Pre-Stuxnet 'fast16' Malware Targeted Nuclear Weapons Simulations, Analysis Confirms
A new analysis of the Lua-based **fast16** malware confirms its purpose: cyber sabotage. The tool, predating **Stuxnet**, was designed to tamper with uranium-compression simulations vital for nuclear weapon design, showcasing early nation-state-level cyber capabilities.

### Fast16: A Pre-Stuxnet Sabotage Tool
According to **Symantec** and **Carbon Black**, both now part of **Broadcom**, the *fast16* malware was engineered to corrupt uranium-compression simulations. These simulations are critical to nuclear weapon design.
"Fast16's hook engine is selectively interested in high-explosive simulations inside **LS-DYNA** and **AUTODYN**," the Threat Hunter Team said. "The malware checks for the density of the material being simulated and only acts when that value passes 30 g/cm³, the threshold uranium can only be reached under the shock compression of an implosion device."
### SentinelOne's Initial Analysis
Earlier analysis by **SentinelOne** described *fast16* as a pioneering sabotage framework. Its components may have been developed as early as 2005, preceding the earliest known version of Stuxnet (aka Stuxnet 0.5) by two years.
Evidence unearthed by SentinelOne included a reference to the string "fast16" in a text file. This file was leaked in 2017 by **The Shadow Brokers**, an anonymous hacking group. The leaked file was part of a massive trove of hacking tools and exploits allegedly used by the **Equation Group**, a state-sponsored threat actor with suspected ties to the U.S. **National Security Agency (NSA)**.
### Malware Functionality
At its core, the industrial sabotage malware employs 101 rules to manipulate mathematical calculations performed by specific engineering and simulation programs prevalent at the time. While the exact patched binaries remain unclear, SentinelOne identified three probable candidates: LS-DYNA version 970, Practical Structural Design and Construction Software (**PKPM**), and Modelo Hidrodinâmico (**MOHID**).
Symantec's recent analysis confirms that LS-DYNA and AUTODYN were indeed targeted by *fast16*. The malware was specifically designed to interfere with simulations of high-explosive detonations, aimed at sabotaging nuclear weapons research.
"Both are software applications used to simulate real-world problems such as vehicle crashworthiness, material modelling, and explosive simulation," Symantec and Carbon Black stated. "The hooks fast16 places inside of the simulation program consist of three attack strategies. The tampering only activates during full-scale transient blast and detonation runs."
### Sophisticated Targeting
The 101 hook rules are further categorized into 9-10 hook groups, each targeting different builds of LS-DYNA or AUTODYN. This suggests the malware developers tracked software updates and added support for different versions over time, indicating a methodical and sustained operation.
"If hook rule groups were added sequentially as needed, we see a hook group added for a previous version of the software after a newer version," researchers explained.
"One may imagine, the simulation user reverted to an older version when faced with the anomaly, before that version was also targeted. Secondly, the hook groups represent up to 10 different versions of simulation software, meaning the simulation user updates versions semi-frequently."
### Evasion and Propagation
*Fast16* is designed to avoid infecting computers with specific security products installed. It also automatically spreads to other endpoints on the same network, ensuring that any machine running the simulations generates the same tampered outputs.
These findings highlight that strategic industrial sabotage using malware occurred as early as 20 years ago, predating the use of Stuxnet to damage uranium enrichment centrifuges at Iran's Natanz nuclear plant via malicious code injected into **Siemens** programmable logic controllers.
Speaking to cybersecurity journalist **Kim Zetter**, **Vikram Thakur**, technical director for Symantec, described the expertise required to design such malware in 2005 as "mind-blowing." It remains unknown whether a modern-day version of *fast16* exists in the wild.
"That degree of domain knowledge, such as understanding which EOS [Equation of State] forms matter, which calling conventions are produced by which compilers, and which classes of simulation will or will not trip the gate, is unusual in any era and was very unusual in 2005," Symantec and Carbon Black said.
"The framework belongs to the same conceptual lineage as Stuxnet, in which malware was tailored not just to a vendor's product but to a specific physical process being simulated or controlled by that product."