Several explosions occurred in pagers carried by adults and children in Lebanon on Tuesday; this was followed by explosions, of an almost equal intensity, in walkie-talkies held by members of Hezbollah.
Those in the field quickly connected it to Israel’s Mossad, and for good reason. They also concluded that a large-scale cyber attack was underway. But before we come to that, it is important to take an objective look at the facts that have come to light so far.
The following has been pieced together by this writer using Open Source Intelligence (OSINT), including continuous updates on dark web forums by contributors based in both Lebanon and Israel, who choose to remain anonymous, but the depth of their information speaks for itself.
The pagers that exploded were AR-924 models manufactured by a Hungarian firm, BAC Consulting KFT, and sold under a Taiwanese brand name, Apollo Gold. Not much, however, is known about BAC Consulting, including its board of directors. Journalists based in Budapest, Hungary, have managed to find one single name on the internet listed as its director but have not been able to establish contact with them. Nor does this person appear to have any other professional history.
The next fact is that a few ounces of explosives were hidden in the 5,000 pagers that were ordered by Hezbollah earlier this year. It has also been independently confirmed that Hezbollah decided to switch to pagers several months ago, to avoid being tracked by their enemies, as well as to ensure connectivity in a region where there are frequent power and mobile tower outages. More than anything, the attack turns the spotlight on a burning issue that we, as a country, have never given much thought to. And that is the concept of supply chain attacks.
At the outset, it needs to be clarified that this writer is fully aware that supply chain attacks are a cybersecurity concept. But, like all cybersecurity concepts, this one is based on real-life possibilities. A supply chain attack basically means that if the enemy can’t get to you directly, they target your supply chain. Consider a major cellular service provider with, theoretically, impeccable cybersecurity. If a malicious hacker is unable to get into its servers, he turns to the supply chain. This chain comprises the numerous associates the company is aligned with – logistics providers, catering services, housekeeping services, and so on. All exchange emails with the company on a regular basis. Hence, all of them are the hacker’s doorways into the cellular service provider’s servers.
The hacker just has to hack into the official emails of one of these services and send a malware-loaded email to the company. As soon as this email is opened, the hacker is in. What happened with Hezbollah was the physical version of this model. Because getting to those many Hezbollah members was impossible, Israel went for their supply chain, and pretty successfully, by the looks of it.
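The email route the writer describes, a compromised supplier mailbox sending malware into a company that trusts that supplier, is exactly the case where "the sender is a known vendor" must not shortcut inspection. The script below is an added illustration, not code from the article: it triages raw inbound messages and flags mail from a trusted-supplier domain that fails sender authentication (SPF/DKIM/DMARC, read from the Authentication-Results header) or carries an attachment type with no ordinary business reason to arrive by mail. The supplier allowlist, the domains, the extension list and both sample messages are constructed for the example.

```python
"""Triage inbound mail from trusted suppliers (added example, constructed data)."""
from __future__ import annotations

from email import message_from_string
from email.message import Message

# Hypothetical supplier allowlist: the logistics, catering and housekeeping
# partners the article mentions. Constructed for this example.
TRUSTED_SUPPLIERS = {"logistics.example", "catering.example", "facilities.example"}

# Attachment types that are a red flag regardless of who sent them.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}


def sender_domain(msg: Message) -> str:
    """Return the lowercase domain of the From: header ('' if absent)."""
    from_addr = msg.get("From", "")
    if "@" not in from_addr:
        return ""
    return from_addr.rsplit("@", 1)[-1].strip("> ").lower()


def auth_failures(msg: Message) -> list[str]:
    """Read SPF/DKIM/DMARC verdicts from Authentication-Results.

    Any mechanism that is missing or not 'pass' is reported, because a
    supplier's real domain failing DMARC is the tell-tale sign of a
    spoofed or hijacked sender.
    """
    tokens = msg.get("Authentication-Results", "").replace(";", " ").split()
    failed = []
    for mech in ("spf", "dkim", "dmarc"):
        verdicts = [t.split("=", 1)[1].lower() for t in tokens if t.startswith(mech + "=")]
        if not verdicts:
            failed.append(f"{mech}=missing")
        elif verdicts[0] != "pass":
            failed.append(f"{mech}={verdicts[0]}")
    return failed


def risky_attachments(msg: Message) -> list[str]:
    """Filenames of attachments whose extension is in RISKY_EXTENSIONS."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            found.append(name)
    return found


def triage(raw: str) -> dict:
    """Classify one raw RFC 822 message; 'quarantine' is True on any finding."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    trusted = domain in TRUSTED_SUPPLIERS
    failed = auth_failures(msg)
    risky = risky_attachments(msg)
    findings = []
    if trusted and failed:
        findings.append("supplier-auth-failure")       # vendor identity not proven
    if trusted and risky:
        findings.append("supplier-risky-attachment")   # trusted sender, untrusted payload
    if not trusted and risky:
        findings.append("unknown-sender-risky-attachment")
    return {
        "domain": domain,
        "trusted_supplier": trusted,
        "auth_failures": failed,
        "risky_attachments": risky,
        "findings": findings,
        "quarantine": bool(findings),
    }


# Constructed sample 1: a genuine supplier invoice, all checks pass.
SAMPLE_INVOICE = """From: Accounts <billing@logistics.example>
To: ops@telco.example
Subject: Invoice 4471
Authentication-Results: mx.telco.example; spf=pass smtp.mailfrom=logistics.example; dkim=pass header.d=logistics.example; dmarc=pass header.from=logistics.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the invoice attached.
--b1
Content-Type: application/pdf; name="invoice-4471.pdf"
Content-Disposition: attachment; filename="invoice-4471.pdf"

JVBERi0xLjQK
--b1--
"""

# Constructed sample 2: same supplier address, but SPF/DMARC fail and the
# "invoice" is a macro-enabled document.
SAMPLE_SUSPECT = """From: Accounts <billing@logistics.example>
To: ops@telco.example
Subject: Invoice 4472 - urgent
Authentication-Results: mx.telco.example; spf=fail smtp.mailfrom=logistics.example; dkim=pass header.d=logistics.example; dmarc=fail header.from=logistics.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Updated invoice, please open and confirm today.
--b2
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice-4472.docm"
Content-Disposition: attachment; filename="invoice-4472.docm"

UEsDBBQ=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("invoice", SAMPLE_INVOICE), ("suspect", SAMPLE_SUSPECT)):
        print(label, triage(raw))
```

The design point is that trusted-supplier status raises the bar rather than lowering it: a message that arrives from a known vendor domain but cannot prove that domain via DMARC is treated as more suspicious than ordinary unknown mail, because that is precisely what a hijacked vendor mailbox or a spoofed vendor address looks like from the inside.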
We also need to urgently take note of the fact that this is not Israel’s first rodeo when it comes to remotely wreaking havoc. In 2010, a new worm – a bigger and deadlier version of a virus – named Stuxnet came to light. Stuxnet had been successfully slipped into the machines called Programmable Logic Controllers (PLCs) connected to Iran’s nuclear programme, using pen drives that were discreetly inserted. The worm made its way all the way to the centrifuges that enriched uranium for Iran’s nuclear programme, and reduced the programme to one-fifth of its capability.
When we talk about cybersecurity, we need to think beyond the traditional idea of computers and smartphones. A PLC is essentially a computer and can be hacked like one, and it is used in numerous crucial industries even today. Just six days ago, on September 12 this year, the Indian Computer Emergency Response Team issued an alert about multiple vulnerabilities in a crucial system manufactured by a leading electric products company.
All of these vulnerabilities are classified as ‘high’ in severity – which is the second most serious after critical – and can be exploited to ‘bypass security restrictions and tamper data on the targeted system’, according to CERT-In’s advisory. The system in question is used in industries such as automotive and eMobility, cloud and service providers, commercial real estate, data centres and networks, electricity companies, facility management, food and beverages, healthcare, hotels, and life sciences. We are not hearing any alarm bells ringing, though.