The explosions of Hezbollah members’ pagers and walkie-talkies on September 17 and 18 shocked Lebanon. But the modus operandi of the attack highlights a risk to which companies around the world are exposed. Because everything suggests that Israeli services managed to infiltrate Hezbollah’s supply chain, in order to provide them with booby-trapped pagers. This is known in the sector as a “supply chain attack”.
A striking reminder that supply chain security is no longer a logistical issue but a highly political one. The problem, points out Lewis Sage-Passant, a private sector intelligence professional and lecturer at Sciences Po Paris, is that “companies today have great difficulty in accurately mapping their supply chains.” Using parts manufactured on the other side of the world in different workshops before being sent back to another country has become more commonplace. But to control your supply chain, you don’t just have to control your suppliers. “You also have to know your suppliers’ suppliers,” the expert reminds us. An endless thread.
Computer manufacturers, for example, often have top-notch security and few vulnerabilities to exploit. “But maybe the company that makes a piece of rubber that goes under the computer isn’t as secure,” Sage-Passant says. That’s where attackers can get in.
The explosion of beepers in Lebanon is not the first attack of its kind. Especially since “supply chain attacks” do not systematically aim to destroy the targeted device and can take various forms. “The NSA injected malicious code into hard drives to spy on users, and had monitored European leaders through undersea cables, thanks to a technical diversion,” recalls Pierre Delcher, director of the cybersecurity research team at HarfangLab.
Spies on the production line
During Russia’s invasion of Ukraine, the Viasat satellite communications network also suffered a major cyberattack, blocking the Internet for several hours. The modems supplied by Viasat were apparently sabotaged “months in advance” to allow the attack, continues Pierre Delcher.
The risk that devices from a European company are booby-trapped is “much lower,” observes Lewis Sage-Passant. Not only is this type of operation as costly as it is risky, but companies carry out quality checks to identify any abnormal components. “However, we cannot exclude the possibility that agents have been introduced into certain production lines for espionage operations, particularly to plant microphones,” warns Pierre Delcher.
Supply chain attacks are sometimes very discreet. “Recently, a communications operator’s Internet address resolution systems were compromised, which allowed attackers to distribute malicious updates,” the researcher recalls. Sometimes, only an error by the attacker or chance can allow them to be spotted. Impressive computer attacks have already targeted Western companies. In 2017, one of the most devastating, NotPetya, blocked thousands of computers in Europe and caused losses in turnover estimated at 10 billion dollars.
A report 2023 ANSSI [NDLR : Agence nationale de la sécurité des systèmes d’information] was also alarmed by the increase in the number of attacks against companies in strategic sectors. And the company specializing in cybersecurity SecurityScorecard announced in March 2024, 98% of the 100 largest French companies were working with a supplier that had been the victim of a data leak.
Pharmacy, food… sectors at risk
Unfortunately, few professionals are sufficiently aware of these risks. “Companies are starting to get involved, but only within their own perimeter, and no one checks the service providers of the service providers”, regrets Thomas Kerrien, who specializes in supply chain cybersecurity issues. European directives could improve the situation by requiring contracting authorities to ensure that their supply chain is completely secure. One of them, “NIS 2”, is due to come into force at the end of October 2024.
It is important to protect yourself well against this type of attack because they can have terrible consequences, particularly in sectors as sensitive as food or the pharmaceutical industry. “All these players are potential targets today, because we can create food or drug shortages very easily,” adds Thomas Kerrien. All it would take is for attackers to take control of critical IT tools, such as the warehouse management system, to destroy a stock of food, or scramble data on the composition of certain drugs, and make the system toxic. These threats could, in the long term, reshape international supply chains. Some companies are already studying the idea of shortening them in order to better control them or relocating their operations to less dangerous countries. “If you are a company in a sensitive sector,” warns Lewis Sage-Passant, “now is the time to make sure that you only work with trusted suppliers.”
.