
Few security services have the intent and capability to replicate Israel's unprecedented attacks against Hezbollah's electronics, but many will find new ways to physically tamper with devices for mass surveillance by exploiting the complexity of global supply chains, especially after devices' final assembly and with the help of insiders. On Sept. 17-18, Israel carried out a series of coordinated attacks targeting Hezbollah members in Lebanon and Syria, killing nearly 40 people and injuring over 3,000 others. Many details of the operation are still unclear, but a wide variety of media reporting indicates Israeli spies set up front companies to produce pagers and two-way radios containing a small amount of explosive material and a remote activation capability; these were then shipped to Hezbollah under the guise of legitimate products from reputable manufacturers. Israel allegedly began shipping the tampered devices in mid-2022, but sped up the deliveries in early 2024 after Hezbollah Secretary-General Hassan Nasrallah ordered the group's members to destroy their cell phones and switch to lower-tech devices believed to be more secure.
- According to reporting in The New York Times, at least one Israeli front company used in the operation manufactured legitimate pagers for other customers and at least some of the people involved were unaware they were being controlled by Israeli spies.
- According to some media reports, Israel had intended to conduct the attack just before launching a larger operation against Hezbollah, but moved up the timeline after worrying that some Hezbollah operatives were growing suspicious about the devices.
- Two of the biggest unknowns about the operation are where the devices were built and how they were shipped to their targets. Taiwan-based Gold Apollo, the firm whose label was on the pagers, has denied building them and instead blamed a Hungary-based firm, BAC Consulting, which held a license to produce them. BAC Consulting, however, appears to be an Israeli front company and has been linked to another suspicious firm, Bulgaria-based Norta Global. But thus far, authorities in both countries say they have no record of either firm actually building or shipping the pagers. It is also unclear how the radios were built and shipped as the Japan-based firm whose logo was on them, Icom, has said it stopped manufacturing them a decade ago.
There are many examples of security services sneaking monitoring equipment and even explosive material into various products, but Israel's operation is unparalleled in scope and scale, in turn putting media scrutiny on global supply chains' physical, rather than digital, vulnerabilities. Throughout history, intelligence and law enforcement agencies have often surreptitiously tampered with various items to eavesdrop. In one of the largest operations, the United States and Germany spied on dozens of foreign governments during the Cold War through a Swiss front company called Crypto AG that sold encryption devices which U.S. and German spies had rigged so that they could easily break the codes. In the digital era, between 2018 and 2021, U.S. and Australian federal law enforcement agencies secretly developed a supposedly secure encrypted messaging app, ANOM, that organized crime groups across the globe used without knowledge that their conversations were fully monitored, leading to hundreds of arrests. Less frequently, security services have also booby-trapped specific devices to cause harm. Israeli spies have carried out such operations multiple times, perhaps most famously in 1996 when they killed a Hamas bombmaker by coordinating a plan to put explosives inside a cell phone that blew up when he answered a call. More recently, in September 2023, Ukraine's security services were accused of severely injuring a Russian general in an attempted assassination via a bomb-rigged cell phone. However, none of these or similar operations came close to Israel's Sept. 17-18 attacks, in which its spies reportedly tampered with 5,000 devices and, in the span of just a few minutes on each day, carried out the brazen coordinated attacks that caused mass casualties and significantly disrupted Hezbollah's communications.
The attacks were also distinctive in that they put intense media attention on the physical vulnerabilities of global supply chains, whereas in recent years, most countries — especially in the West with respect to China — have been more concerned about cyber vulnerabilities, such as secret "backdoors," as many goods from housewares to vehicles have become digitally connected.
- Alongside the rise of digital networks in the past decades, acts of cyber sabotage have also increased. While there are many examples of threat actors probing the networks of critical infrastructure to find vulnerabilities, there are far fewer examples of them carrying out cyberattacks that cause physical disruptions in the real world. At least twice, in 2015 and 2016, Russian state-backed hackers disrupted Ukraine's electricity grid, leading to hours-long blackouts during cold winter temperatures. More famously, the United States and Israel oversaw an operation that sabotaged approximately one-fifth of Iran's nuclear centrifuges by infecting linked computers, an operation that came to light in 2010.
Most security services would be unable or unwilling to carry out anything close to a comparable operation to cause physical harm, at least outside a war context. Overall, the Israeli operation required a level of pre-planning and sophistication that is beyond the reach of most intelligence services. Among other things, Israeli spies needed to penetrate Hezbollah's communications in the first place, set up what appear to have been multiple front companies, create various layers of deniability among intelligence officers and their unwitting assets, manufacture the tampered items, and then monitor Hezbollah operatives to know if they grew suspicious — all for, reportedly, at least two years without being discovered. There are not many intelligence services with the necessary geographic reach, specialized personnel, operational security and sheer creativity to pull off such a feat and, of those that could, there are probably even fewer willing to take the risk. For instance, ABC News, citing an unnamed U.S. intelligence source, has reported that the Central Intelligence Agency (CIA) has resisted carrying out a similar operation because it assessed the risk to innocent people would be too high; most other Western spy agencies, which in general are even more risk-averse than the CIA, would likely also make that assessment. This means there are probably only a small number of countries, such as Russia, that are both willing and able to conduct a similar attack. But even then, such an operation involves a "use it or lose it" calculation in that, unlike passive surveillance, detonating devices can only be done once before the target wises up and adjusts security protocols. While Israel was not in a full-scale conflict with Hezbollah at the time of the attacks and appears to have detonated the devices before it originally planned, it has been exchanging cross-border attacks with Hezbollah almost daily for nearly a year and is trending toward a wider conflict with the group.
This illustrates that, for the few countries with both the intent and capability to plot such an operation, actually carrying it out would probably only make sense as the opening salvo of a war to paralyze the target, or when already engaged in combat. Even then, the impact of a similar attack would depend significantly on the target; after all, as hard as it was for Israel to do this against Hezbollah, it would be even harder to do something at a similar scale against a larger nation-state with far more resilient communications.
- Just before its invasion of Ukraine in February 2022, Russia carried out a number of cyberattacks to disrupt Ukrainian forces' communications, including two coordinated attacks that crippled Ukraine's satellite communications. Similarly, a potential future Chinese invasion of Taiwan is likely to involve numerous acts of physical and cyber sabotage to inhibit communications and otherwise cause chaos to soften up defenses.
By comparison, a much longer list of intelligence services and other threat actors are more likely to find new ways to physically tamper with electronic devices and emerging technologies for mass surveillance. Compared with mass sabotage that causes physical harm, far more spy agencies are both capable of and incentivized to employ new methods for large surveillance operations. By definition, intelligence services need to collect information, which means they are constantly looking for novel ways to monitor targets and generally have few qualms about mass surveillance of adversaries. Moreover, unlike a sabotage attack that leads to mass casualties, widespread surveillance is generally easier to carry out, meaning far more countries are capable of doing so. For instance, there is already a major consumer market for surveillance devices that can be hidden inside various everyday items, and better-resourced security services can use even more impressive capabilities to implant less detectable and more powerful listening devices into an even wider array of items. Moreover, spies from many countries will seek to take advantage of emerging technologies like Internet of Things (IoT) devices, unmanned systems, artificial intelligence, biometrics and quantum computing by infiltrating the supply chains for devices associated with these technologies. While more sophisticated security services will present the greatest threat, even less well-resourced agencies will likely be able to take advantage of what are in many cases globally diffuse supply chains that can be infiltrated in various ways, especially as emerging technologies mature and geographically proliferate. In addition to intelligence agencies, some more sophisticated criminal groups interested in carrying out espionage for financial gain, such as drug cartels and organized crime syndicates, may also be willing and able to penetrate devices.
- On Sept. 23, the U.S. Department of Commerce proposed banning certain Chinese and Russian components, both software and hardware, inside connected vehicles sold in the United States, illustrating how some countries are already taking proactive steps to mitigate fears of supply chain infiltration. The United States worries that adversarial countries could collect vital data on U.S. drivers and infrastructure, or even remotely disable vehicles.
Even if threat actors do not engage in a large-scale operation, many electronics' globally dispersed supply chains leave vulnerabilities that could be exploited for more targeted operations, especially after devices' final assembly and with the help of insiders. Israel's operation was most notable not necessarily for its novelty, but for its unprecedented scope and scale. There are likely only a few security services willing and able to pull off a similar feat of seemingly manufacturing devices under the guise of legitimate firms, and even fewer willing to do so when their countries are not actively at war. However, the intricacy of many supply chains that stretch across the globe creates multiple points at which an intelligence service or other threat actor could infiltrate to sabotage devices in a more targeted fashion. Even basic electronics like laptops and televisions (which are probably more vulnerable because their often larger sizes offer more space to surreptitiously implant a listening device or explosive material) typically have supply chains that span the globe, ranging from the sourcing of various inputs and the manufacturing of the finished goods to the final delivery of the devices. More advanced electronics, like semiconductors, often have even more steps along the way that in theory make them even more vulnerable, though high-tech devices are also probably more difficult to tamper with given that they have even less physical space to insert surveillance equipment, let alone explosive material, without noticeably harming their functionality. This means that, in general, tampering with devices would be easiest once they have already been manufactured rather than trying to secretly sabotage inputs before they were assembled, given the risk that quality controls would discover the breach. 
However, this still leaves many points for potential infiltration between then and final delivery — a span of time that typically involves multiple logistics partners, which are often third parties that may, in turn, further subcontract to others. Moreover, even if many countries try to accelerate so-called "nearshoring" and "friendshoring" efforts to curb these threats, such efforts will by no means make them immune and at best only somewhat mitigate them. After all, the volume of goods transported across borders is many orders of magnitude higher than governments' abilities and political will (given the economic cost) to thoroughly inspect more than a small percentage of items. Plus, even with both economic incentives and political pressure to move supply chains out of seemingly higher-risk locations, much lower costs in many developing countries mean there is only so much that governments can do to insulate supply chains for many products. Finally, there will always be lingering threats from insiders who are either willing (for money, ideology or another purpose) or coerced (via physical threats, blackmail or otherwise) to facilitate a third party's ability to infiltrate somewhere along the supply chain. These could range from truck drivers taking goods from a manufacturing facility, customs agents inspecting shipments at a port of entry, or warehouse workers organizing goods before their final delivery.
- The greater likelihood that tampered components are discovered before assembly helps explain why Israel's operation, though requiring far greater upfront resources, was more likely to succeed than one in which spies tampered with device components prior to assembly, which would have created more opportunities for detection.
- In 2014, documents leaked by former U.S. National Security Agency contractor Edward Snowden revealed that the agency operated a secret warehouse where employees placed surveillance devices into Cisco products that had been covertly intercepted before sending the products on to their unsuspecting foreign customers.