Against the backdrop of strengthened relations between the United States and Saudi Arabia over the past few years, relations began between Saudi Crown Prince Mohamed bin Salman and Amazon founder and Washington Post owner Jeff Bezos. The two initiated communications through WhatsApp in April 2018, but on May 1, cybersecurity experts at FTI Consulting believe the prince sent a downloadable video file containing hidden malicious code to Bezos’ iPhone through the popular messaging application. The malware went undetected for months while a proposal totaling $1 billion for Amazon to build multiple datacenters in Saudi Arabia was established. Around this same time, a series of critical and damning articles about Prince Mohamed and the Saudi government were published by Washington Post columnist Jamal Khashoggi. For reasons still not completely explained, Khashoggi was murdered on October 2 by assailants with ties to Prince Mohamed and the Saudi government, most notably al Qahtani, president and chairman of the Saudi Federation for Cybersecurity.
After the murder of the Washington Post columnist, tensions between the prince and Bezos increased. On January 10, 2019, a series of texts containing details of an affair between Bezos and his mistress surfaced in the National Enquirer. The ensuing investigation into how those texts were obtained implicated Prince Mohamed and the Saudi government as the source of the leak, and ultimately led to a full cybersecurity investigation of Jeff Bezos’ phone. At its conclusion, FTI Consulting stated with “medium to high confidence that Jeff Bezos’ iPhone X was compromised via malware sent from a WhatsApp account used by Saudi Crown Prince Mohamed bin Salman.” The UN, for its part, demanded a formal probe to begin on January 22, 2020.
An Advanced Persistent Threat in Action
An advanced persistent threat is a detailed attack wherein a bad actor puts long-term malware on a device in an effort to continuously gather data, or uses the malware to gain access to a network. In the case of Jeff Bezos, the attack began with a downloaded video sent from a trusted source, Saudi Crown Prince Mohamed, but there are many other ways advanced persistent threat attacks can be introduced to a device or network. The most common tactics are malicious uploads/downloads and social engineering attacks, which companies face on a day-to-day basis. In the case of Bezos, after the video was downloaded, massive amounts of data were extracted from his iPhone, and the exfiltration continued undetected for months. According to the UN, “FTI Consulting found that six months before the video download, Mr. Bezos’ phone averaged about 430 kilobytes egress of data per day, a small amount. Within hours of receiving the video, that number rose, and the phone started averaging 101 megabytes for months afterward.”
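The egress figures quoted above are exactly the kind of signal a per-device baseline can catch. The following is an added example (not code from the original post, FTI Consulting or the UN) that builds a constructed set of daily egress records around the 430 KB/day and 101 MB/day figures and flags days that exceed a rolling median baseline by a large factor; the window, factor and jitter values are assumptions.

```python
from datetime import date, timedelta
from statistics import median

KB, MB = 1024, 1024 * 1024


def build_sample():
    """Constructed per-day egress records (ISO date, bytes) for one device.

    April hovers around the ~430 KB/day baseline quoted from the UN summary;
    from 1 May the device sends ~101 MB/day. The day-to-day jitter is invented."""
    records = []
    start = date(2018, 4, 1)
    for i in range(45):
        day = start + timedelta(days=i)
        if day < date(2018, 5, 1):
            egress = (385 + (i % 7) * 15) * KB   # 385..475 KB, normal use
        else:
            egress = 101 * MB + (i % 5) * MB     # sustained bulk egress
        records.append((day.isoformat(), egress))
    return records


def flag_egress_anomalies(records, window=14, factor=10.0, min_days=7):
    """Return [(day, bytes, ratio)] for days whose egress is at least
    `factor` times the median of the previous `window` unflagged days.

    The median, not the mean, is used so one odd day cannot drag the
    baseline up. Flagged days are kept out of the baseline, so a channel
    that exfiltrates steadily for months stays flagged instead of
    becoming the new normal after a couple of weeks."""
    baseline = []   # bytes of days judged normal, in order
    flagged = []
    for day, egress in records:
        recent = baseline[-window:]
        if len(recent) >= min_days:
            base = median(recent)
            ratio = egress / base if base else float("inf")
            if ratio >= factor:
                flagged.append((day, egress, round(ratio, 1)))
                continue
        baseline.append(egress)
    return flagged


if __name__ == "__main__":
    for day, egress, ratio in flag_egress_anomalies(build_sample()):
        print(f"{day}: {egress / MB:6.1f} MB/day, {ratio}x baseline")
```

On the constructed data the first flagged day is 1 May at roughly 240 times the April baseline, and every later day stays flagged because flagged days never enter the baseline.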
Threat actors commonly look for sensitive information, financial information, trade secrets or access to a network in an effort to cause damage to a company’s infrastructure. Actors using advanced persistent threat attacks are usually experienced government-funded cybercriminals who use the extracted data for political, financial or personal gain. The UN report references the Saudi Arabia-owned Pegasus malware as possibly the tool used in the attack on Jeff Bezos. According to accounts, an NSO Group tool of this type costs a few hundred thousand dollars to create, then tens of thousands of dollars more to maintain. Saudi Arabia’s clear funding abilities, expertise in cybercrime and the attack on Bezos raise questions with regard to other reported communications between Prince Mohamed and other U.S. individuals.
With this recent high-profile cybercrime incident, companies and individuals are fine-tuning their cybersecurity practices to protect their organizations. When you receive emails, files or other communications from unknown individuals, always be cautious before opening. In the event it’s a known associate, always ask yourself if you were expecting the communication, and follow up over the phone if you aren’t sure.
How Can Schneider Downs Help?
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. Learn more about our cybersecurity services at www.schneiderdowns.com/cybersecurity or contact the Schneider Downs cybersecurity team at [email protected].