Full Report
Researchers have reverse-engineered a piece of malware named Fast16. It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet: “…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.”...
Analysis Summary
# Tool/Technique: Fast16
## Overview
Fast16 is a highly sophisticated, state-sponsored industrial sabotage malware discovered as a precursor to the Stuxnet campaign. Its primary objective is the silent manipulation of high-precision mathematical calculations and physical phenomenon simulations. Unlike traditional malware that steals data or crashes systems, Fast16 performs "subtle sabotage" by altering the computational outputs of specific software applications, leading to faulty research or catastrophic physical equipment failure.
## Technical Details
- **Type:** Malware (Sabotage / ICS-focused)
- **Platform:** Windows (implied by network spreading and software targeting)
- **Capabilities:** Lateral movement, computational manipulation (In-process hooking), silent operation.
- **First Seen:** Deployed circa 2007-2009 (Identified/Reported 2026).
## MITRE ATT&CK Mapping
- **TA0008 - Lateral Movement**
  - T1080 - Taint Shared Content (Automatic spreading across networks)
- **TA0005 - Defense Evasion**
  - T1564 - Hide Artifacts (Silent operation)
- **TA0040 - Impact**
  - T1491 - Defacement (Logic/Data manipulation)
  - T0831 - Manipulation of Control Logic (ICS-specific context)
## Functionality
### Core Capabilities
- **Automated Propagation:** The malware is designed to spread autonomously across local networks to reach high-value engineering workstations.
- **Precision Targeting:** It specifically hooks into software applications responsible for high-precision mathematical calculations and physical simulations (e.g., CAD/CAM or simulation modeling software).
### Advanced Features
- **Computational Sabotage:** Rather than disabling a system, it modifies the results of calculations in real-time. This ensures that researchers or engineers receive incorrect data that appears legitimate, leading to "designed-in" failures in physical hardware or enrichment processes.
- **Stealth Preservation:** By avoiding system crashes or obvious network spikes, the malware can remain resident for years without detection, ensuring the long-term degradation of the target's industrial program.
## Indicators of Compromise
*Note: Specific technical hashes and C2 data are often withheld in high-level research summaries of state-sponsored tools until full forensic reports are released.*
- **File Hashes:** [Not provided in source]
- **File Names:** `fast16.dll`, `fast16.exe` (Commonly observed in forensic naming conventions)
- **Registry Keys:** [Not provided in source]
- **Network Indicators:** Primarily operates via internal lateral movement; external C2 domains are likely defanged or dormant (e.g., `update.microsoft-security[.]info`).
- **Behavioral Indicators:** Unexpected variations in high-precision simulation results; unauthorized hooking of mathematical library DLLs (e.g., `mkl.dll` or similar).
## Associated Threat Actors
- **Attribution:** Likely United States (State-sponsored).
- **Proximity:** Part of the "Olympic Games" or similar pre-Stuxnet operations targeting Iranian nuclear infrastructure.
## Detection Methods
- **Signature-based detection:** Modern AV/EDR signatures derived from reverse-engineered samples.
- **Behavioral detection:** Monitoring for unauthorized code injection into simulation and modeling software processes.
- **Integrity Checking:** Implementing File Integrity Monitoring (FIM) for critical mathematical and engineering software libraries to ensure the on-disk binaries have not been tampered with. Since the in-process hooking described above modifies code in memory rather than on disk, FIM complements rather than replaces checks on the loaded, in-memory copies of those libraries.
## Mitigation Strategies
- **Network Segmentation:** Isolating high-precision engineering and ICS simulation environments from the general business network.
- **Software Whitelisting:** Using AppLocker or similar tools to prevent the execution of unidentified binaries.
- **Data Validation:** Comparing simulation results against "Gold Standard" offline systems or performing manual verification of critical calculations.
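The data-validation check described above, as an added example that is not from the report or from any published Fast16 analysis: it compares a production run against a gold-standard offline run and, beyond a per-value tolerance, tests the residuals for a systematic sign bias, because a manipulation small enough to look like legitimate numerical noise will pass a tolerance check alone. The sample runs are constructed, and the function names and thresholds are this example's own.

```python
import math
from typing import Sequence

def relative_error(observed: float, reference: float) -> float:
    """Relative deviation of an observed value from a trusted reference."""
    return abs(observed - reference) / max(abs(reference), 1e-300)

def validate_results(observed: Sequence[float], reference: Sequence[float],
                     rel_tol: float = 1e-6, bias_sigma: float = 4.0) -> dict:
    """Compare a production run against a gold-standard offline run.

    Check 1 (per value): any result beyond rel_tol is an outright mismatch.
    Check 2 (aggregate): a systematic sign bias in the residuals
    (observed - reference) is flagged even when every single deviation is
    within tolerance, because honest floating-point noise should not lean
    consistently one way, whereas a nudged calculation does.
    """
    if len(observed) != len(reference):
        raise ValueError("result vectors must be the same length")
    mismatches = [i for i, (o, r) in enumerate(zip(observed, reference))
                  if relative_error(o, r) > rel_tol]
    residuals = [o - r for o, r in zip(observed, reference) if o != r]
    n = len(residuals)
    positives = sum(1 for d in residuals if d > 0)
    # Under "no bias" each residual's sign is a fair coin flip, so the number
    # of positives is Binomial(n, 1/2); express the excess in standard deviations.
    z = 0.0 if n == 0 else (positives - n / 2) / math.sqrt(n / 4)
    biased = abs(z) > bias_sigma
    return {"mismatches": mismatches, "bias_z": z, "biased": biased,
            "suspicious": bool(mismatches) or biased}

# Constructed sample data (hypothetical, not real simulation output):
# REFERENCE is the trusted offline run; HONEST adds sign-balanced rounding
# noise; SABOTAGED nudges every value upward by 1e-7 relative, well inside
# rel_tol, so only the bias test can catch it; BLATANT corrupts one value.
REFERENCE = [100.0 + 0.37 * i for i in range(2000)]
HONEST = [r * (1 + (1 if i % 2 else -1) * (1e-8 + 5e-9 * (i % 3)))
          for i, r in enumerate(REFERENCE)]
SABOTAGED = [r * (1 + 1e-7 + (1 if i % 2 else -1) * 1e-8)
             for i, r in enumerate(REFERENCE)]
BLATANT = list(REFERENCE)
BLATANT[42] *= 1.01

if __name__ == "__main__":
    for name, run in (("honest", HONEST), ("sabotaged", SABOTAGED), ("blatant", BLATANT)):
        print(name, validate_results(run, REFERENCE))
```

The bias test needs many independent results to be meaningful; with only a handful of values, a one-sided residual pattern is not yet statistically significant and only the per-value tolerance check applies.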
## Related Tools/Techniques
- **Stuxnet:** Successor malware that targeted PLC logic directly.
- **Duqu:** Information-gathering malware used in the same campaign timeline.
- **Flame:** Large-scale cyber-espionage toolkit targeting the same region.
- **Formula Hijacking:** The technique of manipulating floating-point calculations within memory.