Black Hat Asia Infosec outfit SentinelOne found malware that tries to induce errors in engineering and physics simulation software and therefore represents an attempt at sabotage, and suggests it was created years before the Stuxnet worm that aimed to destroy Iran’s uranium enrichment centrifuges.
The company’s Vitaly Kamluk discussed the malware in a talk at the Black Hat Asia conference today. SentinelOne has also published a blog post about the malware.
Kamluk told the conference the discovery came about after he wondered if known nation-state-espionage tools like Flame, Animal Farm, and Project Sauron were the first of their kind. All three shared use of the Lua language and virtual machine, so he went looking for similar software.
That search led to a malware sample uploaded to VirusTotal in 2016 that includes a reference to “fast16”.
Kamluk’s analysis of the sample suggested the techniques its developers employed were not typical of 2016-era malware. SentinelOne researchers also recalled that the infamous ShadowBroker malware trove that appeared in 2016 and which was later linked to the United States National Security Agency, contained a reference to fast16.
SentinelOne thinks fast16 came into existence around 2005, based on clues in the code and the fact it won’t run on anything more recent than Windows XP – and even then only on a single-core CPU. Intel shipped its first multi-core consumer CPUs in 2006.
The researchers analyzed the sample and found it tries to install a worm and deploy a driver called fast16.sys.
The driver includes a routine that alters the output of floating-point calculations and also goes looking for “precision calculation tools in specialised domains such as civil engineering, physics and physical process simulations.”
The researchers think fast16 targeted three high-precision engineering and simulation suites that were used in the mid-2000s: “LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling.”
Iran is thought to have used LS-DYNA in its nuclear weapons program.
Kamluk hypothesized that fast16’s purpose was to cause errors in calculations run by engineering simulation software, perhaps leading to real-world problems. And he asserted that fast16 was a cyberweapon that preceded Stuxnet by five years.
“In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits,” Kamluk wrote with SentinelOne colleague Juan Andrés Guerrero-Saade.
“It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today.”
In his talk, Kamluk said he’s disclosed his work to the vendors of the engineering applications fast16 targets, because he feels they may want to check the output of their products for evidence that the malware produced incorrect calculations.
“Maybe there are more discoveries to come?” he concluded.
Kamluk tearfully dedicated his talk to friend and colleague Sergey Mineev, who he said was responsible for finding many enormously significant APTs, without seeking attention for the significance of his work, and passed away in March. ®