Cybersecurity researchers at SentinelOne have unmasked a 21-year-old malware specimen capable of silently corrupting high-precision engineering calculations, a discovery that rewrites the timeline of state-sponsored cyber sabotage. The malware, known as Fast16, predates the famous Stuxnet attack and was likely designed to cause catastrophic equipment failures or faulty research results. Vitaly Kamluk, a SentinelOne researcher, called the tool's subtle manipulation of physical simulations a "nightmare."
The code first surfaced in a 2017 NSA leak by the Shadow Brokers group. It was listed in a tool called Territorial Dispute, which helped NSA operators avoid conflicts with friendly hacking operations. For Fast16, the instruction was blunt: "NOTHING TO SEE HERE—CARRY ON." That directive, researchers speculated, meant the malware belonged to the US or an ally.
Nobody knew what it did. The Shadow Brokers leak contained no actual Fast16 file. That changed in 2019.
Juan Andrés Guerrero-Saade, now at SentinelOne, found a sample hidden in VirusTotal, Google's malware repository. It was disguised as a harmless application called svcmgmt.exe. Inside sat a kernel driver, Fast16.sys, compiled in 2005.
The file's purpose remained a mystery for seven more years. Most analysts assumed it was a rootkit, a stealthy spying tool.
They were wrong. Three months ago, Kamluk decided to test his reverse-engineering skills against artificial intelligence tools. He made a surprising discovery.
Fast16 was not a rootkit. Five top AI tools incorrectly said it was. Kamluk found something far more sinister.
The malware contained a self-spreading "wormlet" that copied itself across Windows networks. It checked for security software. If the coast was clear, it installed its kernel driver.
That driver then monitored a computer's memory for specific target applications. When it found one, it did not steal data. It silently altered the software's mathematical calculations.
The alterations were imperceptible. A simulation of water flow. A stress test on a crane component. The collision of a bird and an airplane. Fast16 could tweak the results just enough to cause a failure—perhaps not immediately, but eventually. A bridge design that looked sound on screen. A centrifuge that spun slightly too fast. "Systems might wear out faster, collapse, or crash," Kamluk said.
Guerrero-Saade and Kamluk identified three potential software targets. One was MOHID, a Portuguese water-modeling system. Another was PKPM, a Chinese construction engineering application. The third, and most significant, was LS-DYNA. This physical simulation software, originally created by scientists at the US Lawrence Livermore National Laboratory, models everything from car crashes to nuclear weapon components.
LS-DYNA was used by Iranian scientists. The Institute for Science and International Security documented this research, which may have contributed to Iran's nuclear weapons program. One study used LS-DYNA to compare explosives, including Octol, a key component of Iran's AMAD nuclear project.
That project was the target of the Olympic Games operation, a joint US-Israeli effort that deployed Stuxnet. The timeline is striking. Fast16 was compiled in 2005. Stuxnet was first deployed around 2007. "It's not beyond the pale that what we're looking at is an early predecessor to Olympic Games," Guerrero-Saade said. "It fits the bill, right?"
Thomas Rid, director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, said the finding rewrites history. "Deceptive sabotage operations have been part of the cyber playbook from much earlier than we thought," Rid said. "They were much stealthier than we understood."
The stealth was built into the worm's design. The spreading mechanism ensured that if a scientist double-checked a flawed simulation on another lab computer, that machine would confirm the erroneous result. The deception became self-reinforcing. A faulty conclusion looked like verified truth.
Costin Raiu, a researcher at TLP:Black who previously led early Stuxnet analysis at Kaspersky, expressed "medium-high confidence" that Fast16 targeted Iran's AMAD project. "This is another dimension of cyberattacks, another way to wage this cyberwar against Iran's nuclear program," Raiu said.
The malware's code contains a version control system, and clues suggest the analyzed sample was not the first or only version. Guerrero-Saade noted that North Korea's nuclear program also suffered unexplained failures during the same period. He drew no conclusions but said, "With this level of development, they didn't make this to run it just one time."
Synopsys, the California company that now maintains LS-DYNA, declined to comment. The developers of MOHID and the China Academy of Building Research, which develops PKPM, did not respond to requests for comment. Neither the NSA nor the Office of the Director of National Intelligence responded.
The discovery raises an unsettling question. For any past engineering disaster (a plane crash, a bridge collapse, a train derailment), was there a cyber angle? "You don't want to nurture these fears, but it naturally comes up," Kamluk said. Rid offered a narrow reassurance.
Fast16's two-decade invisibility suggests it was used against very few targets. Most computers can be trusted. But for a high-value target like a nuclear program, the implications are chilling. "You could never trust your computers," Rid said.
Why It Matters: The Fast16 revelation extends the known history of cyber-physical sabotage by years, proving that state actors possessed the capability to silently corrupt critical engineering data long before Stuxnet. For nations developing sensitive infrastructure or weapons programs, the discovery means that decades of simulation results may need re-examination. For the cybersecurity industry, it exposes a blind spot: the assumption that sophisticated malware is designed to spy or destroy, not to quietly lie.
The SentinelOne researchers will present their full findings at the Black Hat Asia conference in Singapore. The presentation will likely intensify scrutiny on other long-undetected malware samples sitting in archives like VirusTotal. Kamluk and Guerrero-Saade's work also serves as a proof of concept for a new generation of threat hunting: revisiting old, misclassified code with fresh eyes.
The next mystery sample may already be waiting.
Key Takeaways
- A 2005-vintage malware called Fast16 silently manipulated engineering and physics simulations to cause subtle, catastrophic failures.
- Researchers found evidence linking the malware to LS-DYNA software used by Iranian scientists in nuclear weapons research.
- The code predates Stuxnet and may represent an early phase of the US-Israeli Olympic Games sabotage operation.
- The malware's design made its deceptions self-confirming, as it spread to other lab computers to validate false results.
Source: Wired