Full Report
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations. According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations that are central to nuclear weapon design. "Fast16's hook engine is selectively interested in
Analysis Summary
# Tool/Technique: Fast16
## Overview
Fast16 is a sophisticated, Lua-based cyber sabotage framework designed to tamper with high-fidelity engineering simulations. Predating Stuxnet version 0.5 by approximately two years, it is considered one of the earliest examples of a nation-state industrial sabotage tool. Its primary purpose was to corrupt mathematical calculations related to uranium compression during nuclear weapon design simulations, effectively feeding researchers false data to stall or misdirect nuclear development programs.
## Technical Details
- **Type**: Malware family / Sabotage Framework
- **Platform**: Windows (Engineering Workstations)
- **Capabilities**: Computational tampering, process hooking, lateral movement, anti-analysis.
- **First Seen**: Evidence suggests development as early as 2005; publicly disclosed via Shadow Brokers leaks in 2017; technical analysis confirmed in 2026.
## MITRE ATT&CK Mapping
- **[TA0009 - Collection]**
  - **[T1560 - Archive Collected Data]**: (Implied by the complexity of rule-matching and data extraction).
- **[TA0040 - Impact]**
  - **[T1491 - Defacement]**: External Result Manipulation.
  - **[T1495 - Firmware Corruption]**: (Analogy to its effect on industrial logic/simulations).
  - **[T1565.001 - Data Manipulation: Stored Data Manipulation]**: Corrupting simulation output files.
- **[TA0008 - Lateral Movement]**
  - **[T1080 - Taint Shared Content]**: Automatic spreading across network endpoints to ensure consistent tampered results.
- **[TA0005 - Defense Evasion]**
  - **[T1562.001 - Impair Defenses: Disable or Modify Tools]**: Checks for security products and aborts if detected.
## Functionality
### Core Capabilities
- **Precision Hooking**: Utilizes a specialized hook engine to intercept calls within high-explosive simulation software (specifically **LS-DYNA** and **AUTODYN**).
- **Conditional Triggering**: The sabotage only activates when specific material density thresholds are met—specifically 30 g/cm³, which is the threshold for uranium under shock compression in an implosion device.
- **Mathematical Tampering**: Contains 101 specific rules (categorized into 9-10 groups) designed to subtly alter the physics calculations during full-scale transient blast and detonation runs.
### Advanced Features
- **Version Persistence**: The tool includes support for at least 10 different versions of simulation software, ensuring that if a user reverts to an older software build to troubleshoot "anomalies," the malware continues to function.
- **Self-Propagation**: Automatically spreads to other endpoints on the same network to maintain consistency in simulation results across multiple workstations.
- **Environment Awareness**: Employs checks to avoid infection on machines running specific security software to remain undetected.
## Indicators of Compromise
- **File Hashes**: (Specific hashes not provided in the article, though linked to Equation Group "Fast16" strings in the 2017 Shadow Brokers leak).
- **File Names**: `fast16` (Reference found in leaked Equation Group text files).
- **Registry Keys**: N/A in current report.
- **Network Indicators**: N/A (Internal lateral movement focused).
- **Behavioral Indicators**:
  - Verification of material density values in simulation memory.
  - Interception/hooking of specific simulation software processes: `ls-dyna.exe`, `autodyn.exe`.
  - Unexpected consistency of simulation errors across multiple air-gapped or networked workstations.
## Associated Threat Actors
- **Equation Group**: State-sponsored threat actor with suspected ties to the U.S. National Security Agency (NSA).
## Detection Methods
- **Signature-based**: Detection of the specialized Lua-based hooking engine and the 101 specific rule-set patterns.
- **Behavioral**: Monitoring for unauthorized API hooking within engineering simulation software and identifying unexpected network traffic patterns focused on lateral propagation of binaries.
- **Integrity Checking**: Comparing simulation outputs against known-good "clean" environments or verifying the integrity of simulation software binaries/DLLs.
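The "compare against a known-good clean environment" check above, combined with the behavioral indicator that tampered results are *consistent* across workstations, can be turned into a concrete script. The following is an added example written for this page, not code from the Symantec/Carbon Black analysis or from any simulation vendor. It assumes each run exports a per-step peak-density trace as `(step, value)` pairs; the reference trace, the workstation traces, the tolerance and the workstation names are all constructed for illustration. The point it shows is that honest run-to-run noise differs from machine to machine, whereas several workstations deviating from the reference by identical amounts is a much stronger signal that the software itself has been altered than any single out-of-tolerance run.

```python
"""Cross-workstation consistency check for simulation output traces.

Added example (not from the report or any simulation vendor).  Independent
numerical noise is never identical across machines, so several workstations
that all deviate from a known-good reference by the *same* amounts point at
tampered software rather than hardware or floating-point variance.
All data below is constructed.
"""
from typing import Dict, List, Tuple

Trace = List[Tuple[int, float]]

# Constructed reference trace from a clean, isolated environment:
# (time step, peak density in g/cm3).  Values are illustrative only.
REFERENCE: Trace = [(0, 18.9), (1, 22.4), (2, 27.1), (3, 31.6), (4, 34.2), (5, 33.0)]

# Constructed traces from three production workstations for the same input deck.
WORKSTATIONS: Dict[str, Trace] = {
    # ordinary hardware / rounding noise, well inside tolerance
    "ws-01": [(0, 18.9), (1, 22.41), (2, 27.1), (3, 31.6), (4, 34.19), (5, 33.0)],
    # two machines under-reporting by the same ~4% once the run passes step 3
    "ws-02": [(0, 18.9), (1, 22.4), (2, 27.1), (3, 30.34), (4, 32.83), (5, 31.68)],
    "ws-03": [(0, 18.9), (1, 22.4), (2, 27.1), (3, 30.34), (4, 32.83), (5, 31.68)],
}

REL_TOL = 0.005  # 0.5% relative tolerance for legitimate run-to-run noise (assumed)


def deviations(trace: Trace, reference: Trace) -> List[float]:
    """Relative deviation of each step against the reference trace."""
    ref = dict(reference)
    out = []
    for step, value in trace:
        if step not in ref:
            raise ValueError(f"step {step} is not present in the reference trace")
        out.append((value - ref[step]) / ref[step])
    return out


def flag_runs(runs: Dict[str, Trace], reference: Trace,
              rel_tol: float = REL_TOL) -> Dict[str, List[int]]:
    """Map each out-of-tolerance run name to the indices of its bad steps."""
    flagged = {}
    for name, trace in runs.items():
        devs = deviations(trace, reference)
        bad = [i for i, d in enumerate(devs) if abs(d) > rel_tol]
        if bad:
            flagged[name] = bad
    return flagged


def correlated_groups(runs: Dict[str, Trace], reference: Trace,
                      rel_tol: float = REL_TOL, ndigits: int = 4) -> List[List[str]]:
    """Group flagged runs whose whole deviation vector matches to `ndigits` places.

    A group of two or more machines is the 'unexpected consistency' indicator:
    the same wrong answer on several hosts is not noise.
    """
    groups: Dict[tuple, List[str]] = {}
    for name in flag_runs(runs, reference, rel_tol):
        key = tuple(round(d, ndigits) for d in deviations(runs[name], reference))
        groups.setdefault(key, []).append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


def main() -> None:
    flagged = flag_runs(WORKSTATIONS, REFERENCE)
    for name, steps in flagged.items():
        print(f"{name}: out of tolerance at steps {steps}")
    for group in correlated_groups(WORKSTATIONS, REFERENCE):
        print(f"identical deviation pattern on {', '.join(group)}: suspect shared tampered binary")


if __name__ == "__main__":
    main()
```

In practice the reference trace should come from an air-gapped machine whose solver binaries were installed from verified media, and the comparison should be repeated after any solver upgrade, since a tool that ships per-version support will survive a version change unless the clean environment is rebuilt alongside it.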
## Mitigation Strategies
- **Network Segmentation**: Isolating high-value engineering workstations from the broader corporate network.
- **Software Integrity**: Using code-signing and integrity checks for simulation tools like LS-DYNA and AUTODYN.
- **Air-Gapping**: Ensuring critical simulation data remains on machines without lateral movement capabilities.
- **Endpoint Protection**: Deploying EDR solutions that monitor for specialized process injection and hooking.
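The integrity checks named under Detection Methods ("verifying the integrity of simulation software binaries/DLLs") and under Software Integrity above amount to keeping a hash manifest of the solver installation taken on a clean machine and re-checking workstations against it. The script below is an added example for this page, not code from the report or from LS-DYNA or AUTODYN; the install-directory layout, file names and contents in `demo()` are placeholders constructed so it runs offline in a temporary directory. A patched library shows up as `modified`, a dropped hooking module as `added`, and a deleted data file as `missing`.

```python
"""Install-directory integrity baseline for engineering simulation software.

Added example, not from the Symantec/Carbon Black report or any vendor.
build_manifest() hashes every file under an install root on a known-clean
machine; verify_manifest() later compares a workstation against that
manifest and reports modified, missing and unexpected files.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large solver binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file path (relative to root, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against the baseline; empty lists mean a clean match."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean install, then alter a copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "SolverInstall"  # placeholder install directory
        (root / "bin").mkdir(parents=True)
        (root / "lib").mkdir()
        (root / "bin" / "solver.exe").write_bytes(b"original solver image")       # placeholder
        (root / "bin" / "physics.dll").write_bytes(b"original physics library")   # placeholder
        (root / "lib" / "materials.dat").write_bytes(b"material table")           # placeholder

        baseline = build_manifest(root)
        assert verify_manifest(root, baseline) == {"modified": [], "missing": [], "added": []}

        # Simulated tampering: patched library, unexpected module, removed data file.
        (root / "bin" / "physics.dll").write_bytes(b"patched physics library")
        (root / "bin" / "hook.dll").write_bytes(b"unexpected module")
        (root / "lib" / "materials.dat").unlink()
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:9s}: {files}")
```

The manifest must itself be stored where a compromised workstation cannot rewrite it (a signed file on removable media or a separate host), and the check should run against the on-disk files rather than trusting a running process, since hooking happens in memory after the clean binary has loaded.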
## Related Tools/Techniques
- **Stuxnet**: Focused on physical sabotage of centrifuges via PLC manipulation.
- **Equation Group Tools**: Part of a broader toolkit leaked by The Shadow Brokers.
- **Flame / Gauss**: Other high-complexity nation-state tools of the same era.