An iPhone belonging to Amazon CEO Jeff Bezos likely was hacked by Saudi Arabian prince Mohammed bin Salman (MBS) or operatives working on his behalf, a technical report indicated.

Forensics on the phone showed it “was compromised via tools procured by Saud al Qahtani,” a close confidant of the prince, Motherboard cited a report by FTI Consulting as finding. Researchers also said the phone had not been infected with malware but did contain a suspicious file, whose download from a WhatsApp message preceded the months-long exfiltration of a large volume of data.

Hours after the encrypted downloader was received, “a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter,” the report said, noting that daily data exfiltration from the phone rose from 430KB to 126MB after the arrival of the video, which appeared to be a promotional video in Arabic about telecommunications.

“The reporting indicates that Mr. Bezos was in a WhatsApp chat with KSA’s Mohammed bin Salman when — unprompted — the Prince sent him a video file,” said Rosa Smothers, senior vice president of cyber operations at KnowBe4, contending that the motive was striking at Bezos, who owns the Washington Post, which had reported extensively on the Kingdom’s October 2018 murder of Post journalist Jamal Khashoggi.

Her colleague, Roger Grimes, data-driven defense evangelist at KnowBe4, expressed doubt that MBS himself had hacked Bezos’s phone, noting that using his own account would be “too immediately traceable.”

Instead, “it seems more likely that someone else broke into the Prince’s phone” by exploiting an unknown WhatsApp flaw “and then used his existing network of contacts and trust to spread to other targets, of which Bezos was one,” Grimes said.

“That part quickly points to a nation state intelligence agency,” he said, noting “the Saudis aren’t known for their cutting-edge hacking. Of course, any nation state can buy that expertise, which is what appears to have happened here.”