SECURITY

Cyberattack at Beirut airport: What happened and what are the potential risks?

On the night of Jan. 7-8, Beirut's Rafic Hariri International Airport suffered a severe cyberattack targeting several of its IT systems and prompting a wave of concern about the safety of travelers.

The message displayed on the screens at the Beirut airport, Jan. 7, 2024. (Credit: Photo published on the X account @Sa7eb_Alkalam)

Last night, rather than the usual information on connections, the screens at Rafic Hariri airport displayed a message addressed to Hezbollah. At the same time, baggage carousels also malfunctioned, while several passengers reported receiving false messages from Middle East Airlines inviting them to follow instructions from security forces. This was no practical joke; it was a cyberattack.

According to Imad Elhajj, professor of computer engineering at the American University of Beirut (AUB) and a cybersecurity specialist, the complex way the attack unfolded indicates it was orchestrated by a skilled and organized group and not by isolated individuals, as initial suspicions suggested.

The message displayed on airport screens showed the logos of a Beirut-based Christian extremist group, the Soldiers of God (Jnoud al-Rab), as well as a social networking page called "Sa7eb al-Kalam," which is highly critical of Hezbollah. On the X network, Saheb el-Kalam shared photos of the hacked screens at the Beirut airport. In a video posted on the Jnoud al-Rab Facebook page, however, two men denied any involvement by their group in the cyberattack on the airport, accusing those behind the hack of seeking to "sow dissension."

Elhajj answered questions from L'Orient-Le Jour.

From a technical point of view, what happened on Sunday evening?

This hacking tells us several things. First of all, and this is surprising, it's either that the belt system [the system for baggage] is connected to the outside world or that the attackers were able to move from one computer system to another [between the display system and the baggage system], then waited for the right moment to trigger the attack, because the attacks on the two systems seem to have occurred at the same time, or at least at two very close moments. Of course, we won't know until we have access to the details of the investigation.

Another possibility is internal sabotage, with someone infecting the network locally or via a phishing attack. But only investigation will tell the full story.

What does this tell us about the perpetrators of the attack?

The lateral movement [moving from one computer system to another] made by the attackers suggests that they are well trained — it's not easy to compromise two systems simultaneously. I suspect that the baggage system has nothing to do with the screen or reservation systems, and that they don't even run on the same servers. What's more, the screens were defaced; they not only malfunctioned but managed to display images, while the belt system simply stopped.

The big question is how much data the attackers were able to get hold of, given that airports have access to a great deal of personal data on their customers and that this could have more far-reaching consequences than the malfunctions we saw at the airport.

The investigation will be able to give us more information about the identity of the attackers, payloads, identifiers and so on. This will tell us whether it was a state actor, a for-profit criminal organization or, least likely, a small group acting internally. Linking the attack to another group could be a strategy to pit Lebanese groups against each other.

Could the hacking have been carried out by Israel?

We won't know who organized this attack until a thorough investigation is carried out. But we can't rule out the Israeli lead. Lebanon is facing an entity that is a veritable superpower in this field, and many of its cybersecurity-related companies have very close ties with the army.

I don't have access to indicators to assess the evolution of the number of computer attacks launched, but all the feedback I have points to an increase since Oct. 7.
