Are the Pager Attacks in Lebanon a New Step Towards De-Globalization?

Published on 23.09.2024
Reading time: 6 minutes

If the pager operation doesn’t redefine the traditional concept of a supply chain attack or introduce a new variation, it has certainly raised terrifying questions that were seldom considered before. It has also potentially marked a turning point in public trust regarding electronic devices.

The shock has not yet worn off for the Lebanese public and observers around the world following the events of September 17. In an instant, more than 4,000 pager devices, four decades old and long obsolete in the world of telecommunications, were turned into time bombs in the hands of over 4,000 Hezbollah operatives. The blasts claimed the lives of more than thirty people and left thousands injured, including civilians and children.

The dust of rumors and speculation surrounding the incident has yet to settle, as neither Hezbollah nor Israel—or any independent authority—has confirmed or denied the two prominent theories explaining the explosions. One theory posits that the devices were infected with malicious software that caused their batteries to overheat and explode simultaneously, while the other suggests that explosive charges were planted and remotely detonated.

What is certain thus far is that the explosive devices were part of a shipment of pagers ordered by Hezbollah from Golden Apollo, a Taiwanese company. The company’s CEO was quick to distance himself from the accusations, stating that Golden Apollo did not manufacture the devices in question. Instead, they were made by BAC, a Hungarian company based in Budapest. BAC’s president also denied any involvement, telling NBC News: “I don’t manufacture pagers. I’m just a broker for Golden Apollo. I believe you’ve got the wrong party.” Later, The New York Times revealed that the Hungarian company, along with two other shell companies, was part of an Israeli intelligence operation that had been in the works for over two years.

Regardless of who planted the software or explosive charges, what occurred was a supply chain attack in its most traditional sense—an attack on a trusted third-party supplier, in this case, Golden Apollo, which provides vital products or services to a supply chain. While modern supply chain attacks typically involve injecting malicious code into software to compromise all its users, traditional supply chain attacks involve compromising physical components to achieve the same goal. That is what happened here.

In recent years, supply chain attacks have moved from the margins of concern to the forefront. According to Verizon’s 2024 Data Breach Investigations Report, the use of vulnerabilities to initiate breaches increased by 180 percent in 2023 compared to 2022. Of these breaches, 15 percent involved a third party or intermediary supplier, such as a software supply chain, hosting partner infrastructure, or data custodians.

A key detail to note is that the consequences of supply chain attacks are often long-lasting and not easily detected, whether from a technical threat perspective or in terms of accountability for the perpetrator. For example, in October 2023, nearly three years after the infamous SolarWinds breach, which impacted over 18,000 U.S. organizations, the Securities and Exchange Commission charged SolarWinds with misleading investors about its cybersecurity practices and risks. This charge followed a $26 million settlement of a class-action lawsuit related to the breach.

Meanwhile, questions like “Did all the pagers explode?” and “Are there more booby-trapped devices out there?” remain unanswered.

A Locked-Down World

If the pager operation doesn’t redefine the traditional concept of a supply chain attack or introduce a new variation, it has certainly raised terrifying questions that were seldom considered before. It has also potentially marked a turning point in public trust regarding electronic devices. One can easily observe this by looking at social media posts from people in Lebanon and Syria, where individuals are questioning whether they should disconnect devices like solar batteries and TV remotes.

Another alarming aspect of the pager attacks is that they involve meddling in the supply chain not for a specific act of sabotage, but to carry out a widespread, distributed attack. What’s new is that, whereas cybersecurity experts have tended to focus on non-state actors, this attack appears to have been state-sponsored. In the coming days, this will likely prompt public discussions about control over supply chains and the strategic independence of digital assets and sovereignty.

Whether the booby-trapping occurred during the manufacturing process by the Hungarian intermediary company, during transport, or at the system operator level before the devices were assigned to Hezbollah operatives, it will push technology manufacturers and importers to be increasingly concerned about vulnerabilities along the supply chain. The ability to turn everyday consumer products into lethal weapons could prompt even greater operational security challenges and lead to increased complexity, costs, and a retreat toward relying on “trusted” parties, which are becoming harder to identify.

Regardless of how the devices were tampered with, these attacks could accelerate the adoption of policies already embraced by many manufacturing countries that advocate for producing technology domestically to maintain stricter control over supply chain security. This applies to everything from smartphones to drones to social media apps. A prime example of this is the CHIPS Act, a U.S. federal law passed by Congress and signed by President Joe Biden, allocating $280 billion to fund domestic semiconductor research and manufacturing to “boost U.S. supply chain resilience” in the ongoing tech war with China.

This tech cold war began explicitly during the presidency of former President and current candidate Donald Trump, through his campaign against the Chinese tech giant Huawei, which he blacklisted while threatening to penalize anyone using its infrastructure at any stage of U.S. product manufacturing. Meanwhile, in the European Union, commercial barriers are gradually being built, with foreign companies being required to manufacture their goods within EU borders. This includes even U.S. tech giants, which are facing pressure to build more data centers in Europe.

The pager explosions among Hezbollah operatives and Iranian diplomats are likely to accelerate a trend that U.S. adversaries have been pursuing for years: decoupling from global technology. The most well-known example is China, which has, since 1990, controlled the flow of information between the global internet and its domestic cyber network through its “Great Firewall.” This limits domestic access to select foreign websites. Russia and Iran have taken notes from China and gone a step further by creating local, internal networks that can be cut off from the global internet if necessary.

Iran’s National Information Network is now fully operational, with the state trying to force internet users to develop Iranian alternatives to Western apps on the domestic Iranian network rather than the global web. Russia has done the same with President Putin’s signing of the “Sovereign Internet Law” in 2019 and its own internet network, Runet. Russia has used this to mitigate the impact of global sanctions following its 2022 invasion of Ukraine.

A Global Concern?

Following the events in Lebanon, a comprehensive reevaluation of supply chain security is expected, which could drive tech manufacturers, in particular, to tighten their supply chain security protocols. This situation is unprecedented in scope, though familiar in concept, and many companies likely hadn’t taken cross-border production security seriously before. This is particularly true for mid-sized firms that lack the resources of nations to fully prepare for such threats.

It’s not just companies that will feel the effects; the incident is also influencing public perceptions, as seen in the growing calls on social media and some media outlets to reject all things “Western”—from phones to devices to equipment. The “pager” attacks have begun to alter public perceptions of personal electronic devices, shifting them from being seen as entirely safe tools for human comfort to potential instruments of mass destruction, should someone choose to make them so. This undermines the efforts of major companies to assure their customers that their devices are, in fact, safe.

The final aspect relates to global security. Before the September 17 attack, the idea of using personal devices to target a specific group of pre-selected individuals wasn’t part of the global zeitgeist. Israel has now introduced that possibility. If the theory holds that the devices were booby-trapped with explosives before reaching Lebanese soil, it would mean they passed through at least two airports undetected. This could mean a repeat of the post-9/11 world, where new security measures emerged following the World Trade Center attacks.