Pre-Stuxnet fast16 malware was built to tamper with nuclear simulation tests

A new technical analysis from Symantec says the Lua-based fast16 malware was designed to tamper with nuclear weapons testing simulations. According to the analysis, it targeted high-explosive simulation software used in engineering work, and the tool was active before Stuxnet.

KEY FACTS

  • Targeted software: LS-DYNA and AUTODYN were identified as the main applications affected.
  • Purpose: The malware altered calculations in simulations tied to high-explosive detonations.
  • Scale: It used 101 hook rules across about 9 to 10 groups for different software versions.
  • Behavior: It avoided some systems with security products installed and spread to other endpoints on the same network.
  • Timeline: Researchers said components may date to 2005, before the earliest known Stuxnet version.

The report says the malware checked simulation values and only acted under conditions linked to shock compression of uranium, which points to a narrow sabotage objective. It also notes that the hook rules changed over time, suggesting support for different software builds was added as versions shifted.

Earlier research from SentinelOne said the tool may have originated as early as 2005 and cited a reference to fast16 in material leaked by The Shadow Brokers in 2017. That disclosure linked the string to a set of tools allegedly used by the Equation Group.

The latest analysis says the malware stayed dormant unless it detected the relevant simulation environment. The report also says it was crafted to produce the same tampered output across networked machines used for the simulations.

WHY IT MATTERS

If the findings hold, they suggest nation-state sabotage tools were being built years before Stuxnet and were already tailored to specific industrial processes. The case also shows how simulation software itself can be a target when attackers want to influence technical decisions or mask defects.