|In Lebanon, electronic devices and spyware have been found on individuals charged with spying for Israel [EPA]
Beirut, Lebanon - The confirmation by officials in the United States of the exposure of their CIA informants in Lebanon has caused a flurry of excitement in both the local and international media in recent days, adding yet another chapter to intelligence activities on Lebanese soil.
Hezbollah chief Hassan Nasrallah revealed in a press conference in June 2011 that the Lebanese Shia resistance movement had discovered and arrested at least two of its members, whom Nasrallah said were working for the Central Intelligence Agency.
Although the US embassy denied the story at the time, unnamed US government officials recanted and confirmed the arrests last week. Media reports claim that the intelligence agency has gone so far as to shut down its Beirut bureau after it was compromised by Hezbollah's announcement.
The intelligence war playing out in Lebanon is nothing new, however. For decades now, intelligence agencies have been infiltrating the country, with up to 70 suspected spies arrested by the Lebanese authorities in 2009 and 2010 alone.
Cash payments for telecoms data
One of Lebanon's most vulnerable infiltration targets has been its telecommunications network. In 2010, Charbel Qazzi and Tarek Rabaa, both telecom engineers with Alfa (one of Lebanon's two mobile network operators), were arrested within weeks of each other and charged with spying for Israel.
Qazzi, a senior technician at the time, had access to all the passwords necessary to access the mobile network computer systems, both remotely and onsite, which he confessed to handing over to the Israelis. He said he was first contacted by Mossad in the 1990s, when he snuck across the border to consult with an Israeli doctor over a medical case concerning a relative of his.
He was charged with "entering enemy territory, collaborating with Israel, and providing it with information".
According to media reports quoting security officials, Rabaa, a transmission engineer for Alfa, was first contacted by the Israeli intelligence services when they posed as an international recruitment company in 2001. Following an "interview" in Cyprus, they asked him to complete a "case study" on the telecom network. A few months later in 2002, they contacted Rabaa again and asked him to perform a polygraph test, which he apparently failed. They re-established contact again in 2005, and conducted a series of meetings with him in countries all over the world, including Thailand, France, Denmark, Turkey and the Czech Republic, until Rabaa was arrested in 2010.
In these meetings he was given cash payments ranging from $2,000 to $20,000, depending on the information he gave them. This included a map of the Lebanese mobile network backbone, the names of every employee at the company, and a study of the network in the southern part of the country, which borders Israel.
"With knowledge of the network backbone, they know the geographical location of the nodes in the network and the type of equipment used. They would know where to orient their monitoring equipment, break the encryption codes, and eavesdrop on the network," Marwan Taher, a computer engineer, told Al Jazeera.
"He was gathering everything you could ever imagine about the Lebanese cellular network."
- Hassan Illeik
In one meeting held in Turkey in 2009, news agency reports claim Rabaa told his handlers that Alfa was in talks with a Chinese company to procure equipment to use in expanding the network in Lebanon's south. His handlers stressed upon him the need to maintain the current supplier of telecom equipment, a European company, as it would be more difficult to compromise the Chinese equipment than the European one. Rabaa was one of the major players who convinced Alfa to stay with the European company.
"He was gathering everything you could ever imagine about the Lebanese cellular network," Hassan Illeik, a journalist with the Lebanese daily Al Akhbar, who has been closely following the issue of Israeli infiltration, told Al Jazeera. "The location of all the antennas, all of the information on the base transceiver stations (BTS), all of the passwords he could access, all the information about the new technology being installed in the cell networks and the maps for the Lebanese mobile networks backbone."
Rabaa continues to maintain that while he knew he was working for an intelligence agency, he insisted he was working for NATO. His family claims that Rabaa was forced to confess under torture.
"The Lebanese intelligence services know the ways in which the Americans, NATO, the French, Danish, whichever intelligence agencies work in Lebanon, and when they want to meet their spies, they do so in Lebanon," said Illeik. "They don't go to Thailand to meet their spies. The Israelis always ask their spies to go abroad, like Cyprus, Italy, Czech Republic, Turkey, to hold meetings."
Charbel Nahhas, former minister of telecoms, said in a press conference at the time that "this was the most dangerous espionage act in Lebanese history".
"Qazzi and Rabaa are not the only guys working in telecoms and 'allegedly' working for Israelis," said Illeik. "These are only two of a much bigger pool."
Others include a retired general and his wife who worked for the Israelis between 1994 and 2009, and whose house was a treasure trove of spying devices and gadgets. He confessed to providing Israel with a number of newly-purchased Lebanese SIM cards (to then redistribute in Lebanon), among other sensitive information.
Then there was the software engineer who, up until his arrest four months ago worked in the private sector with a number of banks, and had helped set up the DSL network in Lebanon. Like Rabaa, he claims he was contacted by an "international recruitment company" and asked to complete a "case study" before partaking in numerous meetings between 2002 and 2006.
"The Israelis don't think the Lebanese are intelligent enough to discover their infiltration," said Illeik. "You can see this in their rhetoric. When they get caught they think it's because of their failure, not because of their enemy's sophistication."
Root passwords and remote access
Methods of infiltration include the tampering of BTS towers, either physically or remotely; using firewall equipment manufactured by Israeli companies, which allows Israel to install backdoors and access for remote log-ins.
"A backdoor is a hidden mechanism that provides access to computer systems which bypasses security checks like passwords," explained Taher.
"If you go to the Lebanese border with Israel, you can see all the telecoms centres from their side," said Illeik. "Last year, Lebanese engineers checked all of these points and uncovered a large amount of Israeli equipment just on the border oriented specifically to the backbone of the Lebanese network."
During the 2006 war, engineers at Alfa noticed unusual activity in their servers; the log, which records who logged into the system, both remotely and locally, would restart itself on a daily basis, without any command ordering it to do so. Furthermore, the log would reboot itself before registering where the command originated from.
According to Illeik, "the engineers in Alfa were seeing this happen in front of their eyes, and couldn’t do anything to stop it".
"If [the spies] gave the root passwords to the Israelis, all bets are off. This would allow the Israelis to log onto the computer systems controlling the networks as administrators," explained Taher. "At that level of control, they can access and modify data, install software programmes, shut down or re-set the different systems, as well as modify or erase any audit logs that would record their actions."
In 2010, the International Telecommunication Union - an agency of the United Nations focused on information and communication technologies - passed a resolution recognising "that Lebanon's telecommunication facilities have been and are still being subjected to piracy, interference and interruption, and sedition by Israel against Lebanon's fixed and cellular telephone networks", condemning the attacks as harmful to Lebanon's national security.
Sascha Meinrath, director of the New America Foundation's Open Technology Initiative, told Al Jazeera that it is "quite feasible" to access a mobile operating centre remotely, thus able to install backdoors, install software to monitor or manipulate phone calls.
"We know that it is relatively simple to do real-time surveillance of text messaging and even block texts based upon key words as a third party," he said. "Part of the problem is that we are still learning about just how insecure GSM [technologies for second generation cell networks] systems actually are, and there are almost no meaningful mandates from regulators and legislators to make them meaningfully secure."
"Once one has physical access to the system, it's relatively trivial to break into many of these systems," he continued. "One can both renumber systems as well as change the records of call details once you have access to these databases; likewise you can check and change affiliations of phone numbers, such as change the names associated with numbers, change the numbers associated with IMEIs [unique identification codes that verifies a mobile device]."
'Twinning' Hezbollah and forging calls
In 2009, Hezbollah and the Lebanese security services investigated three members from the resistance movement after they were suspected by the party of spying. The investigation revealed their phones had been installed with a software programme which allowed a second line to be linked to their phones.
Intelligence officials discovered that when they switched off the tampered phones, two lines would disappear from the network, and when switched on again, two lines would reappear, even though only one SIM card was actually installed in the phone.
The purpose of "twinning" is to allow third parties to remotely access the data records of the phone, trace its location and eavesdrop on conversations in the vicinity of the phone, regardless of whether the phone is switched on or off.
"The benefits would allow you to eavesdrop on the phone communications," said Taher. "If you can also activate the hands-free, you can listen in on what is going on in the room, even when there is no phone call being placed on the phone, so it's an open mike on your target the whole time."
Recently, the Special Tribunal for Lebanon - an international court charged with investigating the 2005 assassination of former Lebanese Prime Minister Rafik Hariri - released an indictment for four Hezbollah members, relying on telecom data gathered in Lebanon as its primary source of evidence.
Yet as a result of the level of infiltration by a number of intelligence agencies into the Lebanese telecommunications network, many, including government officials, find the evidence presented to be compromised.
At a press conference held in August this year, Imad Hoballah, head of Lebanon's Telecommunications Regulatory Authority, emphasised the vulnerability of the Lebanese telecom network precisely because of the extent of infiltration that had been uncovered.
"Having personally examined the [Hezbollah members'] phones which were penetrated by Israeli intelligence [in 2009], which was scientifically proven with the assistance of the mobile phone company involved, it goes to show the Israelis are capable of planting another phone line onto a handset... which allows for eavesdropping and misleading investigators," said Hoballah.
"We would like to remind people that the age-old hacking of the phone network by the Israelis is something we have proven repeatedly..."
- Mohammad Ayoub
According to Mohammad Ayoub, a senior engineer at the TRA, it is possible to not only "twin" phone lines, but to forge phone calls too. "This can be done not only by fabricating the call data record, but by using advanced technology, such as forging a person's voice," he said at the press conference. "We would like to remind people that the age-old hacking of the phone network by the Israelis is something we have proven repeatedly and certified by one of the largest telecommunication organisations [ITU]."
Ayoub went on to describe other manners of infiltration, which include the installation of software onto the cellular network system in order to modify the data "which can be done in real-time and in secret".
"The Israeli agents that were caught at Alfa do have the passwords to control the network," he said, adding that the manipulation of data can also be carried out on back-up copies, and even if the phones are switched off.
Still no protection
According to Illeik, little has been done to protect the Lebanese telecommunications networks despite the discovery of the levels of infiltration.
"They cannot stop the Israelis 100 per cent," he said. "But it is also in the Lebanese mentality that it would be too expensive to try and put a full stop to the infiltration."
For Taher, from the technical aspect there is no reason why this has not yet been done. "I would expect countries to be eavesdropping on other countries' communications," he said. "But I would also expect countries to be safeguarding their equipment as a matter of national security, especially after it had been infiltrated."
While he is not surprised by the level of penetration into the network, he is surprised by the lack of adequate measures taken to respond to the situation. "But given the vulnerabilities in the network, and given the lack of seriousness with which security has been taken by the Lebanese governments in the past, plus the level of sophistication of the Israelis, then I'm not surprised," he said.
There are no physical safeguards on the BTS towers, and despite the level of penetration in Alfa, the computer systems have yet to be taken offline for forensic examination, he added.
"There seems to be a lack of understanding or appreciation by decisions makers on this issue to realise the security implications of this type of information," said Taher.
Follow Nour Samaha on Twitter: @Samahanour