Researchers of cybersecurity have discovered a novel kind of attack which deceives scientists into the creation of harmful chemicals or deadly viruses in their own lab.
A research team from Ben-Gurion University of the Negev can infect the computer of an ‘unwitting’ biologist with malware and very easily substitute a string of DNA with another sequence.
The US Department of Health and Human Services (HHS) has regulations and protocols for the screening of DNA orders from synthetic gene providers that scan for DNA that may be potentially harmful.
The team was able to evade the regulations using obfuscation. They found that 16 out of 50 obfuscated DNA samples when screened, were not detected according to the HHS guidelines.
Rami Puzis, head of the Ben-Gurion University (BGU) Complex Networks Analysis Lab, said: ‘To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders, which is currently the most effective line of defense against such attacks’.
The research team also discovered that accessibility and automation of the synthetic gene engineering workflow, merged with inadequate cybersecurity controls, gives malware access to mess around with the biological processes within the victim’s lab, shutting down the loop with the likelihood of exploit written into a DNA molecule.
The attack was described by the team in their study published in Nature making use of a scenario of Alice, Bob and Eve.
Alice is a scientist working at an academic institution and orders synthetic DNA from Bob, in which Eve, the attacker replaces part of the ordered sequences with a malicious sequence.
Eve also attacks Alice’s computer with malware that replaces part of Alice’s sequence and camouflages fragments of the pathogenic DNA in the hijacked order.
Alice unintentionally uses the malicious DNA along with other sequences. Including Cas9.
During the cell transformation, Cas9 proteins are merged with gRNA from the malicious sequence to form CRISPR complexes that create multiple double-strand breaks, which results in a noxious agent.
The published study reads, ‘This threat is real. We conducted a proof of concept: an obfuscated DNA encoding a toxic peptide was not detected by software implementing the screening guidelines. The DNA injection attack demonstrates a significant new threat of malicious code altering biological processes’.
‘This attack scenario underscores the need to harden the synthetic DNA supply chain with protections against cyber-biological threats’, says Puzis. ‘To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing.’
‘We hope this paper sets the stage for robust, adversary resilient DNA sequence screening and cybersecurity-hardened synthetic gene production services when biosecurity screening will be enforced by local regulations worldwide.’
By Marvellous Iwendi.
Source: Mail Online