Cyberattackers could trick scientists into producing dangerous substances
Without ever setting foot in the lab, a threat actor could dupe DNA researchers into creating pathogens, according to a study describing “an end-to-end cyber-biological attack”
Researchers have described a theoretical cyberattack that could be used to dupe unsuspecting scientists into producing dangerous biological substances, toxins and synthetic viruses.
The paper, authored by researchers from Israel’s Ben-Gurion University of the Negev, sheds light on the potential risks of cyberattackers leveraging malware to subvert a scientist’s computer and interfere with the DNA synthesis process.
“As DNA synthesis becomes more widespread, concern is mounting that a cyberattack intervening with synthetic DNA orders could lead to the synthesis of nucleic acids encoding parts of pathogenic organisms or harmful proteins and toxins,” the team told the Nature Biotechnology science journal.
According to the researchers, the attack would exploit a weakness in the design of the Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and its successor, the Harmonized Screening Protocol v2.0, which allows bypassing these protocols through a generic obfuscation procedure. Combining this with inadequate cybersecurity measures protecting the synthetic gene engineering pipeline, a remote threat actor could meddle with biological processes.
“Together, these weaknesses facilitate an end-to-end cyberbiological attack, in which a remote attacker may inject obfuscated pathogenic DNA into an online order of synthetic genes, using a malicious browser plugin,” the researchers explained.
RELATED READING: Malware coded into synthetic genomes
The research paper demonstrates a potential attack scenario that makes use of this combination of weaknesses and allows a remote actor to dupe the target into creating a dangerous substance without any physical interaction needed from the attacker’s side.
The attacker would have to start by compromising the target’s computer via a man-in-the-browser attack. When the mark designs a DNA experiment and goes on to order synthetic DNA online from a DNA synthesis company, the attacker replaces part of it with a fragment of the pathogenic DNA that is obfuscated and sequenced for future de-obfuscation.
Since the malicious DNA is obfuscated, it’s undetected by the screening process. The order is delivered to the target, and even though it is checked after sequencing, the inspection is done using compromised computers, which won’t flag the DNA. In the end, a harmful substance would be produced.
The research team was able to prove the viability of the threat by conducting a proof-of-concept attack, where they successfully encoded the DNA of a toxic peptide and moved it to the production phase, all the while avoiding detection by the screening software. They went on to disclose the threat to the International Gene Synthesis Consortium and shared advice on how to mitigate it.
The countermeasures involve beefing up cybersecurity protocols, including by adding electronic signatures to sequence orders and providing intrusion detection approaches, all the while using machine learning to identify malicious code.
In closing, they shared some words of caution: “Cyber dangers are spilling over to the physical space, blurring the separation between the digital world and the real world, especially with increasing levels of automation in the biological lab. Best practices and standards must be woven into operational biological protocols to combat these threats.”