A piece of sabotage malware called 'fast16' has been discovered that predates 'Stuxnet,' which was previously considered the world's first cyber weapon.

fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet | SentinelOne
https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/
Pre-Stuxnet Sabotage Malware 'Fast16' Linked to US-Iran Cyber Tensions - SecurityWeek
https://www.securityweek.com/pre-stuxnet-sabotage-malware-fast16-linked-to-us-iran-cyber-tensions/
Stuxnet is malware, considered the world's first cyber weapon, reportedly developed jointly by the NSA and Israeli intelligence agencies. It infects and damages industrial control systems. In a 2010 cyberattack on uranium enrichment centrifuges at an Iranian nuclear fuel facility, it reportedly rendered approximately 8,400 centrifuges inoperable.
It has also been reported that the attack on Iran's nuclear fuel facility was made possible by a Dutch spy who infiltrated the site.
Details reveal that the cyberattack on Iran's nuclear fuel facility was carried out with the help of an infiltrating 'Dutch spy' - GIGAZINE

SentinelOne wasn't initially looking for malware that existed before Stuxnet; rather, it was searching for early examples of the lightweight scripting language Lua being used as an embedded engine in Windows malware.
In the course of that search, a binary called 'svcmgmt.exe' dating back to 2005 was found with a Lua 5.0 virtual machine embedded in it. The Lua code referenced a kernel driver called 'fast16.sys,' which not only intercepted file system input and output but also carried rule-based code patching capabilities, a level of engineering that suggests a state actor.
The name 'fast16' also reportedly appears in documents leaked in 2017 by The Shadow Brokers, the group that stole and published classified NSA hacking tools and documentation.
When the patch rules were compared with software in use at the time, 'fast16' was found to overlap strongly with 'LS-DYNA 970' and 'PKPM,' high-precision engineering and simulation packages from the mid-2000s, as well as with the fluid dynamics modeling platform 'MOHID.'
These programs were reportedly used for applications such as crash testing, structural analysis, and environmental modeling. In particular, 'LS-DYNA 970' was cited in computer modeling research related to Iran's nuclear weapons development.
'fast16' may therefore have been designed to hijack or alter the execution flow of this software's high-precision numerical routines. SentinelOne stated, 'This framework could introduce small but systematic errors into calculations of the physical world, potentially disrupting or delaying scientific research programs, degrading engineering systems over time, or even causing catastrophic damage.'
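To make the mechanism above concrete, the following is an added example written for this page; it is not code from SentinelOne, from the fast16 sample, or from any of the named simulation packages. It models a size-preserving, rule-based patch applied to the bytes a process reads (the effect of a driver sitting in the file I/O path), shows how a 0.2% change to one embedded constant yields a small but systematic error in a toy calculation, and gives the integrity check a defender would run: hash what the process actually reads and compare it against a hash recorded from a trusted copy. The rule format, the `CONST_G=` marker, the toy binary and the 0.2% figure are all assumptions constructed for the example.

```python
import hashlib
import struct

# Constructed stand-in for a solver binary: a physical constant stored as a
# little-endian IEEE-754 double, the way compiled simulation code keeps
# material and gravitational constants in its data section.
G_TRUE = 9.80665
MAGIC = b"CONST_G="
TOY_BINARY = b"\x90" * 32 + MAGIC + struct.pack("<d", G_TRUE) + b"\xcc" * 32

# Hypothetical rule format: (signature bytes, replacement bytes of equal length).
# The page only says fast16's patching was "rule-based"; this shape is an
# assumption for the example, not the real rule syntax.
PATCH_RULES = [
    (MAGIC + struct.pack("<d", G_TRUE),
     MAGIC + struct.pack("<d", G_TRUE * 1.002)),   # +0.2%: small enough to go unnoticed
]


def apply_patch_rules(data: bytes, rules) -> bytes:
    """Model of on-read patching: the bytes a process receives differ from the
    bytes on disk. Rules are kept size-preserving so file offsets stay valid."""
    out = data
    for sig, repl in rules:
        if len(sig) != len(repl):
            raise ValueError("in-place patch rules must not change length")
        out = out.replace(sig, repl)
    return out


def read_constant(image: bytes) -> float:
    """What the toy 'solver' does at startup: load its gravitational constant."""
    off = image.index(MAGIC) + len(MAGIC)
    return struct.unpack("<d", image[off:off + 8])[0]


def fall_time(height_m: float, g: float) -> float:
    """Trivial 'simulation' step that depends on the constant: free-fall time."""
    return (2.0 * height_m / g) ** 0.5


def relative_error(height_m: float, image: bytes) -> float:
    """Systematic error the patched image introduces, as a fraction of the true value.
    Because t scales with g**-0.5, a +0.2% change in g gives roughly -0.1% in t."""
    true = fall_time(height_m, G_TRUE)
    seen = fall_time(height_m, read_constant(image))
    return abs(seen - true) / true


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def io_layer_tampering(trusted_sha256: str, observed: bytes) -> bool:
    """Integrity check: hash the bytes the process actually reads and compare
    against a hash recorded from a trusted copy. A filter that patches on read
    shows up as a mismatch even though the file on disk is unchanged."""
    return sha256_hex(observed) != trusted_sha256


if __name__ == "__main__":
    trusted = sha256_hex(TOY_BINARY)          # recorded when the software was installed
    patched = apply_patch_rules(TOY_BINARY, PATCH_RULES)
    print("g as loaded by the solver:", read_constant(patched))
    print("relative error in fall time at 100 m: %.4f%%" % (100 * relative_error(100.0, patched)))
    print("tampering detected:", io_layer_tampering(trusted, patched))
```

The point of the check is where the hash is taken: a hash computed by the same code path the patching layer intercepts will always agree with itself, so the trusted value has to come from a copy read before the driver was present, from another machine, or from the vendor's published digests.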

SentinelOne, which conducted the analysis, pointed out that 'fast16' is state-developed malware that predates Stuxnet by several years, and called it a 'digital fossil' that offers insight into the history of cyber warfare. They argued that 'fast16 provides guidance on how highly capable entities think about long-term operations, sabotage, and the state's ability to reshape the physical world through software.'