Middle East "pager attacks" spark concerns over potential supply chain warfare
The activities in Lebanon and Syria may trigger a worldwide evaluation of the weaknesses encountered by tech firms with international manufacturing processes.
The incidents involved explosions from pagers and other handheld communication devices linked to the Iran-backed Hezbollah militant group, resulting in at least 32 fatalities and over 3,000 injuries. While reports suggest Israel is responsible for the attacks, it has not officially claimed involvement.
Security experts and analysts in supply chain management indicated that these incidents may serve as a blueprint for adversaries looking to exploit the often complex and opaque supply chains of everyday items, which traverse numerous countries before reaching retail outlets.
In the wake of these events, both private companies and public officials are assessing the potential policy implications. Some observers suggest that this could prompt governments to further curtail the flow of sensitive technology and encourage businesses to relocate manufacturing to domestic or friendly third-party locations. It is likely to compel manufacturers and logistics firms to reevaluate the security and transparency of their supply chains.
At the heart of these operations is B.A.C. Consulting, a Budapest-based company that seemingly functioned as a legitimate technology provider but was reportedly a cover controlled by the Israeli government, as per The New York Times. Whether the devices were initially compromised or tampered with later, the potential for explosives to have been added during manufacturing or shipping raises significant security concerns.
“This is likely to create some degree of panic in the private sector,” stated Bill Reinsch, a former official from the Commerce Department now at the Center for Strategic and International Studies. He added, “This could happen in other places and other sectors as well.”
In Congress, Rep. Jim Himes, the ranking member of the House Intelligence Committee, expressed that companies would likely reassess the security of their global operations. “It does certainly point to the risks associated with supply chains,” Himes remarked. “I would imagine there’s a lot of warehouse managers today, and you know, cargo ship owners who are doing a little bit of thinking about the security of their facilities.”
The devices are believed to have been equipped with a triggering mechanism, according to Elijah J. Magnier, a political risk analyst based in Brussels who has spoken with Hezbollah operatives. Users received an error message, which caused a vibration that led them to press buttons to silence the alerts, inadvertently triggering the concealed explosives.
B.A.C. Consulting that built its reputation by selling genuine products like pagers and walkie-talkies to various global customers, creating a facade of legitimacy vital for securing orders from Hezbollah, as reported by the Times.
Zoltán Kovács, the international spokesperson for the Hungarian government, stated on X that B.A.C. Consulting had "no manufacturing or operational site in Hungary," asserting that the “referenced devices have never been in Hungary."
However, with Israeli intelligence allegedly overseeing B.A.C.'s operations, there were claims that the manufacturing process was altered for shipments intended for Hezbollah. This raises questions about how these modified products successfully traversed international borders to reach recipients in Lebanon and Syria undetected, revealing significant vulnerabilities in the current technology procurement and manufacturing frameworks.
“This is the most extensive, publicly-known physical supply chain attack we’ve ever seen, may even see for a while,” claimed Dmitri Alperovitch, chair of the Silverado Policy Accelerator and co-founder of cybersecurity firm CrowdStrike. "Obviously there was some really exquisite intelligence that had to lead to the ability to interdict and plant explosives in thousands of devices."
Daniel Bardenstein, a co-founder and CTO of the software supply chain security firm Manifest, emphasized the need for buyers, whether governmental or private, to gain clearer insights into what they are purchasing. "We really need to change this paradigm globally about technology transparency," he said, having previously served as chief of technology strategy at the Cybersecurity and Infrastructure Security Agency.
Some familiar with Israeli military operations believe that the pagers could have been compromised at various points in the supply chain. "It can be on a ship, it can be in a factory. When you follow how the logistics go, it doesn't necessarily need to be in the factory itself,” explained retired Israeli Brig. Gen. Amir Avivi, founder and chair of the Israel Defense and Security Forum.
The covert operation has instigated widespread anxiety regarding electronic devices in Lebanon, indicating the broader implications of such attacks.
“If this pattern continues, it’s not going to be good for consumers. It’s not going to be good for businesses and it’s not going to be good for governments, who cannot possibly screen all these complex supply chains to ensure that they're secure," commented Vivek Chilukuri, a senior fellow in the Technology and National Security Program at the Center for a New American Security.
The exposure of Israel's operation against Hezbollah has also heightened scrutiny in Washington regarding the risks associated with dependence on hardware and software from potential adversaries like China, which stands as the world’s leading manufacturer.
"This incident is very unique, but it highlights the vulnerabilities that the U.S. and its allies accept by having so many of their hardware and software supply chains emanating from countries of concern, particularly China,” noted Mark Montgomery from the Center on Cyber and Technology Innovation at the Foundation for Defense for Democracies. “While this explosive device is an extreme outcome, it’s easy to envision malicious cyber payloads being inserted in hardware or software for later activation.”
Chilukuri suggested that this tactic could advance Washington’s initiative for domestic technology production as the Biden administration aims to lessen reliance on foreign adversaries like China.
Gold Apollo, a Taiwanese company, legally licensed its products to B.A.C., with founder and President Hsu Ching-kuang sharing insights outside their headquarters in New Taipei regarding their production capabilities. Gold Apollo is recognized for manufacturing various devices, including pagers that operate without internet connectivity.
Previously, Gold Apollo highlighted its role as a significant supplier to the European and U.S. markets, including clients like intelligence agencies and emergency services. However, the future direction for both the industry and intelligence agencies remains uncertain.
"It's truly amazing how little the technology buyers know about what exists either from a software perspective or from a hardware perspective,” remarked Bardenstein. “Are all the little sensors and cameras or processing components what they say they are?"
Daniella Cheslow contributed to this report.
Mark B Thomas contributed to this report for TROIB News