There’s been a lot of news lately surrounding the SolarWinds hack. It’s basically taking up all the news cycles in security circles. Today I want to talk about a barely covered article that comes from ZDNet. It’s titled “This new cyberattack can dupe DNA scientists into creating dangerous viruses and toxins.” It was published on November 30th, and I’ve been waiting for it to get picked up more by mainstream media, but I never heard a second mention.
This article basically covers how researchers at a university could craft malware that replaces genetic sequences in the systems that order synthesized DNA. The impact that really struck me is that a remote attacker could now have scientists create toxins or new viruses on their behalf without expensive equipment. Suppose I knew what genetic material I needed for a biological attack. I wouldn’t need my own lab to create it; I could package it as part of a hack.
Their research was actually published in the journal Nature Biotechnology, so we know that it has been peer-reviewed. It’s been deemed a possible attack vector, and the impacts were judged legitimate enough to reach consensus.
The researchers talked about how software used to design and manage DNA projects could be susceptible to man-in-the-browser attacks. An attacker can use a malicious browser plugin and inject new DNA sequences into the system that orders or produces synthetic genes. They even went so far as to create a nice attack graph that outlines the attack phases.
The researchers mentioned that there needs to be an effort to harden the synthetic DNA supply chain. And here we go again with the term supply chain. We continue to see that supply chains are perhaps one of the most successful vectors of attack when you’re trying to pivot into a larger corporation or organization unnoticed.
This is interesting, but what’s the impact?
We touched on creating a new virus or toxins, and that’s abstract. So let me paint a picture of what it might look like in the real world. An APT or a very sophisticated threat actor gains access to a biopharmaceutical company network. Once inside, they can access the systems that create synthetic compounds. An APT with an agenda could insert new sequences to create a new virus, where patient zero could be someone who is injected with the resulting compound. So country XYZ hacks someone like Pfizer, creates a new strain of the coronavirus, and hides it inside the vaccine. Or let’s say it’s not a new coronavirus.
Maybe it’s a Pfizer competitor that gains access to their systems and makes their vaccine less effective. We don’t even have to talk about pharmaceutical companies. We can also talk about the food industry. Much of our food is genetically modified. An attacker could go in and replace sequences to make our food poisonous, or to make crops not grow as well. If I wanted to impact a country, I could run a multi-stage attack that causes widespread famine by first disrupting the food supply chain.
As far as we know, this type of attack hasn’t been weaponized outside of research. It’s also safe to say that this type of attack requires a unique set of skills to implement. The attackers would need in-depth knowledge of biology that the everyday hacker wouldn’t have. It would almost certainly require collaboration between scientists and the actual malware authors.
This is starting to sound familiar…
This framework of attacks shares many similarities with IoT or ICS attacks. That makes sense, because this kind of attack is aimed at the same types of devices: the targets are OT in nature. The main difference really comes down to the impact. In a traditional ICS attack, we might expect the electrical grid to go down, a pipeline to blow up, or anything else that disrupts critical infrastructure.
But now, for the defenders in this space, we have to change our perspective. When the lights go out, we know that it’s contained in a way. The scope of the damage is limited and immediate. We know that technicians can come out and fix any damaged equipment. Our incident response team can go in to remove any compromised systems, and we can effectively restore operations. But with this new kind of attack on biology, we won’t see the effects right away. In the example of a new virus, and here I mean a biological virus, we still have to wait for it to be detected by medical experts. Epidemiologists have to discover and track this virus. Then it goes up the entire chain, from doctors on the ground all the way up to the World Health Organization. By the time the virus is discovered, the attackers have already achieved their goal. And when this kind of attack happens, incident response isn’t constrained to the cybersecurity folks; we also need medical experts or scientists.
Let’s play a bit of What-If
Let’s rewrite history a little bit. Let’s say that the coronavirus was the product of this kind of attack. We’ll assume a nation-state actually launched the attack, since those have the most resources. Without considering the malware deployment timing, attributing the attack to any one actor would be extremely difficult. We are already past a full year of COVID-19 dominating the news, with trillions of dollars spent in response, just in America. Even with all the scientific models that have been built, we still cannot accurately determine the virus’s first infection.
For most of the year, the first case was understood to have been identified in Wuhan, China. Yet recent news, as of this recording, shows evidence of the virus circulating in parts of Europe.
My point is, with an attack of this nature, we can release a bio-cyber-weapon into the real world, and we might not know where it actually came from.
With each passing month, we see the evolution of cyberattacks transition from stealing data to denying infrastructure. We are now on the brink of manipulating the building blocks of life. Even though this research was conducted without malicious intent, its attack vector and methodology could be reproduced given enough time and resources.
The Road to Security
The answers for better protecting these systems are mostly the same as in other efforts. The original researchers suggested electronic signatures on synthesized DNA orders, intrusion detection approaches, DNA deobfuscation screening, routine audits of orders, information sharing across vendors, and enhanced legislation and regulation. You’ll notice these are almost exactly what we should already be doing. It’s just a matter of whether we do it before it’s too late.
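As an added illustration of the first mitigation above, electronic signatures on synthesized DNA orders (this is example code written for this page, not code from the article or the researchers): the design tool authenticates the canonical order before it leaves the workstation, and the vendor verifies it on receipt, so a sequence swapped by a malicious browser plugin no longer matches. The HMAC shared key, order fields and sequences are constructed placeholders; a real deployment would use asymmetric signatures with a per-customer key rather than a shared secret.

```python
import hashlib
import hmac
import json

# Constructed shared key: stands in for the signing key a design tool would hold.
# A deployed system would use a per-customer asymmetric key pair, not a shared secret.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

VALID_BASES = set("ACGT")


def canonical_order(order: dict) -> bytes:
    """Serialise an order deterministically so the MAC covers every field,
    including the sequence, regardless of key order or whitespace."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes = SIGNING_KEY) -> str:
    """Computed at the design workstation, before the order reaches the browser."""
    return hmac.new(key, canonical_order(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Run by the synthesis vendor on the order it actually received.
    Any change to the sequence (or any other field) after signing fails here."""
    seq = order.get("sequence", "")
    if not seq or set(seq) - VALID_BASES:
        return False  # reject empty or non-DNA payloads before checking the MAC
    expected = sign_order(order, key)
    return hmac.compare_digest(expected, signature)


# Constructed sample order as the scientist designed it (placeholder sequence).
intended_order = {
    "order_id": "ORD-0001",
    "customer": "lab-example",
    "sequence": "ATGGCCATTGTAATGGGCCGCTGAAAGGGTGCCCGATAG",
}
signature = sign_order(intended_order)

# Constructed stand-in for a man-in-the-browser edit: same order, different sequence.
tampered_order = dict(intended_order, sequence="ATGAAACCCGGGTTTAAACCCGGGTTTAAACCCGGGTAG")


def check_intended() -> bool:
    return verify_order(intended_order, signature)


def check_tampered() -> bool:
    return verify_order(tampered_order, signature)


if __name__ == "__main__":
    print("intended order accepted:", check_intended())  # True
    print("tampered order accepted:", check_tampered())  # False
```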