Full Report
FAST16 could be the first cyberweapon, and its effects could be with us today

Black Hat Asia: Infosec outfit SentinelOne found malware that tries to induce errors in engineering and physics simulation software, and therefore represents an attempt at sabotage, and suggests it was created years before the Stuxnet worm that aimed to destroy Iran's uranium enrichment centrifuges.…
Analysis Summary
# Tool/Technique: FAST16
## Overview
FAST16 is a highly specialized cyber-sabotage tool discovered by SentinelOne researchers. Believed to have been created around 2005, it predates the Stuxnet worm by approximately five years. Unlike typical malware designed for espionage or data theft, FAST16 was engineered for high-precision software sabotage. It specifically targets engineering and physics simulation software to induce subtle errors in floating-point calculations, potentially leading to catastrophic real-world structural or mechanical failures.
## Technical Details
- **Type:** Targeted Sabotage Malware / Kernel Driver
- **Platform:** Windows, specifically legacy 32-bit versions such as Windows XP; the driver assumes a single-core system and is reported to misbehave on multi-core hardware.
- **Capabilities:** Manipulation of floating-point (FPU) results, a worm-style propagation routine, and targeting of specific engineering and physics simulation software.
- **First Seen:** Created circa 2005; sample surfaced on VirusTotal in 2016.
## MITRE ATT&CK Mapping
- **[TA0040 - Impact]**
- **[T1494 - Runtime Data Manipulation]**: A custom kernel driver (`fast16.sys`) hooks target processes and alters the results of their floating-point computations while the software is running. (T1494 is the Impact technique for tampering with data in use; "Impair Defenses" is T1562 and does not apply here.)
- **[TA0001 - Initial Access]**
- **[T1091 - Replication Through Removable Media]**: The sample carries a worm routine. The propagation medium is not stated in the source; removable media is the most plausible vector for the isolated engineering workstations being targeted, so treat this mapping as an inference rather than a confirmed behaviour.
- **[TA0007 - Discovery]**
- **[T1518 - Software Discovery]**: Scanning for specific engineering suites (LS-DYNA, PKPM, MOHID).
- **[TA0005 - Defense Evasion]**
- **[T1014 - Rootkit]**: Implementation via a kernel driver to remain covert.
## Functionality
### Core Capabilities
- **Worm Propagation:** Contains a routine to spread across systems.
- **Kernel-Level Persistence:** Deploys a driver named `fast16.sys` to gain deep system access.
- **Targeted Software Hooking:** Actively searches for and interacts with specialized engineering domains:
- **LS-DYNA 970:** Used for crash testing and non-linear dynamic analysis.
- **PKPM:** Used for structural engineering and civil design.
- **MOHID:** A water modeling system for hydrodynamic simulations.
### Advanced Features
- **Floating-Point Sabotage:** The malware alters the output of high-precision floating-point calculations. Introducing errors that are small relative to the values being computed keeps the simulation report looking plausible while the physical object it validates (a bridge, a dam, a centrifuge) may carry structural flaws that the simulation should have revealed. This is "silent" sabotage: nothing crashes, and the defect surfaces only when the design is built and loaded.
- **Lua-Based Architecture:** Uses early implementations of Lua, a trait shared with later sophisticated APT frameworks like Flame and Project Sauron.
## Indicators of Compromise
- **File Names:** `fast16.sys`
- **Behavioral Indicators:**
- FPU state that departs from the process's expected defaults (rounding mode, precision control, denormal handling), or results of FPU-bound computations that no longer match known-answer values.
- Unexpected drift in simulation results: the same input deck, solver build and settings producing different numbers on the suspect machine than on an independent one, within LS-DYNA or PKPM environments.
- System instability on multi-core processors (as the tool was designed for single-core environments).
## Associated Threat Actors
- **The Shadow Brokers / Equation Group (Suspected):** The "fast16" name is reported to appear in the Equation Group material leaked by the Shadow Brokers. The technical sophistication and the choice of targets suggest a nation-state actor focused on strategic sabotage, but the attribution is not confirmed.
## Detection Methods
- **Signature-based detection:** Hunt for an installed or loaded kernel driver named `fast16.sys`, and for an embedded Lua interpreter in binaries that have no business containing one (the Lua bytecode header `\x1bLua` is a useful string to search for in memory and on disk).
- **Behavioral detection:** Monitor for unsigned or unexpected kernel-mode drivers, and for hooks placed on math runtimes or on floating-point instruction handling in the processes of the targeted engineering suites.
- **Legacy System Auditing:** Deep inspection of legacy Windows XP environments still used in industrial control systems (ICS) or engineering labs.
## Mitigation Strategies
- **Result Validation and Software Integrity Checking:** Checksums on the calculation engine's binaries detect tampering with the files, but not a kernel driver that rewrites results at run time, so they must be paired with result validation: run reference decks with known answers on a schedule, and cross-check critical results by running the same deck, solver build and settings on an independent machine and comparing bit-for-bit.
- **Air-Gapping & Hardening:** Isolate legacy systems used for high-precision modeling from the internet and removable media.
- **Migration:** Move high-precision engineering workloads to modern, multi-core 64-bit operating systems, where the 2005-era FAST16 driver is incompatible and where kernel-mode code signing is enforced. The incompatibility is incidental rather than a control, so migration does not replace validation of results.
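The result-validation step in the detection and mitigation sections above, as an added example that is not SentinelOne's code or part of the original analysis. It assumes an IEEE 754 binary64 machine in its default state (round-to-nearest-even, 53-bit significand, subnormals enabled); the expected bit patterns are well-known constants, and the two simulation result sets are constructed sample data. A mismatch indicates that the machine's floating-point behaviour has been altered or its results tampered with, which is the class of behaviour attributed to FAST16; it does not identify FAST16 itself.

```python
"""Known-answer floating-point self-test and cross-machine result comparison.

Added illustration, not vendor or SentinelOne code. Expected bit patterns
assume IEEE 754 binary64 with default rounding, precision and subnormal
handling; they are fixed constants, not values measured on this machine.
"""
import math
import struct
from typing import Callable, Dict, List, Tuple


def bits(x: float) -> str:
    """Exact IEEE 754 bit pattern of a double, as 16 hex digits."""
    return "%016x" % struct.unpack("<Q", struct.pack("<d", x))[0]


# Each case: name, computation, expected bit pattern under IEEE 754 defaults.
# The cases are chosen so that each common way of corrupting FPU state
# (rounding mode, precision control, flush-to-zero) flips at least one.
KNOWN_ANSWERS: List[Tuple[str, Callable[[], float], str]] = [
    # Rounding of a sum that is not exactly representable.
    ("0.1+0.2", lambda: 0.1 + 0.2, "3fd3333333333334"),
    # Division rounded to nearest.
    ("1/3", lambda: 1.0 / 3.0, "3fd5555555555555"),
    # Correctly rounded square root.
    ("sqrt(2)", lambda: math.sqrt(2.0), "3ff6a09e667f3bcd"),
    # Tie case: 1e16 + 1 is exactly halfway between two doubles, so
    # round-to-nearest-even keeps 1e16; round-toward-+inf gives 1e16 + 2.
    ("tie-to-even", lambda: 1e16 + 1.0, "4341c37937e08000"),
    # 53-bit significand: (1 + 2^-52) - 1 must survive as 2^-52.
    # Reduced x87 precision control (24-bit) collapses it to 0.
    ("53-bit-precision", lambda: (1.0 + 2.0 ** -52) - 1.0, "3cb0000000000000"),
    # Smallest subnormal must not flush to zero (FTZ/DAZ off).
    ("subnormal", lambda: math.ldexp(1.0, -1074), "0000000000000001"),
]


def run_known_answer_tests() -> Dict[str, Tuple[str, str]]:
    """Return {name: (expected_bits, observed_bits)} for every failing case.

    An empty dict means the arithmetic matched IEEE 754 defaults bit-for-bit.
    """
    failures: Dict[str, Tuple[str, str]] = {}
    for name, compute, expected in KNOWN_ANSWERS:
        observed = bits(compute())
        if observed != expected:
            failures[name] = (expected, observed)
    return failures


def compare_runs(reference: Dict[str, float], candidate: Dict[str, float],
                 rel_tol: float = 0.0) -> List[str]:
    """Cross-check scalar outputs of one deck run on two independent machines.

    The same deterministic solver build on the same deck must agree
    bit-for-bit, so the default tolerance is zero. A non-zero rel_tol is
    only appropriate for solvers documented as non-deterministic.
    """
    drift: List[str] = []
    for key, ref in reference.items():
        if key not in candidate:
            drift.append(f"{key}: missing on candidate machine")
            continue
        obs = candidate[key]
        if not math.isclose(obs, ref, rel_tol=rel_tol, abs_tol=0.0):
            drift.append(f"{key}: reference={ref!r} ({bits(ref)}) "
                         f"candidate={obs!r} ({bits(obs)})")
    return drift


# Constructed sample data (illustrative, not real solver output): two
# workstations reporting summary scalars from the same reference deck.
REFERENCE_RUN = {"peak_stress_MPa": 312.4375, "max_disp_mm": 1.8125}
DRIFTED_RUN = {"peak_stress_MPa": 312.4375, "max_disp_mm": 1.8125000000000002}

if __name__ == "__main__":
    for name, (exp, obs) in run_known_answer_tests().items():
        print(f"FPU known-answer mismatch: {name} expected {exp} got {obs}")
    for line in compare_runs(REFERENCE_RUN, DRIFTED_RUN):
        print("result drift:", line)
```

Run the known-answer test from a scheduled task on every engineering workstation and alert on any non-empty result; a single ulp of drift in `compare_runs` between two machines is worth investigating, because a deterministic solver should not produce it.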
## Related Tools/Techniques
- **Stuxnet:** While Stuxnet targeted PLC logic to destroy hardware, FAST16 targeted the *design* phase via simulation software to ensure hardware failed later.
- **Flame / Project Sauron / Animal Farm:** Shared commonality in using Lua-based virtual machines for complex tasks.
- **Equation Group Toolsets:** The reported naming reference ties FAST16 to this broader ecosystem of advanced offensive tools, subject to the attribution caveat above.