UPDATE: Bezos' phone hack: NSO denies any involvement

News by Tony Morbin

NSO denies involvement in case of Jeff Bezos, alleged to have had his phone hacked via a video file from the WhatsApp account of Saudi Arabia's crown prince, Mohammed bin Salman.

A spokesperson for Israel's NSO Group Technologies, whose Pegasus spyware enables the remote surveillance of smartphones, has contacted SC Media UK to say that the company had no involvement in the hacking of Jeff Bezos' phone. "It's not how we work and our technology cannot be used on US phone numbers", said the spokesman, referring to the company's official statement which says: "As we stated unequivocally in April 2019 to the same false assertion, our technology was not used in this instance. Our products are only used to investigate terror and serious crime."

The phrase 'in this instance' suggests NSO feel the need to emphasise it wasn't them - this time - though that could result in finger pointing every time there is a major phone hack and they don't issue a similar statement.

Below - edited original story:

It had been a curious story, with the world’s richest person, Jeff Bezos, worth some US$116.7 billion (£89 billion), founder of Amazon and owner of the Washington Post, alleged to have had his phone hacked in 2018 after receiving a video file sent to him from the WhatsApp account of Saudi Arabia’s crown prince, Mohammed bin Salman, who controls the Saudi royal family’s estimated US$1.4 trillion (£1 trillion) fortune.

It would be strange if the Prince himself were actively involved, but if his account was used by Saudi intelligence at his behest, they will no doubt face scrutiny no less than that which the Prince now faces.

Digital forensic analysis commissioned by Bezos himself and completed by FTI Consulting found that large amounts of data were exfiltrated from Bezos’s phone within hours of him receiving the video file, according to a report in The Guardian newspaper. Bezos’ Washington Post employed the journalist Jamal Khashoggi, who was murdered in the Saudi consulate in Istanbul in October 2018.

According to Wired, citing UN findings, "the Saudi regime began exfiltrating large amounts of data from Bezos within hours of sending the tainted MP4 video file. FTI Consulting found that six months before the video download, an average of about 430 kilobytes of data came from Bezos’ phone per day, a small amount. Within hours of receiving the video, that number rose and the phone started averaging 101 megabytes for months afterward. The UN reports that this number sometimes even jumped into the gigabyte range."
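A sustained jump of the kind reported here (about 430 KB per day rising to about 101 MB per day) is something a defender can alert on from per-device egress counters. The following is an added example, not part of the original article or the FTI analysis; the daily byte counts are constructed, and the function names, thresholds and window sizes are assumptions.

```python
from statistics import median

KB, MB = 1_000, 1_000_000  # decimal units (assumption; the article does not say)

def egress_shift(daily_bytes, baseline_days=30, ratio=20.0, sustain=5):
    """Return the index of the first day of a sustained egress step-change,
    or None. Flagged days are kept out of the baseline so that ongoing
    exfiltration never becomes the new normal."""
    clean = []                      # non-anomalous days feeding the baseline
    run_start, run_len = None, 0
    for i, sent in enumerate(daily_bytes):
        if len(clean) < baseline_days:
            clean.append(sent)      # still learning what normal looks like
            continue
        base = median(clean[-baseline_days:])
        if sent > ratio * max(base, 1):
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len >= sustain:  # a lone spike (backup, OS update) is ignored
                return run_start
        else:
            run_len = 0
            clean.append(sent)
    return None

def constructed_series():
    """Constructed sample: 180 days near 430 KB, then 60 days near 101 MB."""
    before = [430 * KB + ((i * 37) % 7 - 3) * 25 * KB for i in range(180)]
    after = [101 * MB + ((i * 13) % 5 - 2) * 8 * MB for i in range(60)]
    return before + after

def constructed_one_off():
    """Constructed sample: the same baseline with a single 2 GB day."""
    days = [430 * KB + ((i * 37) % 7 - 3) * 25 * KB for i in range(120)]
    days[90] = 2_000 * MB
    return days

if __name__ == "__main__":
    print("sustained shift starts on day", egress_shift(constructed_series()))
    print("one-off spike flagged:", egress_shift(constructed_one_off()))
```

Requiring several consecutive days above the ratio separates a lasting change in behaviour from a single heavy day, at the cost of a few days' detection delay.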

The BBC has reported the Kingdom's US embassy saying the stories are "absurd" and that it called for an investigation into them, with subsequent tweets from the Kingdom repeating that line, saying: “Recent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos' phone are absurd. We call for an investigation on these claims so that we can have all the facts out.”

The Guardian also reported Ron Wyden, a Democratic senator from Oregon in the US, describing the move as "part of a growing trend", citing reports that Saudi Arabia had acquired cyber-hacking capabilities from Hacking Team, based in Italy, and Israel’s NSO Group (which specifically denies involvement in this case - see above). A lawsuit was filed against NSO by WhatsApp alleging that 1,400 users - including 100 journalists, human rights activists and academics - were hacked over a two-week period between April and May 2019 using NSO malware, a claim NSO disputes, saying its technology is intended to be used only to fight crime and terrorism.

Prior to the renewed refutation by NSO of any involvement, Jake Moore, cybersecurity specialist at ESET, emailed SC to suggest that this hack had all the hallmarks of the Pegasus spyware. "When run on a device you will likely have no idea of what has just happened. Engineering a file to look like a photo or video that has come from a contact is the perfect way of executing the malware, so no doubt Bezos was unaware what had just occurred."

Obviously NSO is not the only provider of sophisticated spyware used on highly targeted individuals. Hence Moore's advice still stands, that people of high value or wealth need to be extremely cautious of such tactics. Bezos may well have innocently clicked on the file in the message, but extreme caution should always be exercised whenever something is received. Although it is difficult to reduce the risk, anyone who is a possible target, including people in the media and politicians, should always be aware of the risks.

In an email to SC, Girish Bhat, VP of product marketing at MobileIron, adds, "It is easy to conjure conspiracy theories when confidential data from a high profile individual is exposed.

"This is a classic phishing attack that used secure messaging as the attack vector and was designed to siphon user data from a high net worth individual, viz. Jeff Bezos. Phishing is the number one cyber-attack vector; the 2019 Data Breach Investigations Report revealed that phishing was involved in 32 percent of confirmed breaches, as well as 78 percent of cyber-espionage incidents.

"Mobile users are more susceptible to phishing attacks, as they are more likely to click on a malicious URL, which can give hackers access to all the user’s corporate and personal apps and data on the device. After a mobile device is compromised, it is relatively easy to use compromised credentials to initiate account take over (ATO) and then siphon sensitive information. Based on our understanding of this attack, a mobile-centric, zero trust platform with native mobile threat defence capabilities would protect users from these types of attacks."
