Fast16: Cyberweapon that predates Stuxnet by five years
- #Malware Analysis
- #Cyberweapon
- #Industrial Sabotage
- Fast16 is a cyberweapon discovered in 2024; its compilation timestamp of August 2005 means it predates Stuxnet by five years.
- It operated undetected for 21 years, sabotaging nuclear and engineering simulations by corrupting floating-point calculations, without destroying hardware.
- The malware uses a three-layer framework: a carrier (svcmgmt.exe) for spreading, a worm for network propagation, and a kernel driver (fast16.sys) for memory-based sabotage.
- It specifically targets executables compiled with the Intel C++ compiler, using 101 pattern-matching rules to alter calculation routines in software like LS-DYNA, PKPM, and MOHID.
- Fast16 is linked to the NSA's Equation Group via a reference in the ShadowBrokers leak, indicating it was a state-sponsored operation.
- The malware's code contains outdated version control markers (SCCS/RCS), suggesting development by experienced, institution-backed programmers.
- Detection was minimal; the carrier sat on VirusTotal for nearly a decade with only one antivirus flagging it weakly, highlighting gaps in security tools.
- SentinelOne researchers recommend verifying critical calculations on independent systems outside potentially infected networks to mitigate sabotage effects.
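
One way to carry out the independent-system check recommended above, as an added example that is not code from SentinelOne or from the original page: the same job is run on the production host and on a reference host outside the network, and the two sets of outputs are compared in units in the last place (ULPs), so that a small numeric change is separated from ordinary rounding noise. The output names, the sample values and the 4-ULP tolerance are assumptions; runs on different compilers or hardware may need a looser tolerance.

```python
import math
import struct

def ulp_distance(a: float, b: float) -> int:
    """Count of representable doubles between a and b (0 = same value)."""
    def ordered(x: float) -> int:
        bits = struct.unpack("<q", struct.pack("<d", x))[0]
        # IEEE 754 is sign-magnitude; fold negatives onto one monotonic line.
        return bits if bits >= 0 else -(bits & 0x7FFFFFFFFFFFFFFF)
    return abs(ordered(a) - ordered(b))

def compare_runs(primary: dict, reference: dict, max_ulps: int = 4) -> list:
    """Return (name, reason) for each output on which the two hosts disagree."""
    findings = []
    for name in sorted(set(primary) | set(reference)):
        if name not in primary or name not in reference:
            findings.append((name, "present on one host only"))
            continue
        a, b = primary[name], reference[name]
        if not (math.isfinite(a) and math.isfinite(b)):
            # NaN never equals itself, so treat NaN on both hosts as agreement.
            if not ((math.isnan(a) and math.isnan(b)) or a == b):
                findings.append((name, "non-finite mismatch"))
            continue
        distance = ulp_distance(a, b)
        if distance > max_ulps:
            findings.append((name, f"{distance} ULPs apart ({a!r} vs {b!r})"))
    return findings

# Constructed sample data: one solver job repeated on two hosts.
# Output names are hypothetical, not taken from any real solver.
REFERENCE = {
    "peak_stress_mpa": 412.75,
    "max_displacement_mm": 3.125,
    "total_energy_j": 98765.4321,
}
PRIMARY = {
    "peak_stress_mpa": 412.75 * (1 + 1e-6),               # small relative drift
    "max_displacement_mm": math.nextafter(3.125, 4.0),    # 1 ULP rounding noise
    "total_energy_j": 98765.4321,                         # identical
}

if __name__ == "__main__":
    for name, reason in compare_runs(PRIMARY, REFERENCE):
        print(f"MISMATCH {name}: {reason}")
```

A one-in-a-million relative drift is billions of ULPs at double precision, so it is reported while the 1-ULP difference is not.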