Saudi Arabia suspected in Bezos hack.
The Guardian reported on Tuesday that Amazon founder and Washington Post owner Jeff Bezos had his iPhone X hacked in May of 2018 via a malicious WhatsApp message sent from the personal WhatsApp account of Mohammad bin Salman (MBS), the Crown Prince of Saudi Arabia. The evidence comes from a report by FTI Consulting, which was hired in February 2019 to examine the phone after Bezos's security adviser received a warning that the device may have been targeted by an APT. Motherboard obtained FTI's report, which explained that MBS sent Bezos an unsolicited video attachment and an encrypted downloader over WhatsApp on May 1st, 2018, a little less than a month after Bezos and the Crown Prince exchanged phone numbers. The investigators weren't able to decrypt the downloader, but the report states that "within hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos' phone began, continuing and escalating for months thereafter."
United Nations human rights experts released a statement after examining the FTI Consulting report, concluding that it "suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia. The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince's involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi." The UN officials called for an "immediate investigation by US and other relevant authorities." Most reporting seems to agree that Bezos was targeted due to his ownership of the Washington Post and the Post's employment of Khashoggi.
The Wall Street Journal cites cybersecurity and forensics specialists who noted that FTI's investigation is missing some important steps and pieces of evidence, the most prominent being the actual malware used to compromise the phone. Many observers suspect NSO Group's Pegasus tool, which has been in the news recently due to reports that the spyware exploited a vulnerability in WhatsApp to compromise targets' phones, but NSO strongly denies involvement in the Bezos hack. In a statement to CNN, the company said, "Our technology was not used in this instance. We know this because of how our software works and our technology cannot be used on US phone numbers. Our products are only used to investigate terror and serious crime. Any suggestion that NSO is involved is defamatory and the company will take legal counsel to address this." FTI's report cited NSO's Pegasus tool and Hacking Team's Galileo as examples of spyware capable of this type of exfiltration, but it didn't confirm that either was used in this instance.