I’ll try and keep this concise, so cliff notes for what happened:
Incident
On 17/09, pagers started exploding across southern Lebanon. Hezbullah typically used these pagers to transmit one-way status updates, warnings of inbound strikes etc. to their soldiers and people in the community, and it was the specific brand and model Hezbullah preferred that were exploding. Roughly 3,000 people were hospitalised and 10 killed outright, which flooded the Lebanese hospital system and prompted medical resources to be transferred from friendly countries such as Iran and Iraq.
Two days later, other devices began exploding as well, primarily portable ICOM-branded radios but there were also reports of various other items such as clock radios, portable solar chargers, remote access keypads and other personal electronics. This wave of explosions was smaller but more lethal – roughly 400 reported injured and another 10 or so killed.
Cause
The initial news reports, mostly citing anonymous US/israeli sources, claimed that it was a cyberattack and that the israeli intelligence services had found a way to remotely detonate the lithium cells inside the pagers. This was obviously not true given the videos of the explosions – they were high explosives: there were no major fires and no characteristic vapor/smoke, and the explosions themselves were too violent and consistent.
It was later leaked by the Lebanese investigation team (and ‘confirmed’ by anonymous israeli intelligence sources) that the pagers had been tampered with to contain around 20g of PETN explosive compound, and that the batteries had been shorted and overheated in order to detonate the PETN charge.
Attack Vector
Initially I assumed that the pagers themselves had their firmware hacked to detonate upon receiving a certain code, but the later explosions in other devices make this seem less likely.
The most likely attack vector is some kind of modular bomb built into the lithium cell – the attacker could remove the battery from the casing, put a smaller battery and triggering system (likely a small radio antenna that shorts the battery when receiving a specific frequency, as space would be too limited for decoding chips or anything like that) in the casing and fill the remainder of the void with PETN. With this kind of device an attacker could replace the lithium cell in any portable device with a hidden bomb without having to worry about software/firmware/circuitry in the device itself.
Supply Chain Attack
Before the second wave of attacks, analysis was focused on the pagers themselves – they were the AP-924 model manufactured by the APOLLO GOLD company in Taiwan, a model that was popular in the 2000s and still in use by hospitals and other critical centres that wanted a way to keep contact with staff if cellular networks failed.
APOLLO is now under investigation by the Taiwanese authorities and has released several statements relating to the AP-924 – specifically that they no longer manufacture the device themselves, that they’ve licensed the design to a Hungarian consultancy firm, and that the design has been changed since it was transferred.
The consultancy firm, BAC Consulting, appears to be some kind of front organisation: it has only one registered employee (a woman who appears to have had her identity stolen, as she published several academic papers on hydroelectric cells in the mid-2000s before re-emerging as a generic NGO volunteer in the 2020s), a website (now deleted) that says nothing about what the company does or any kind of manufacturing capability, and annual cash inflows of $500,000+ since 2022. It stands to reason that this company or its subsidiaries were set up explicitly for this kind of sabotage.
As an aside, there are also reports that the manufacturer would not ship the batch of pagers directly to Lebanon, instead sending to Jordan where it was held by customs before being transferred on – leading to speculation that they could’ve been tampered with there.
HANDALA Hacks
A pro-Palestinian hacker group calling itself HANDALA claims to have hacked several israeli companies involved with this attack and will release evidence ‘in a matter of hours’.
They claim that the battery bombs were developed by Israeli Industrial Batteries in conjunction with Unit 8200, israel’s famed SIGINT/Electronic Warfare unit. According to them the explosive batteries were manufactured in israel, then shipped to Europe (specifically to the manufacturing plant affiliated with the aforementioned BAC) and implanted in the pagers and potentially other devices meant to be delivered to Lebanon (indicating that the sabotage was performed at the site of manufacture, not in customs in a transit country).
This, however, calls into question how the Mossad was able to transfer large amounts of explosive into the EU and out again after assembly.
The answer to that question is that Vidisco is another israeli state-adjacent company that works with Unit 8200. Vidisco manufactures around 80% of the X-ray and contraband detection hardware used in western airports and seaports, and apparently maintains backdoors that allow israeli state operations to simply silence detection on shipments they want to keep secret.
HANDALA claim to have around 20TB of data stolen from the two companies to prove their claims; we’ll see if they’re able to deliver.