An end-to-end cyber-biological attack has been uncovered by cyber researchers at the Ben-Gurion University of the Negev. Using malware, a cybercriminal could change a short sub-string of DNA on a bioengineer’s computer. This could result in the creation of a toxin-producing sequence.
At present, the risk of such an attack is very low. This is due to the checks that DNA synthesis providers make before an order is fulfilled. However, the cyber-researchers warn that the check process is outdated and could miss a pathogenic sequence. This is because the databases that DNA sequences are checked against list only known problematic sequences.
Such checks are required by the US Health and Human Services guidelines. However, those guidelines are not widely enforced. Instead, it has been left to industry groups to produce controls on record keeping and customer screening.
Rami Puzis, head of the BGU Complex Networks Analysis Lab, says: “To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders, which is currently the most effective line of defense against such attacks.” In the US, California was the first state in 2020 to introduce gene purchase regulation legislation.
Puzis continues: “However, outside the state, bioterrorists can buy dangerous DNA, from companies that do not screen the orders. Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”
How would a cyber-biological attack work?
In their paper, the five cyber-researchers, Rami Puzis, Dor Farbiash, Oleg Brodt, Yuval Elovici and Dov Greenbaum, provide a possible attack sequence. It starts with an attacker (Eve) targeting a researcher at an academic institution (Alice). Eve deploys malware that alters the DNA sequence that Alice orders from a DNA synthesis company (Bob). Using DNA obfuscation, Eve’s alterations are not detected.
Bob checks the DNA sequence from Alice, but fails to spot that the DNA contains malicious elements. Bob sends back Alice’s order, ready for her to insert into cells.
This is not a drill, a science-fiction movie plot or the plot for a James Bond movie. Importantly, it is also not a theoretical attack.
The cyber-researchers say that they were able to conduct a full proof of concept. They created obfuscated DNA encoding a toxic peptide that was not detected by software implementing the screening guidelines. The order was accepted and then moved to production. At that point, the order was cancelled for biosecurity reasons and the International Gene Synthesis Consortium were informed.
This is a preventable attack. In their paper, the cyber-researchers set out five steps to help mitigate an incident. How quickly they will be adopted and implemented is unknown. What is known is that governments need to review and act with new mandatory controls to prevent this.
Enterprise Times: What does this mean?
Biological attacks are the stuff of nightmares for security teams. They are complicated and extremely hazardous to deal with. Even where the infectious agent is known, can be traced and to an extent contained, they are still highly problematic.
Governments can restrict the shipping of equipment to manufacture gene sequences for security reasons. What this report shows is that they are not doing enough to prevent the creation of malicious DNA sequences.
One of the surprises here is that an attacker can obfuscate DNA sequences to craft an attack.