Unveiling Fast16: The Precursor to Stuxnet Targeting Nuclear Simulations
Recent analyses have shed light on a sophisticated cyber sabotage tool known as Fast16, a Lua-based malware designed to manipulate nuclear weapons testing simulations. This discovery underscores the advanced nature of cyber threats predating the infamous Stuxnet worm.
According to research teams from Symantec and Carbon Black, Fast16 was engineered to corrupt uranium-compression simulations, which are crucial in nuclear weapon design. The malware specifically targets high-explosive simulations within LS-DYNA and AUTODYN software. It activates when the simulated material’s density surpasses 30 g/cm³, a threshold achievable under the shock compression of an implosion device.
This revelation follows SentinelOne’s earlier analysis, which identified Fast16 as a sabotage framework potentially developed as early as 2005, predating the earliest known version of Stuxnet by two years. Evidence includes a reference to fast16 in files leaked by The Shadow Brokers in 2017, allegedly linked to the Equation Group, a state-sponsored entity with suspected ties to the U.S. National Security Agency.
Fast16 comprises 101 rules designed to tamper with mathematical calculations in engineering and simulation programs prevalent at the time. While the exact binaries affected remain unclear, probable targets include LS-DYNA version 970, Practical Structural Design and Construction Software (PKPM), and Modelo Hidrodinâmico (MOHID).
Symantec’s latest analysis confirms that LS-DYNA and AUTODYN are the primary applications targeted by Fast16. The malware interferes with simulations of high-explosive detonations, indicating a deliberate attempt to sabotage nuclear weapons research. The hooks placed within the simulation programs employ three attack strategies, activating only during full-scale transient blast and detonation runs.
The 101 hook rules are further categorized into 9-10 groups, each targeting different builds of LS-DYNA or AUTODYN. This suggests that the malware’s developers monitored software updates and adapted the malware accordingly, reflecting a methodical and sustained operation. Notably, some hook groups for older software versions were added after the groups for newer versions, implying that users reverted to older versions when anomalies occurred, only to find those versions also compromised.
Fast16 is designed to avoid infecting computers on which specific security products are installed. It also propagates automatically to other endpoints within the same network, ensuring that any machine running the simulations produces tampered outputs.
These findings indicate that strategic industrial sabotage using malware was conducted by nation-state actors as far back as 20 years ago, well before Stuxnet’s deployment to damage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. The level of expertise required to design such malware in 2005 is remarkable. It necessitated a deep understanding of specific physical processes and the software used to simulate them.
Fast16 belongs to the same conceptual lineage as Stuxnet, where malware is tailored not just to a vendor’s product but to a specific physical process being simulated or controlled by that product. This discovery forces a reevaluation of the historical timeline of clandestine cyber sabotage operations, highlighting that state-backed cyber sabotage tools targeting physical processes were fully developed and deployed by the mid-2000s.