When Israel and the United States joined forces 15 years ago to execute the defining cyberattack of a new age of conflict — a deviously ingenious effort to inject malicious code into Iran’s nuclear enrichment plants, sending them spinning out of control — the operation was reviewed by lawyers and policymakers to minimize the risk to ordinary civilians.
They decided to go ahead because the targeted equipment was deep underground. President Barack Obama was assured that the effects could be strictly contained. Even so, there were surprises: The secret computer code got out, and other actors amended the malware and turned it against a variety of targets.
Now, the presumed Israeli sabotage of hundreds or thousands of pagers, walkie-talkies and other wireless devices used by Hezbollah has taken the murky art of electronic sabotage to new and frightening heights. This time the targeted devices were kept in trouser pockets, on belts, in the kitchen. Ordinary communication devices were turned into miniature grenades.
And while the target was Hezbollah fighters, the victims were anyone standing around, including children. Lebanese authorities say 11 people died and more than 2,700 were injured in Tuesday’s attack. On Wednesday, at least 20 more people were killed and 450 injured in a second round of attacks with exploding walkie-talkies.
There is reason to fear where this attack on Hezbollah fighters might go next. The history of such sabotage is that once a new threshold is crossed, it becomes available to everyone.
Of course, there is nothing new about sabotaging phones or planting bombs: Terrorists and spy agencies have done that for decades. What made this different was the mass scale, the implantation of explosives on so many devices at once. Such subterfuge is difficult to pull off, because it requires getting deep into the supply chain. And that, in a way, is the best reason for people not to be afraid of their internet-connected refrigerators and computers.
But our sense of vulnerability about how everyday implements connected to the internet can become deadly weapons may be just beginning.
“This might well be the first and frightening glimpse of a world in which ultimately no electronic device, from our cellphones to thermostats, can ever be fully trusted,” Glenn Gerstell, the general counsel of the National Security Agency for five critical years as the cyberwars heated up, said on Wednesday.
“We’ve already seen Russia and North Korea unleash cyberweapons over which they had no control, which indiscriminately damaged random computers around the globe,” he said. “Could other personal and household devices be next?”
If Mr. Gerstell is right, it raises the question of whether these attacks, widely attributed to Israel’s intelligence services, were worth the price in our shared sense of vulnerability. The explosions had little strategic purpose. As one Western diplomat with long experience dealing with the Middle East said, they were hardly about to force Hezbollah’s leaders to give up a cause they have battled over for four decades.
The chief effect is psychological. Just as pervasive surveillance makes people question who might have access to the phones that now contain details, treasures and secrets of one’s life — pictures, text messages, credit card numbers — the sabotage makes everyone fearful that ordinary devices can become an instant source of injury or death. It gnaws at the psyche.
It also disrupts communications, which led to speculation that the attacks could be the opening act in a broader Israeli offensive. Israel’s defense minister, Yoav Gallant, said just before the explosions began to resonate across Lebanon that a “new phase” of military action had begun, moving away from Gaza and to the north. Making Hezbollah fighters and leaders terrified of picking up their wireless devices would provide a tremendous, if temporary, advantage. Yet so far, that broader attack has not materialized.
Still, it is unclear how much cyberrelated ingenuity, if any, was involved in the deadly explosions. The pagers, which Hezbollah turned to because of fear that Israel had cracked its cellphones, seemed attractive to the terrorist group precisely because they were low-tech and did not operate via vulnerable cellphone networks and the internet.
Theories abound about how the explosives were placed in the devices. Under the most probable scenario, Israeli agents laced the batteries with explosives when the devices were manufactured, by a front company in Budapest that licensed the dated pager technology from a Taiwanese company. Others think the devices may have been modified at some point between their manufacturing and their distribution to Hezbollah leaders and fighters.
Whatever the means of sabotage, the result was the same: Just a few ounces of explosives, hidden in the pagers and the walkie-talkies, were capable of causing grievous injuries, beyond the kind of damage that could be wrought if the batteries in the devices overheated and caught fire.
It is possible those explosions were triggered just by a message sent, simultaneously, to the pagers. Or it is possible that by exploiting a vulnerability in the basic code that runs the pagers, the attackers were able to overheat the batteries and detonate the explosive charges.
But the Israelis also could have used cyberoperations or signals intercepts simply to figure out how to gain access to the pagers themselves, some experts say.
“The main cyberoperations likely only provided the intelligence that Hezbollah placed a huge order for pagers and where they would be in the supply chain at specific times,” said Jason Healey, a cyberexpert at Columbia University. “At most, some signal was sent which detonated the explosive. Perhaps that actually did use some exploit to overheat the battery causing the detonation.”
Getting into supply chains to sabotage operations is hardly new. More than a decade ago, American officials intercepted the power supplies headed to Iran to make the country’s nuclear centrifuges spin — and thus its ability to produce fuel that could get diverted to weapons projects.
American officials intercepted giant Chinese-made power generators during the Trump administration that they believed had been altered to insert a “kill switch” that could be triggered from outside the country. And for more than a year now, American officials have been warning about “Volt Typhoon,” a Chinese intelligence operation to lace U.S. power grids with malware that could turn off the lights and the water supply, especially during a conflict over Taiwan.
Before the Chinese intelligence services wormed into America’s power grid, Russia did the same — and, to deter Moscow, the United States planted code in the Russian grid.
The early evidence, however, suggests that such techniques can bring about a tactical advantage but few strategic effects. Even the American-Israeli cyberattacks on the centrifuges in Iran — a highly classified, expensive operation code-named “Olympic Games” — set the Iranian program back by only a year or 18 months. Eventually it drove the program farther underground.
But attacks like the one on the centrifuges, or on power grids, are directed at big infrastructure, not hand-held devices. And so the attacks in Lebanon may herald a new wrinkle in such sabotage, made to infect hand-held devices.
“Certainly, if Chinese or Russian intelligence could overheat electronic devices to cause fires, it might help keep defenders reeling in the early phases of a crisis,” Mr. Healey said. “But that seems a touch far-fetched, as there have been more than enough examples of going for physical destruction of electrical grids, for example.”