Crown Prince Mohamed and Jeff Bezos’ Rocky Relationship Leads to Hack, Murder

Against the backdrop of strengthened relations between the United States and Saudi Arabia over the past few years, relations began between Saudi Crown Prince Mohamed bin Salman and Amazon founder and Washington Post owner Jeff Bezos. The two initiated communications through WhatsApp in April 2018, and cybersecurity experts at FTI Consulting believe that on May 1 the prince sent a downloadable video file containing hidden malicious code to Bezos’ iPhone through the popular messaging application. The malware went undetected for months while a proposal totaling $1 billion for Amazon to build multiple datacenters in Saudi Arabia was established. Around this same time, Washington Post columnist Jamal Khashoggi published a series of critical and damning articles about Prince Mohamed and the Saudi government. For reasons still not completely explained, Khashoggi was murdered on October 2 by assailants with ties to Prince Mohamed and the Saudi government, most notably al Qahtani, president and chairman of the Saudi Federation for Cybersecurity.

After the murder of the Washington Post columnist, tensions between the prince and Bezos increased. On January 10, 2019, a series of texts containing details of an affair between Bezos and his mistress surfaced in the National Enquirer. An investigation sparked by potential information implicated Prince Mohamed and the Saudi government as the source of the leak, and ultimately led to a full cybersecurity investigation of Jeff Bezos’ phone. At its conclusion, FTI Consulting stated with “medium to high confidence that Jeff Bezos’ iPhone X was compromised via malware sent from a WhatsApp account used by Saudi Crown Prince Mohamed bin Salman.” The UN, for its part, demanded a formal probe to begin on January 22, 2020.

An Advanced Persistent Threat in Action

An advanced persistent threat is a detailed attack wherein a bad actor puts long-term malware on a device in an effort to continuously gather data, or uses the malware to gain access to a network. In the case of Jeff Bezos, the attack began from a downloaded video sent from a trusted source, Saudi Crown Prince Mohamed, but there are many other ways advanced persistent threat attacks can be introduced to a device or network. The most common tactic is through malicious uploads/downloads or social engineering attacks that, in reality, companies face on a day-to-day basis. In the case of Bezos, after the video was downloaded, massive amounts of data were extracted from his iPhone, and the extraction continued undetected for months. According to the UN, “FTI Consulting found that six months before the video download, Mr. Bezos’ phone averaged about 430 kilobytes egress of data per day, a small amount. Within hours of receiving the video, that number rose, and the phone started averaging 101 megabytes for months afterward.”
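The egress jump quoted above is the kind of signal a per-device baseline check can surface. The following is an added example, not part of the original article or of FTI Consulting's analysis; the daily totals are constructed, and the 14-day window, 20x factor and three-day run are assumed tuning values.

```python
from statistics import median

KB = 1000
MB = 1000 * KB


def first_sustained_egress_shift(daily_bytes, baseline_days=14, factor=20, min_run=3):
    """Return the index of the first day of a sustained egress shift, or None.

    A day is "high" when it exceeds factor x the median of the most recent
    baseline_days normal days. A shift is reported only after min_run
    consecutive high days, so one large upload does not raise an alert.
    Caveat: a device compromised during the learning period poisons the baseline.
    """
    baseline = []   # recent days judged normal
    run_start = None
    run_len = 0
    for day, sent in enumerate(daily_bytes):
        if len(baseline) < baseline_days:
            baseline.append(sent)           # learning period, no alerting yet
            continue
        if sent > factor * median(baseline):
            if run_len == 0:
                run_start = day
            run_len += 1
            if run_len >= min_run:
                return run_start
        else:
            run_len = 0
            # High days never enter the baseline, so exfiltration cannot
            # slowly raise the threshold it is measured against.
            baseline = (baseline + [sent])[-baseline_days:]
    return None


def constructed_series():
    # Constructed sample, not forensic data: 30 quiet days near the quoted
    # 430 KB/day figure, one isolated 25 MB day, then days near 101 MB.
    quiet = [(400 + (d * 7) % 60) * KB for d in range(30)]
    quiet[20] = 25 * MB                      # one-off large upload
    exfil = [(95 + (d * 3) % 12) * MB for d in range(10)]
    return quiet + exfil


if __name__ == "__main__":
    print("sustained shift starts on day", first_sustained_egress_shift(constructed_series()))
```

The isolated 25 MB day is ignored because it is not followed by further high days; only the sustained run is reported.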

Threat actors commonly look for sensitive information, financial information, trade secrets or access to a network in an effort to cause damage to a company’s infrastructure. Actors using advanced persistent threat attacks are usually experienced government-funded cybercriminals who use the extracted data for political, financial or personal gain. The UN report references Saudi Arabia-owned Pegasus malware as a possible threat actor in the attack on Jeff Bezos. According to accounts, this type of NSO Group tool costs a few hundred thousand dollars to create, then tens of thousands of dollars more to maintain. Saudi Arabia’s clear funding abilities, expertise in cybercrime and the attack on Bezos raise questions with regard to other reported communications between Prince Mohamed and other U.S. individuals.

With this recent high-profile cybercrime incident, companies and individuals are fine-tuning their cybersecurity practices to protect their organizations. When you receive emails, files or other communications from unknown individuals, always be cautious before opening. In the event it’s a known associate, always ask yourself if you were expecting the communication, and follow up over the phone if you aren’t sure.

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. Learn more about our cybersecurity services at www.schneiderdowns.com/cybersecurity or contact the Schneider Downs cybersecurity team at cybersecurity@schneiderdowns.com.


© 2020 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
