Middle East pager attacks ignite fear of supply chain warfare

Attacks on militants’ wireless devices in Lebanon and Syria this week are amping up concern about ways in which the global electronics supply chain can be compromised — and the risks for companies operating in adversarial countries.

In the attacks, pagers and other hand-held communications devices linked to members of the Iran-backed Hezbollah militant group exploded, killing at least 32 people and injuring more than 3,000. Israel is reportedly behind the attacks, though it has not claimed responsibility.

Security experts and supply chain analysts said the attacks serve as a model for future adversaries on how to weaponize the complex and often-opaque supply chains for everyday items, which go through a bevy of forms and countries before arriving in stores.

Private sector companies and public officials alike are still taking stock of the policy implications, but it could motivate governments to further restrict the flow of sensitive technology and encourage companies to move more manufacturing back home or to friendly third countries. And it almost certainly will force manufacturers and transport companies to reexamine the security and transparency of their supply chains.

At the center of this operation is Budapest-based company B.A.C. Consulting, which ostensibly operated as a legitimate technology provider but was reportedly a front company covertly controlled by the Israeli government, according to reporting from The New York Times. But whether the devices were tampered with or compromised from the start, even the possibility that explosives could have been inserted during manufacturing or transport could cause companies to reconsider if their supply lines and their facilities are secure.

The attack is likely to “create some degree of panic in the private sector,” said Bill Reinsch, a former Commerce Department official now at the Center for Strategic and International Studies. “This could happen in other places and other sectors as well.”

On Capitol Hill, Rep. Jim Himes (D-Conn.), ranking member of the House Intelligence Committee, also said he expected companies to be reevaluating the security of their global operations.

“It does certainly point to the risks associated with supply chains,” Himes said. “I would imagine there’s a lot of warehouse managers today, and you know, cargo ship owners who are doing a little bit of thinking about the security of their facilities.”

The booby-trapped pagers are believed to have been designed with a trigger mechanism, according to Elijah J. Magnier, a Brussels-based political risk analyst who held conversations with Hezbollah operatives. An error message was then sent to the devices causing a vibration, prompting users to press buttons to silence them — inadvertently setting off the hidden explosives.

B.A.C. Consulting appears to have built credibility by conducting genuine sales of pagers and walkie-talkies to global customers, and the facade of legitimacy was key in securing orders from Hezbollah for communication devices, according to the Times.

International spokesperson for the Hungarian government Zoltán Kovács wrote on X that B.A.C. Consulting had “no manufacturing or operational site in Hungary,” and that the “referenced devices have never been in Hungary.”

But with control over B.A.C.’s operations, Israeli intelligence services were allegedly able to modify the manufacturing process for the specific shipments destined for Hezbollah. Now questions remain about how these altered products were able to pass through international borders and reach their intended recipients in Lebanon and Syria without detection — and exposed glaring vulnerabilities in the current paradigm of technology procurement and manufacturing.

“This is the most extensive, publicly-known physical supply chain attack we’ve ever seen, may even see for a while,” said Dmitri Alperovitch, chair of Washington-based geopolitics think tank Silverado Policy Accelerator and co-founder of cybersecurity firm CrowdStrike. “Obviously there was some really exquisite intelligence that had to lead to the ability to interdict and plant explosives in thousands of devices.”

Daniel Bardenstein, the chief technology officer and co-founder for software supply chain security company Manifest, argued that the attack shows that buyers, whether governments or private entities, must have a clearer understanding of what exactly they’re purchasing and from whom.

“We really need to change this paradigm globally about technology transparency,” said Bardenstein, who also formerly served as the chief of technology strategy at the Cybersecurity and Infrastructure Security Agency.

Other theories from some familiar with the Israeli military’s operations are that the pagers could have been compromised anywhere along the chain of supply.

“It can be on a ship, it can be in a factory. When you follow how the logistics go, it doesn’t necessarily need to be in the factory itself,” said retired Israeli Brig. Gen. Amir Avivi, the founder and chair of the hawkish Israel Defense and Security Forum.

The covert operation triggered widespread distrust and paranoia of electronic devices across Lebanon, a sign of the wider impact such an attack can have.

“If this pattern continues, it’s not going to be good for consumers. It’s not going to be good for businesses and it’s not going to be good for governments, who cannot possibly screen all these complex supply chains to ensure that they’re secure,” added Vivek Chilukuri, a senior fellow and program director of the Technology and National Security Program at the Center for a New American Security.

The revelation of Israel’s operation against Hezbollah is also casting a harsh spotlight in Washington on the risks that come with relying on hardware and software originating from potential adversaries such as China — the world’s most dominant manufacturer.

“This incident is very unique, but it highlights the vulnerabilities that the U.S. and its allies accept by having so many of their hardware and software supply chains emanating from countries of concern, particularly China,” said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense for Democracies. “While this explosive device is an extreme outcome, it’s easy to envision malicious cyber payloads being inserted in hardware or software for later activation.”

Chilukuri argued the tactic could move forward Washington’s push for domestically produced technology as the Biden administration seeks to decrease reliance on foreign adversaries such as China.

The B.A.C. was legally licensed to use products with Taiwanese company Gold Apollo, founder and President Hsu Ching-kuang told reporters outside company headquarters in New Taipei. Gold Apollo is known for making a wide range of devices including pagers, which can send messages without an internet connection.

The company previously touted its position as a significant supplier of pagers and walkie-talkies in Europe and the United States, which included intelligence agencies and emergency services among its buyers. But the exact course of action for industry — and intelligence agencies for that matter — remains elusive.

“It’s truly amazing how little the technology buyers know about what exists either from a software perspective or from a hardware perspective,” Bardenstein said. “Are all the little sensors and cameras or processing components what they say they are?”

Daniella Cheslow contributed to this report.