Full Report
Researchers have finally cracked Fast16, mysterious code capable of silently tampering with calculation and simulation software. It was created in 2005—and likely deployed by the US or an ally.
Analysis Summary
# Tool/Technique: Fast16
## Overview
Fast16 is a sophisticated, historical sabotage malware designed to silently manipulate high-precision mathematical calculations and physical simulation software. Predating Stuxnet by approximately two years, it represents an early evolution of state-sponsored cyber-sabotage, moving beyond data destruction toward the subtle subversion of scientific and engineering results. Its primary goal is to cause long-term, undetectable failures in physical systems or research outcomes.
## Technical Details
- **Type:** Malware (Sabotage/Espionage tool)
- **Platform:** Windows (implied by the target engineering applications)
- **Capabilities:** Lateral movement, intercepting software API calls, silent manipulation of floating-point calculations, and process tampering.
- **First Seen:** Created circa 2005 (Revealed via Shadow Brokers/NSA leaks in 2017; deciphered in 2026).
## MITRE ATT&CK Mapping
- **[TA0008 - Lateral Movement]**
- [T1080 - Taint Shared Content] (Spreading across networks)
- **[TA0005 - Defense Evasion]**
- [T1036 - Masquerading]
- [T1574.002 - Hijack Execution Flow: DLL Side-Loading] (Implied by the method of hooking the target software)
- **[TA0040 - Impact]**
- [T1565.003 - Data Manipulation: Runtime Data Manipulation] (Subtle alteration of calculation results as the application produces them; the original mapping to T1491 Defacement does not fit, since nothing visible is altered)
- **[TA0002 - Execution]**
- [T1204 - User Execution] (T1648 is Serverless Execution and was mislabelled in the original mapping)
- **[TA0007 - Discovery]**
- [T1010 - Application Window Discovery] (Identifying target simulation software)
## Functionality
### Core Capabilities
- **Automated Propagation:** The malware is designed to spread automatically across local networks to find high-value engineering workstations.
- **Precision Targeting:** Specifically identifies and hooks into specialized calculation software.
- **Computation Tampering:** Silently alters the results of high-precision mathematical calculations in real-time.
### Advanced Features
- **Stealth Sabotage:** Unlike "wipers," Fast16 does not crash the system. It introduces "very subtle" alterations that are not immediately apparent, causing equipment to wear out faster, crash unexpectedly, or lead scientists to incorrect research conclusions.
- **Application Specificity:** Capable of interacting with three distinct types of simulation tools:
- **LS-DYNA:** Used for nuclear physics, ballistic reentry, and aerospace modeling.
- **MOHID:** Water system modeling.
- **PKPM:** Chinese construction engineering software.
## Indicators of Compromise
- **File Hashes:** Specific hashes were not provided in the article text; researchers reference the 2017 "Shadow Brokers" leaks for original samples.
- **File Names:** Fast16 (Original leaked name).
- **Behavioral Indicators:**
- Unexpected variances in physical simulation outputs compared to known benchmarks.
- Lateral-movement or scanning traffic consistent with worm-like propagation inside isolated, high-security engineering network segments (segments that are meant to be quiet).
- Code injection into, or API hooking of, the LS-DYNA, PKPM or MOHID solver processes and the numerical libraries they load (the source names the products, not specific executable names or hashes).
## Associated Threat Actors
- **The Equation Group** (Implied by the 2017 NSA leak context).
- Likely **United States (NSA)** or a close Five Eyes ally.
## Detection Methods
- **Signature-based detection:** Modern AV/EDR solutions updated with signatures for the "Shadow Brokers" leak artifacts.
- **Behavioral detection:** Monitoring for unauthorized code injection or API hooking within physical simulation software environments.
- **Integrity Checking:** Comparing calculation outputs of sensitive simulations across different "clean" hardware environments to identify discrepancies.
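The following is an added illustration, not Fast16's code and not derived from the leaked samples. It models the Computation Tampering capability described under Functionality and the two detection ideas above (hook detection and integrity checking by redundant computation) in one small program: a toy solver reaches its square-root routine through a function-pointer table that stands in for a Windows import address table, a hypothetical hook rewrites one entry to bias results by one part in 100,000, and two checks catch it. The workload (an undamped spring-mass system integrated with symplectic Euler), the bias value and every function name are invented for the example; the point it makes that the paragraph alone does not is how a bias far below any engineer's tolerance grows with simulated time into a discrepancy that a clean-system rerun exposes.

```c
#include <stdio.h>

/* Added example, not Fast16 code. A toy solver dispatches its numeric
 * routines through a function-pointer table standing in for an import
 * address table (IAT); a hypothetical sabotage hook overwrites one entry.
 * All names and values below are invented for this illustration. */

typedef double (*unary_fn)(double);

struct math_table {
    unary_fn sqrt_fn;   /* the solver's square-root routine */
};

/* Stand-in for a numeric-library sqrt. Newton iteration keeps the example
 * free of libm; it is deterministic, so clean runs are bitwise identical. */
static double lib_sqrt(double x) {
    if (x <= 0.0) return 0.0;
    double r = x;
    for (int i = 0; i < 64; i++) r = 0.5 * (r + x / r);
    return r;
}

/* Hypothetical implant hook: agrees with lib_sqrt to five digits, so a
 * loose unit test still passes, but carries a 1e-5 relative bias. */
static double hooked_sqrt(double x) {
    return lib_sqrt(x) * (1.0 + 1e-5);
}

/* "pristine" is what the table should contain (think: the on-disk module);
 * "live" is what the process actually dispatches through and the hook edits. */
static const struct math_table pristine = { lib_sqrt };
static struct math_table live = { lib_sqrt };

void install_hook(void) { live.sqrt_fn = hooked_sqrt; }
void remove_hook(void)  { live.sqrt_fn = lib_sqrt; }

/* Toy "simulation": displacement of a spring-mass system (stiffness k,
 * mass m) after n symplectic-Euler steps of size dt. omega = sqrt(k/m) is
 * computed once, so a biased sqrt skews every subsequent step. */
double simulate(const struct math_table *t, double k, double m, int n, double dt) {
    double omega = t->sqrt_fn(k / m);
    double x = 1.0, v = 0.0;
    for (int i = 0; i < n; i++) {
        v -= omega * omega * x * dt;
        x += v * dt;
    }
    return x;
}

static double abs_d(double a) { return a < 0.0 ? -a : a; }

/* Behavioral check: does every dispatch-table entry still point where the
 * pristine copy says it should? EDR compares IAT entries and function
 * prologues against the loaded module's on-disk image in the same spirit. */
int table_intact(const struct math_table *t) {
    return t->sqrt_fn == pristine.sqrt_fn;
}

/* Integrity/redundancy check: rerun the workload through a trusted table and
 * require agreement to a tolerance tighter than any plausible sabotage bias.
 * The absolute term stops near-zero results from tripping on rounding noise. */
int outputs_agree(double a, double b, double rel_tol, double abs_tol) {
    double scale = abs_d(a) > abs_d(b) ? abs_d(a) : abs_d(b);
    return abs_d(a - b) <= abs_tol + rel_tol * scale;
}

/* How far a hooked run drifts from a clean one after n steps. */
double divergence(int n) {
    double clean = simulate(&pristine, 4.0, 1.0, n, 0.01);
    install_hook();
    double dirty = simulate(&live, 4.0, 1.0, n, 0.01);
    remove_hook();
    return abs_d(clean - dirty);
}

int main(void) {
    double clean = simulate(&pristine, 4.0, 1.0, 1000, 0.01);
    install_hook();
    double dirty = simulate(&live, 4.0, 1.0, 1000, 0.01);
    printf("table intact after hook: %d\n", table_intact(&live));
    printf("clean %.9f  hooked %.9f  agree at 1e-9: %d  agree at 1e-3: %d\n",
           clean, dirty, outputs_agree(clean, dirty, 1e-9, 1e-12),
           outputs_agree(clean, dirty, 1e-3, 1e-12));
    remove_hook();
    printf("drift after 10 steps %.3e, after 1000 steps %.3e\n",
           divergence(10), divergence(1000));
    return 0;
}
```

Two things follow from running it. First, the 1e-5 bias is invisible at an engineering tolerance of 1e-3 even after a thousand steps, which is why a sabotaged result passes casual review; only a rerun on a trusted system compared at a tolerance near floating-point precision separates clean from tampered output. Second, the drift is not constant: it scales with simulated time, so the longer and more consequential the analysis, the larger the physical error it silently introduces.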
## Mitigation Strategies
- **Air-Gapping & Segmentation:** Isolate machines running critical simulation and engineering software from the general network.
- **Code Signing:** Ensure only signed and verified binaries for simulation tools are executed.
- **Output Validation:** Use "redundancy checking" where critical simulations are run on multiple, independently verified systems to ensure mathematical consistency.
- **Historical Analysis:** Review engineering data from the mid-2000s for unexplained failures that may have been caused by manipulated simulations.
## Related Tools/Techniques
- **Stuxnet:** A successor in sabotage, targeting PLCs rather than the simulation software used to design them.
- **Olympic Games:** The broader covert campaign to subvert the Iranian nuclear program.
- **Flame / Duqu:** Other sophisticated state-sponsored tools from the same era focused on espionage and complex reconnaissance.