
Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations

The Hacker News by The Hacker News
May 18, 2026


Ravie LakshmananMay 18, 2026Industrial Sabotage / Malware

A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations.

According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations that are central to nuclear weapon design.

“Fast16’s hook engine is selectively interested in high-explosive simulations inside LS-DYNA and AUTODYN,” the Threat Hunter Team said. “The malware checks for the density of the material being simulated and only acts when that value passes 30 g/cm³, the threshold uranium can only be reached under the shock compression of an implosion device.”

The development comes weeks after SentinelOne presented an analysis of fast16, describing it as the first sabotage framework whose components may have been developed as early as 2005, predating the earliest known version of Stuxnet (aka Stuxnet 0.5) by two years.

Evidence unearthed by the cybersecurity company included a reference to the string “fast16” in a text file that was leaked by an anonymous hacking group called The Shadow Brokers in 2017. The file was part of a huge tranche of hacking tools and exploits allegedly used by the Equation Group, a state-sponsored threat actor with suspected ties to the U.S. National Security Agency (NSA).

At its core, the industrial sabotage malware features a set of 101 rules to tamper with mathematical calculations carried out by certain engineering and simulation programs that were prevalent at the time. Although the exact binaries that are patched by the malware are unclear, SentinelOne identified three probable candidates: LS-DYNA version 970, Practical Structural Design and Construction Software (PKPM), and Modelo Hidrodinâmico (MOHID).

Symantec’s latest analysis has now confirmed that LS-DYNA and AUTODYN are the two applications targeted by fast16, adding that it was designed explicitly to interfere with simulations of high-explosive detonations, almost certainly to facilitate sabotage against nuclear weapons research.

“Both are software applications used to simulate real-world problems such as vehicle crashworthiness, material modelling, and explosive simulation,” Symantec and Carbon Black said. “The hooks fast16 places inside of the simulation program consist of three attack strategies. The tampering only activates during full-scale transient blast and detonation runs.”

The 101 hook rules can be categorized further into 9-10 hook groups, each targeting different builds of LS-DYNA or AUTODYN, suggesting that the developers of the malware were keeping track of software updates and adding support for different versions over time. This points to a methodical and sustained operation.

“If hook rule groups were added sequentially as needed, we see a hook group added for a previous version of the software after a newer version,” researchers explained.

“One may imagine, the simulation user reverted to an older version when faced with the anomaly, before that version was also targeted. Secondly, the hook groups represent up to 10 different versions of simulation software, meaning the simulation user updates versions semi-frequently.”

Fast16 is crafted such that it will not infect computers that have certain security products installed. It also automatically spreads to other endpoints on the same network, so that any machine that’s used to run the simulations will generate the same tampered outputs.

The findings indicate that strategic industrial sabotage using malware was being conducted by nation-state actors as far back as 20 years ago, well before Stuxnet was used to damage uranium enrichment centrifuges at Iran’s nuclear plant in Natanz by injecting malicious code into Siemens programmable logic controllers.

Speaking to cybersecurity journalist Kim Zetter, Vikram Thakur, technical director for Symantec, said the level of expertise and understanding required to design such malware in 2005 is “mind-blowing.” That said, it’s not known if a modern-day version of fast16 exists in the wild.

“That degree of domain knowledge, such as understanding which EOS [Equation of State] forms matter, which calling conventions are produced by which compilers, and which classes of simulation will or will not trip the gate, is unusual in any era and was very unusual in 2005,” Symantec and Carbon Black said.

“The framework belongs to the same conceptual lineage as Stuxnet, in which malware was tailored not just to a vendor’s product but to a specific physical process being simulated or controlled by that product.”


