2024-09-19
Supply Chain Attack Theorized in Hezbollah Device Explosions
At 3:30pm on September 17, thousands of pagers exploded simultaneously in Lebanon and Syria, killing 12 and injuring over 2800. The following day, 20 more deaths and over 450 injuries resulted from a second wave of explosions, this time from walkie-talkies. Lebanese officials attribute the attacks to Israeli military intelligence; experts have theorized that the devices - purchased by Hezbollah in a recent initiative to protect communications by using older technology - were intercepted in the supply chain and modified. Analysis suggests the explosions were not consistent with induced battery malfunction, but more likely involved detonation of embedded explosives.
Editor's Note
Obviously, launching a physical supply compromise like this one takes a very sophisticated threat actor and long planning. Mailing explosive devices or poisoned/compromised USB sticks (or having them delivered) to key employees at your company does not. Use the publicity around this one to make sure mailroom security still exists and extends to how supplies are delivered to remote employees and board members - USPS Pub 166 (https://about.usps.com/publications/pub166.pdf) is a good starting point.
John Pescatore
Supply chain attacks are difficult to detect and defeat. Although this one had a kinetic component, the same principle applies for software supply chain attacks - deny use or compromise communication of the device. As with most everything, supply chain attacks have a shelf-life before they are discovered or used.
Curtis Dukes
It's not clear if the hardware was manipulated at the third-party manufacturer, or in transit to the distribution center. What we can do is make sure that we've verified the integrity of our devices when received, to include the distribution channel, and make sure that our issuance process is secure, particularly when sending devices to remote workers or locations. When purchasing through a third-party, or low-bidder, VAR/DSB/etc., make sure you've had a conversation with them about supply chain security, and you understand and accept the risk of their processes. Even so, trust but verify. This is also a lesson in contingency planning. They moved from cell phones to pagers/walkie-talkies due to risk of compromise; what's plan C? RFC 1149 (IP over Avian Carriers)? Messengers with notes? Always have a plan C, D, E ready to go.
Lee Neely
This attack exploited the target population's need for secure communication among its members and the attacker's total disregard for collateral damage. The conditions for its success are rare and the lessons so stark that it is not likely to be copied. The lessons include that the supply chain is long, opaque, and vulnerable.
William Hugh Murray
There are many questions about how the interception happened, how the targeting happened, and why exactly this date was chosen. Now, what about fallout? Well, there will be heightened thoughts and scrutiny over physical devices. It is unclear how this would be done, given how many physical devices we all have, but the actual use case shows others how effective this can be.
Moses Frost
Read more in
Wired: Walkie-Talkies Explode in New Attack on Hezbollah
Wired: First Israel's Exploding Pagers Maimed and Killed. Now Comes the Paranoia
Nextgov: Device detonations reveal 'incredible' intelligence abilities: ex-NSA chief
The Register: Lebanon: At least nine dead, thousands hurt after Hezbollah pagers explode
The Register: Lebanon now hit with deadly walkie-talkie blasts as Israel declares 'new phase' of war
CNN: Walkie-talkies explode in Lebanon day after deadly pager attack