Digital Conflicts is a bi-weekly briefing on the intersections of digital culture, AI, cybersecurity, digital rights, data privacy, and tech policy with a European focus.
Brought to you with journalistic integrity by Guerre di Rete, in partnership with the University of Bologna's Centre for Digital Ethics.
N.14 - 24 September 2024
Author: Carola Frediani and Andrea Daniele Signorelli
In this issue:
Exploded Pagers: a Reconstruction of Events
What follows is still a tentative, partial, slippery outline to help form a first idea for further investigation. No one here has explanations or solutions at hand, and anyone who claims otherwise is lying (unless they are one of the perpetrators, in which case other caveats would apply).
For this reason, I have limited my comments as much as possible and linked to the various sources I have collected. I've left out the political and legal implications for lack of space, but I may return to them in the future.
For now, the priority is to report the facts. [Carola Frediani]
The explosions
On the morning of September 17, thousands of pagers exploded in Lebanon and Syria. These were the devices used by Hezbollah, the Shiite militia that intervened in the conflict between Israel and Hamas after October 7. The group had ordered its members to abandon cell phones for fear they could be tracked or intercepted by Israel, and instead rely on a technology considered less traceable and less likely to become a target for assassination. In a televised speech more than six months ago, Secretary General Hassan Nasrallah urged Hezbollah members and their families in southern Lebanon to give up their cell phones. “Shut it off, bury it, put it in an iron chest and lock it up”, he said in a speech in February. “Do it for the sake of security and to protect the blood and dignity of people”.
On Thursday, after the explosions, Nasrallah said that Hezbollah's leadership still had old pagers, while the newer ones used in the attack had been delivered in the past six months. The group has launched an investigation into the blasts. "The enemy knew that the pager devices numbered 4,000", he added.
According to Lebanese security sources interviewed by CNN, Hezbollah purchased the pagers months ago, and on September 17, these devices exploded simultaneously after receiving a message (after ringing, according to Lebanese sources). A New York Times article quoted American officials as saying that Israel had placed explosive charges next to the battery of each pager, along with a detonation mechanism. Most of the pagers were reportedly Gold Apollo AR-924 models, but three other models were also included in the shipment (more details below).
The explosions initially caused more than 12 deaths (including two children) and more than 2,800 injuries (according to Lebanese sources, with the number rising), including the Iranian ambassador to Beirut (who claims not to have had a pager, but was near one and is now severely injured in the eyes). Panic spread, not only among Hezbollah militants: doctors at the American University of Beirut Medical Center were told to throw away their pagers, according to The Economist.
According to CNN, the attack was a joint operation by Mossad, Israel's intelligence agency, and the military. Israel refused to comment publicly on the blasts, although Israel's defense minister later said a "new era" of warfare was beginning, "tacitly acknowledging its role in shock twin attacks", CNN reported.
On September 18, an unspecified number of walkie-talkies also exploded in Lebanon (photos of an exploded walkie-talkie were published), initially causing several deaths and hundreds of injuries (the current toll is 25 dead and 600 injured, according to Lebanese sources cited by various media). In addition to the walkie-talkies, other devices were mentioned, but the information about them remains even more vague and confusing. "There are reports of several different devices blowing up", Al Jazeera wrote. "Chief among them are walkie-talkie radios, but there was also mention of mobile phones, laptops and even some solar energy systems. Several cars reportedly exploded as well, but it is not clear if those were caused by the car itself exploding or something inside it".
As for the walkie-talkies, images of the exploded devices showed labels with the name of the Japanese company ICOM, and they resembled the company's IC-V82 model. On Thursday, ICOM said that it was investigating the matter and could not confirm whether it had shipped the devices, in part because that model was discontinued 10 years ago.
The Flow of News
Before diving into some of the more confusing aspects of the story, let's recap the timeline and flow of news on September 17.
It is around noon GMT (3 p.m. in Lebanon) when the first reports emerge that Israel's internal security service (Shin Bet) has foiled a plot by a Lebanese armed group to assassinate a former senior defense official, and that the plan was to use explosives and a cell phone.
About an hour later, the first reports come from Lebanon that Hezbollah members have been injured by the explosions of their pagers. Another hour passes, and the Lebanese Ministry of Health issues an urgent statement saying that “large number of people with various injuries are arriving at Lebanese hospitals, and it has been initially determined that the injuries are related to the explosion of wireless devices that were in the possession of the injured”.
As a result, the Ministry urges all hospitals to be on high alert and to raise their level of preparedness to respond to the emergency. It also advises all citizens who have wireless communication devices to stay away from them until further clarity on the incident is provided. In addition, the Ministry notes that most of the injuries are “to the face, especially the eyes, or to the hands or abdomen”.
Who Manufactured the Pagers
From the first images of the destroyed pagers, it was determined that they could have been made by Gold Apollo, a manufacturer based in Taiwan. A few hours later, however, Gold Apollo's founder, Hsu Ching-kuang, stated that the company did not manufacture the pagers used in the Lebanon explosions. Instead, they came from a European company, Bac Consulting KFT (based in Budapest), which had the right to use the Taiwanese company's trademark. In fact, "regarding the AR-924 pager model mentioned in the recent media reports [about Lebanon], we clarify that this model is produced and sold by BAC”, said Hsu Ching-kuang, adding that business relations between his company and Bac began three years ago and describing the Hungarian company's money transfers as "strange".
Bac Consulting had paid Gold Apollo from a Middle Eastern bank account that had been blocked at least once by Gold Apollo's Taiwanese bank, Hsu said.
The Hungarian Connection
Corporate records at the Hungarian Ministry of Justice show that Bac Consulting was registered as a company in May 2022, CBS News writes, with a CEO named Cristiana Barsony-Arcidiacono.
According to CBS, Barsony-Arcidiacono had also registered another company in her name in France in 2015, "specializing in business consulting and other activities", which was dissolved in 2016.
DW journalists visited Bac's official address in Budapest, but did not meet or see any employees. No one answered the door. An A4 sheet of paper with the name "Bac" printed on it was reportedly the only visible sign of the company. Residents of the building told DW that they were unaware of such a company and rarely saw mail sent to the address. According to data analyzed by DW, Bac Consulting recorded a net profit of 46,400 euros in 2023, on revenues of 546,000 euros.
The Hungarian government confirmed that Bac is a commercial intermediary with no production or operating facilities in Hungary. It has only one registered manager at the declared address, and the equipment mentioned has never been in Hungary. Meanwhile, Barsony-Arcidiacono's mother, contacted by AP in Sicily, said on Friday that her daughter is now under the protection of Hungarian services. The government in Budapest has not confirmed this.
The Bulgarian (and Norwegian) Connection
Just hours later, the Bulgarian connection also surfaced. It was brought to light by the Hungarian outlet Telex, which reported that Bac Consulting was merely an intermediary in the transaction. It claimed that Bac's CEO, Cristiana Barsony-Arcidiacono, had been dealing with a Bulgarian company, Norta Global Ltd, based in Sofia. "Although on paper it was BAC Consulting that signed the contract with Gold Apollo, Norta Global Ltd. was actually the one behind the deal. According to our information, it was the Bulgarian company, not BAC Consulting, that imported the pagers from Taiwan, and the Bulgarian company was also the one that arranged the delivery of the equipment, and sold it to Hezbollah", Telex writes.
According to documents reviewed by CBS News, Norta Global Ltd was registered as a company in Bulgaria in April 2022, with its sole owner being a Norwegian citizen named Rinson Jose. On its website - which is now offline - Norta Global Ltd was described as a company offering a range of services, from outsourcing to consulting, technology integration, payments and the processing of significant business transactions.
But who is Rinson Jose? The question sparked interest in the Indian media, because the Norwegian has roots in Kerala. The Indian publication Onmanorama profiled Jose, saying he was from the Wayanad district, a former seminarian, the son of a tailor, and later studied business administration. The newspaper also reported that it had contacted his family (in India), who said he was now in the US.
"Jose has a profile on Founders Nation, an Israeli business networking website, that lists multiple organizations with connections, either now or in the past, to the Israel Defense Forces as official partners", writes The Washington Post, adding that on Tuesday, the man was supposed to fly to Boston to attend a technology conference, but did not show up. Since then, his whereabouts have been unknown.
In any case, 1.6 million euros allegedly passed from the Bulgarian company Norta Global, owned by the Norwegian-Indian Rinson Jose, to the Hungarian company Bac, registered under Cristiana Barsony-Arcidiacono. Bac then outsourced the production and sale of the pagers to the Taiwanese company Gold Apollo, according to the Lebanese television station LBC.
An Elaborate Intelligence Project
Let's pause the reporting and move on to the analysis (preliminary, shaky, and to be taken with a grain of salt, like any analysis at this stage, in the face of such a complex and still unclear event).
Current and former U.S. and Israeli intelligence officials interviewed by the Washington Post painted the following picture. The explosions of the pagers (and later walkie-talkies and perhaps other devices) represented the culmination of a multiyear investment in penetrating Hezbollah's communications, logistics and supply structures. Long before the pagers were packed with explosives, some officials said, Israel's Mossad foreign intelligence agency and other services had developed a detailed understanding of "what Hezbollah needs, what are its gaps, which shell companies it works with, where they are, who are the contacts".
After mapping these networks, it was necessary to create an infrastructure of shell companies, where one sells to another, which sells to another, all to maneuver closer to Hezbollah's procurement agents, who rely on shell companies.
According to intelligence sources interviewed by ABC News, the operation was conceived 15 years ago, and the planning of the attack involved shell companies, with multiple layers of Israeli intelligence officers and assets providing cover for a legitimate company that manufactured the pagers. However, at least some of those involved in the operation did not know who they were actually working for.
"There’s a lot of front companies and cutouts and fake personas", Gavin Wilde, a former White House official and cybersecurity expert at the Carnegie Endowment for International Peace, told the Washington Post. "If there really are folks who were truly patsies, they’re going to have to live in fear the rest of their lives because [even if they were unaware of the plot] Hezbollah isn’t going to believe that".
Technical Analysis
But what kind of operation are we talking about? It appears to be a "supply chain interdiction" operation. Simply put, the crux of the attack lies in physically accessing and manipulating hardware devices and then controlling the supply. It is therefore primarily a traditional intelligence operation before it is anything else.
"The most obvious explanation is that a tiny quantity of explosive material was concealed inside the pagers. The devices would have exploded on receipt of a coded message. This is similar to a device initiated by mobile phone, but on a much smaller scale, and far more difficult to detect. For decades, armies have used sabotage tactics with varying amounts of explosives to disrupt supply chains, usually targeting insurgencies", British military explosives experts told the NGO AOAV.org.
Secretly attacking the supply chain is not a new technique in military and intelligence operations. For example, the U.S. National Security Agency has intercepted hardware and computers destined for foreign customers, inserted malware or other surveillance tools, and then repackaged them for delivery to specific foreign buyers, according to internal NSA documents from 2010.
Moreover, the creation or subsequent control of companies that manufacture or trade in communications equipment was immediately reminiscent of the multi-year CIA and German intelligence operation to manufacture and sell "backdoored" encryption machines.
However, what many observers say distinguishes this operation is the use of these well-established intelligence techniques to plant explosives (rather than surveillance tools) in communications devices, and to do so on a large scale (rather than in a single targeted killing, as Israel has done in the past). This was done in order to have them explode in unison after presumably succeeding in selling them to the enemy organization.
For some, the operation exemplifies the convergence of the cyber and physical domains (a topic that has been discussed for some time), namely the use of cyber attacks or cyber elements to cause physical harm. At the same time, it also highlights the gradual adoption of asymmetric tactics by states (and not just non-state actors).
How Did They Do It?
The Irish Information Security Forum (IISF) attempted to outline the phases of this attack:
Information Gathering, Infiltration, Planning
This requires knowledge of the targets' secret strategic decisions, purchasing decisions, supply chain networks, infiltration points, collection and transmission of secret information, and procurement of technical teams. It requires many resources typically associated with nation-states.
Insertion/Interception, Tampering or Re-engineering
Pager shipments can be intercepted at some point in the logistics chain. Alternatively, temporary business organizations can be created to handle ad hoc orders. Either way, inserting explosives requires careful design so that the replaced or added components are integrated without altering the appearance or basic functionality of the pagers.
Remote Activation
By their nature, pagers are designed to allow remote activation mechanisms such as test alarms, emergency transmission alarms, etc. This mechanism could use secure communication channels, possibly using satellite in combination with existing radio frequency networks. The synchronization of explosions in multiple locations indicates a high degree of coordination and real-time control.
Cyber Exploitation
Attackers would also need to "exploit vulnerabilities in the device's firmware, usage method, or communication protocols".
In addition, executing such an attack would present several technical challenges:
Miniaturization of Explosives
Integrating explosives into the device requires detailed engineering knowledge of both the electronics and the explosive components.
Secure Communication
Attackers must find a reliable and secure method to remotely trigger the detonation mechanism. This could be done by exploiting normal operating modes in combination with compromised firmware or other communication channels.
Synchronization
Coordinating the simultaneous detonation of thousands of pagers would require precise synchronization mechanisms. This could potentially be achieved with a centralized control system capable of sending activation signals to all modified devices at exactly the same time. That is where the IISF's analysis ends; I refer readers to it for further technical details.
Why Pagers?
Pagers (beepers) leave a small electronic footprint compared to cell phones, making them less vulnerable to hacking, surveillance and location tracking. They are also easy to use, have battery life that lasts for days, and can receive messages without relying on the Internet or cellular networks.
"The Gold Apollo pagers can receive messages at a frequency of 450 to 470 megahertz", writes NBC. "The AR-924 model is alphanumeric, meaning it can send messages containing both numbers and letters. Like many other pagers, the AR-924 is a one-way device, meaning it is unable to send messages and instead only receives them".
"The idea is that the pager is always listening and has a unique address", a cybersecurity expert who prefers to remain anonymous explains to Digital Conflicts. "When you send a message to it (on a shared frequency, so you probably have a maximum number of simultaneous messages you can send per second for each frequency), it activates, beeps, decodes/decrypts the message, and sends it to you. Often these devices or protocols support broadcast messages. With a signal on the right frequency, at the right power, with the right encoding, you send a nice broadcast message (like an alert) that reaches all the pagers that pick up your radio signal. Now, just as the pager's processor/microcontroller decodes and displays the message and sends a signal to the ringtone buzzer, it can send a similar signal to a bomb if the message contains a predefined sequence. Of course, it's important that the sequence is long enough and random enough that no one accidentally sends the message too early. Perhaps it exploits a protocol violation. Of course, this is just speculation. We can only be more precise with more details".
According to Lebanese sources gathered by Reuters, the explosive used in the pagers was PETN. The NYT also says it was PETN. Cryptomuseum has collected all the technical specifications of the AR-924 on a very useful page.