This new cyberattack can dupe DNA scientists into creating dangerous viruses and toxins
The research highlights the potential dangers of new ‘biohacking’ techniques.
A new form of cyberattack has been developed which highlights the potential future ramifications of digital assaults against the biological research sector.
On Monday, academics from the Ben-Gurion University of the Negev described how “unwitting” biologists and scientists could become victims of cyberattacks designed to take biological warfare to another level.
At a time when scientists worldwide are pushing ahead with the development of potential vaccines to combat the COVID-19 pandemic, Ben-Gurion’s team says that it is no longer the case that a threat actor needs physical access to a “dangerous” substance to produce or deliver it. Instead, scientists could be duped into producing toxins or synthetic viruses on the attacker's behalf through targeted cyberattacks.
The research, “Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology,” has been recently published in the academic journal Nature Biotechnology.
The paper documents how malware, used to infiltrate a biologist’s computer, could replace sub-strings in DNA sequencing. Specifically, weaknesses in the Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and Harmonized Screening Protocol v2.0 systems “enable protocols to be circumvented using a generic obfuscation procedure.”
When DNA orders are made to synthetic gene providers, US Department of Health and Human Services (HHS) guidance requires screening protocols to be in place to scan for potentially harmful DNA.
However, the team was able to circumvent these protocols through obfuscation: 16 out of 50 obfuscated DNA samples were not detected by ‘best match’ DNA screening.
Software used to design and manage synthetic DNA projects may also be susceptible to man-in-the-browser attacks that can be used to inject arbitrary DNA strings into genetic orders, facilitating what the team calls an “end-to-end cyberbiological attack.”
The synthetic gene engineering pipeline offered by these systems can be tampered with in browser-based attacks. Remote hackers could use malicious browser plugins, for example, to “inject obfuscated pathogenic DNA into an online order of synthetic genes.”
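One way a lab could detect the in-browser order tampering described above, shown as an added example that is not from the article or the BGU paper: tag the approved sequence with an HMAC, verify the sequence the provider confirms against that tag, and locate any altered span. The function names, the key handling (assumed to live outside the browser host) and the sample sequences are all assumptions constructed for illustration; this check covers substitution in transit only, not the screening bypass.

```python
import difflib
import hashlib
import hmac

def normalize(fasta: str) -> str:
    """Drop FASTA header lines and whitespace, upper-case the bases."""
    rows = (row.strip() for row in fasta.splitlines())
    return "".join(r for r in rows if r and not r.startswith(">")).upper()

def order_tag(key: bytes, fasta: str) -> str:
    """HMAC-SHA256 of the normalized sequence, computed when the design is approved."""
    return hmac.new(key, normalize(fasta).encode(), hashlib.sha256).hexdigest()

def verify_order(key: bytes, approved_tag: str, confirmed_fasta: str) -> bool:
    """True only if the sequence the provider confirms is the one that was approved."""
    return hmac.compare_digest(approved_tag, order_tag(key, confirmed_fasta))

def changed_regions(designed: str, confirmed: str) -> list:
    """Locate every span of the confirmed order that differs from the design."""
    a, b = normalize(designed), normalize(confirmed)
    ops = difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes()
    return [(op, j1, j2, b[j1:j2]) for op, _i1, _i2, j1, j2 in ops if op != "equal"]

# Constructed sample data: arbitrary bases with no biological meaning.
KEY = b"constructed-demo-key"  # assumption: kept off the browser host
DESIGNED = ">constructed_sample\nACGTTGCAAGGCTTACCGGA\nCATGGTACCTAGGATC\n"
CONFIRMED = ">constructed_sample\nACGTTGCAAGGCTTACCGGA\nTTTTCCCCGGGG\nCATGGTACCTAGGATC\n"

if __name__ == "__main__":
    tag = order_tag(KEY, DESIGNED)
    if not verify_order(KEY, tag, CONFIRMED):
        for op, start, end, bases in changed_regions(DESIGNED, CONFIRMED):
            print(f"{op} at {start}-{end}: {bases}")
```

The verification only helps if it runs somewhere the malware cannot reach, for example on the provider's side or on a separate approval host.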
In a case demonstrating the possibilities of this attack, the team cited residue Cas9 protein, using malware to transform this sequence into active pathogens. Cas9 protein, when using CRISPR protocols, can be exploited to “deobfuscate malicious DNA within the host cells,” according to the team.
For an unwitting scientist processing the sequence, this could mean the accidental creation of dangerous substances, including synthetic viruses or toxic material.
“To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders, which is currently the most effective line of defense against such attacks,” commented Rami Puzis, head of the BGU Complex Networks Analysis Lab. “Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”
A potential attack chain is outlined below:
“This attack scenario underscores the need to harden the synthetic DNA supply chain with protections against cyber-biological threats,” Puzis added. “To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing.”