Home

Consulting

Press

Publications and Presentations

Newsletter

About

Contact

Linkedin-in Quora
Linkedin-in Quora

Be One with the Supply Chain. Or Just Be the Supply Chain

  • September 28, 2024
  • By K. Campbell, CBCP, CPP
  • Supply Chain

Last week, explosions of pagers and walkie-talkies in Lebanon killed at least 37 people and injured 3,000, many of them civilians. The wave of explosions started on Tuesday, September 17 with the detonation of pagers reportedly used by low-level and mid-level members of the militant group Hezbollah. Reportedly, Israel privately claimed responsibility for the attack, and Israel’s defense minister publicly hinted at Israel’s involvement.

The pagers bore components from Taiwanese pager manufacturer Gold Apollo. According to Gold Apollo’s statements to independent, nonprofit media organization NPR and a statement on Gold Apollo’s website, Budapest-based company BAC Consulting was contracted to buy pagers from Gold Apollo and was licensed to use Gold Apollo’s brand trademark. However, the Hungarian government and the mother of BAC Consulting’s CEO claim the pagers were never in Hungary. If true, BAC was only a witting or unwitting front company—common in intelligence operations—and another entity outside of Hungary designed and manufactured the explosive pagers, using Gold Apollo’s components. It would have been remarkably easy for Israel to implant explosives and related circuitry during the design and build or modification of these pagers.

Due diligence

This pager operation is a reminder that due diligence of licensees and other nodes in a supply chain is critical.  Know your customer processes, or KYC, is also important.

  • Gold Apollo’s founder and president claimed that a Taiwanese woman approached him three years ago about buying Gold Apollo’s pagers and licensing Gold Apollo’s brand.  But BAC Consulting was registered in Hungary only in 2022, according to news reports.  So, it seems that Gold Apollo signed a contract with a company that was not even registered in the country in which it was based.  And if it didn’t claim to be based in Hungary during negotiations with Gold Apollo, where was it registered?
  • Gold Apollo’s founder and president also told NPR that BAC Consulting’s payment transfers were “strange”, that BAC paid Gold Apollo from a Middle Eastern bank account instead of a Hungarian bank account, and that one of these payments was initially blocked by Gold Apollo’s bank.  These incidents should have also raised red flags at Gold Apollo.

Gold Apollo now faces reputation risks due to an apparent failure in due diligence, and an apparently nonexistent or ineffective KYC process.  It will be interesting to what extent this exploding pager operation dents Gold Apollo’s pager business.  Regardless of your country of residence or operations, if you are in the market for a pager would you want to buy a Gold Apollo pager after what occurred in Lebanon?

Hijack the Supply Chain

This pager operation is also a stark reminder that the security and safety of global supply chains can be compromised by patient (reportedly 15 years in the making, according to one source), innovative, well-funded tradecraft—especially if a node in the supply chain is a witting partner of the saboteurs. Even better for the saboteurs if they make themselves part of the supply chain.

  • Counterintuitively, the exploding pager operation was arguably easier than intercepting the pager supply chain—the perpetrators contractually and legally became part of the supply chain.
  • Another interesting example of an intelligence operation involving a supply chain is the reported, decades-long cooperation between U.S. and German intelligence agencies and the Swiss company Crypto AG, which reportedly sold encryption equipment “to more than 120 countries well into the 21st century.” The company, which produced code-making machines for the U.S. military during World War II, was reportedly secretly owned by the U.S. intelligence agencies in partnership with West German intelligence. [Disclaimer:  Although signals intelligence is one of my main areas of intelligence expertise and I have served in two NSA leadership assignments, I am neither commenting on the validity or accuracy of news media reporting on Crypto AG nor do I have knowledge of Crypto AG other than news media reports.]

Hijacking the supply chain could work for other intelligence operations. For example, if intelligence agencies are aware of parts being shipped to Iran for use in its uranium enrichment centrifuges, they can be modified to fail. The same for military aircraft parts that will be illegally shipped to Iran from the U.S. (Iran has a fleet of aging, U.S.-provided military aircraft).

Critical infrastructure is also vulnerable to supply chain sabotage operations, with potential high impact effects. High voltage/large power transformers, which adjust the electric voltage to a suitable level on each segment of power transmission, can take longer than 20 months to produce if the manufacturer has difficulty obtaining key parts or materials. And a very small number of companies manufacture these transformers. For example, Hyosung Heavy Industries Worldwide, a South Korean company, this summer won a contract to replace some of the outdated power systems in Norway. It has a market share of roughly 80 percent in Norway’s large transformers, and has won multiple contracts with other European clients in the U.K., Sweden, Finland and France.

Use it or Lose it. Or Use it then Lose it.

There’s no confirmed information on why Israel chose last week to remotely detonate the explosive pagers and walkie-talkies. Could it have been to “prepare the battlefield” just prior to opening a second front in its Gaza war—what Israeli Prime Minister Benjamin Netanyahu’s government is calling Operation Northern Arrows? One rumor is that a couple of the devices were compromised, Hezbollah operatives having discovered their explosive contents or other anomalies. So, Israeli decision makers decided to execute its remote detonations or risk the compromise of all the devices, which reportedly numbered in the thousands.

Regardless, it is highly unlikely that another similar type of operation—e.g., implanting explosives in Hezbollah’s mobile phones—would be successful against Hezbollah for the foreseeable future. That is why intelligence agencies and decision makers are sometimes reluctant to use their most sensitive assets when the operation will disclose their existence and even that of the supporting infrastructure (The extreme also occurs when these capabilities become a “self-licking ice cream cone”; the capabilities are so sensitive that they are never used, arguably defeating the purpose of their existence). For example, in the case of these “not so inert communication devices”, BAC Consulting’s presumed role as a front company for Israel’s intelligence services is all but finished.

Implications

The tactical effects of the exploding pagers and walkie-talkies can be inferred from the numerous explosions captured on video and the reported numbers of Hezbollah operatives killed and injured. However, the operational and especially strategic effects of the operation are still undetermined. One of the most persistent mistakes by politicians and pundits is conflating tactical, operational, and strategic levels of war. The other persistent mistake is conflating measures of performance and measures of effectiveness.

The pager and walkie-talkie operation will likely also reinforce to C-suites and government decision makers (and terrorist groups) the vulnerability of supply chains. Humans being humans, it often takes visceral events to serve as reminders to what should have been obvious for years or decades:

  • The COVID-19 pandemic is a prime example. CEOs strangely repeatedly say the pandemic was a “black swan” event, despite the Severe Acute Respiratory Syndrome (SARS) coronavirus (named SARS-CoV) outbreak in 2003; H1N1 pandemic in 2009, Occupational Safety and Health Administration‘s flu pandemic guidance published in 2009; the MERS-CoV outbreak in 2012; the 2014 Ebola epidemic; the 2017-2018 flu season, which is possibly the worst flu season in recent U.S. history; and decades-long, persistent warnings by virologists and disaster preparedness experts that pandemics are matter of when, not if.
  • An assassination attempt with a long gun on July 13, 2024 against a U.S. presidential candidate from a rooftop less than 200 yards away from the candidate—not the least bit a novel assassination attempt.
  • Supply chain example: More than 200 highly automated, Chinese-made cranes installed at U.S. ports and related facilities were found to contain communications equipment for no apparent reason. Pearl clutching in the U.S. ensued.

Hezbollah, the world’s most capable terrorist group, which is arguably paranoid about foreign infiltration and even has a unit devoted to its internal security, bought thousands of communication devices that it thought was from a company based in a country (Taiwan) that hopes or even expects to be defended by the U.S. if it is ever attacked by China……and apparently never inspected these communication devices. Quite the lesson learned and security reminder for Hezbollah. And where will Hezbollah’s communications be “herded” to, now that it has lost many of its pagers and walkie-talkies and probably doesn’t trust the ones that remain?

And will various companies–from aerospace and defense behemoths to manufacturers of electric grid components to port authorities–increase vigilance of their vendors and supply chains, conduct or update their risk assessments, and take their business continuity plans more seriously?

What will be the next supply chain to be hijacked?

Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Carla
Carla
March 8, 2025 3:36 pm

Test 3

0
Reply

Connect with K. “KC” Campbell

Linkedin-in Quora

Copyright © 2025 All Rights Reserved – K. “KC” Campbell, CBCP, CPP®

Scroll to Top