FAST16 Discovered: 2005 Sabotage Malware Predates Stuxnet by Five Years


SentinelOne uncovers ShadowBrokers-referenced cyberweapon that silently corrupted engineering math; likely US/Israel operation against Iranian nuclear program.

SINGAPORE — Everything we knew about the origins of state-sponsored cyber-sabotage was just rewritten. Today, at Black Hat Asia 2026, SentinelOne researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade unveiled FAST16, a precision-engineered malware sample dating back to 2005.

The discovery proves that high-precision digital sabotage was operational a full five years before Stuxnet crippled the Natanz centrifuges in 2010. While Stuxnet destroyed hardware, FAST16 did something far more insidious: it corrupted the very laws of physics within simulation software, rendering years of nuclear and structural research useless without the scientists ever knowing they were under attack.

Sabotage Timeline: 2001 – 2026
| Year | Event / Milestone |
|------|-------------------|
| 2001 | Code Red / Nimda: Era of mass network disruption and worms. |
| 2005 | FAST16 Operational: Precision math sabotage targets Iran. |
| 2010 | Stuxnet: First public case of digital-to-physical hardware destruction. |
| 2016 | ShadowBrokers leak cryptic "fast16" references from NSA archives. |
| 2026 | SentinelOne reverse-engineers the 2005 sample, confirming origins. |

The ShadowBrokers Clue: A Decade-Long Mystery

The trail for FAST16 began in 2016 with the infamous ShadowBrokers leak of NSA hacking tools. Among the exploits was a cryptic reference to "fast16" accompanied by the snarky note: "NOTHING TO SEE HERE - CARRY ON." For ten years, the cybersecurity community treated it as a footnote. However, after a 2016 VirusTotal upload was finally reverse-engineered using 2026-level forensic tools, SentinelOne identified the code as a driver-level rootkit (fast16.sys) designed specifically for Windows XP single-core systems — the standard infrastructure for high-precision engineering in the mid-2000s.

Sabotage Mechanism: The Floating-Point Strike

Unlike modern ransomware that encrypts files or wipers that delete data, FAST16 was designed for computation sabotage. It targeted specific high-end simulation suites, including:

  • LS-DYNA 970: Used for nuclear physics and crash testing.
  • PKPM: Standard software for civil engineering and structural integrity.
  • MOHID: Used for sophisticated water and fluid dynamics modeling.

FAST16 Target Analysis: High-Precision Suites

| Software Suite | Industry & Sabotage Impact |
|----------------|----------------------------|
| LS-DYNA 970 | Nuclear/Defense: Corrupts physics simulations for detonation triggers. |
| PKPM | Civil Engineering: Silently alters load-bearing structural calculations. |
| MOHID | Physics: Manipulates fluid dynamics and water-modeling data. |

The "Silent Math" Attack

The malware functions by altering the Floating Point Unit (FPU) output. When the target software performed a complex calculation, fast16.sys would intercept the result and introduce minute, non-linear errors.

  • The Result: A bridge design that looks perfect on screen but collapses in reality; a nuclear reaction model that produces "failed" results, leading researchers to abandon viable paths.
  • The Stealth: Because the software didn't crash and the files weren't altered, the research became a "faulty" foundation. This was pure epistemic sabotage.
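
For defenders, the practical counter to this kind of silent corruption is a known-answer audit: recompute a floating-point result in exact integer-based arithmetic and flag any deviation larger than legitimate rounding can explain. The sketch below is an added example, not code from the SentinelOne research; the function names, the sample vectors and the `skewed_dot` stand-in for a tampered result are all constructed for illustration.

```python
import sys
from fractions import Fraction

EPS = sys.float_info.epsilon  # 2**-52 for IEEE-754 doubles


def exact_dot(xs, ys):
    """Reference dot product in exact rational arithmetic (no float ops)."""
    return sum(Fraction(x) * Fraction(y) for x, y in zip(xs, ys))


def rounding_bound(xs, ys):
    """Loose worst-case rounding error of a naive n-term float dot product."""
    magnitude = sum(abs(Fraction(x) * Fraction(y)) for x, y in zip(xs, ys))
    return len(xs) * Fraction(EPS) * magnitude


def float_dot(xs, ys):
    """Ordinary floating-point dot product: the computation under audit."""
    total = 0.0
    for x, y in zip(xs, ys):
        total += x * y
    return total


def skewed_dot(xs, ys):
    """Constructed stand-in for a tampered result: one part per billion off."""
    return float_dot(xs, ys) * (1 + 1e-9)


def audit(dot_fn, cases):
    """Return indices of cases whose result lies outside the rounding bound."""
    suspicious = []
    for i, (xs, ys) in enumerate(cases):
        err = abs(Fraction(dot_fn(xs, ys)) - exact_dot(xs, ys))
        if err > rounding_bound(xs, ys):
            suspicious.append(i)
    return suspicious


# Constructed sample inputs (not taken from any real simulation).
CASES = [
    ([0.1, 0.2, 0.3], [1.5, 2.5, 3.5]),
    ([1e3, 2.5e-3, 7.0], [3.0, 4.0, 0.125]),
]

if __name__ == "__main__":
    print("clean :", audit(float_dot, CASES))
    print("skewed:", audit(skewed_dot, CASES))
```

Because the interference described here is applied to the target software's own calculations, a check like this is only meaningful when it audits values exported from that software, ideally recomputed on an independent machine.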

Technical Breakdown: Air-Gaps and Origins

FAST16 utilized a sophisticated worm propagation technique designed to jump across air-gapped facilities, likely via infected USB drives — the same "Sneakernet" vector Stuxnet would perfect half a decade later.

Once inside the isolated environment, the malware's SCM (Service Control Manager) wormlet would deploy the carrier payload, initiating the stealth math corruption without ever needing a return connection to the outside world.


The CyberSignal Analysis: Strategic Signals

Signal 01 — The Iran Nuclear Nexus

Evidence heavily suggests FAST16 was a precursor to Olympic Games (the US/Israeli operation against Iran). LS-DYNA is the exact software used by Iranian scientists at the time to simulate nuclear triggers. By poisoning the math before they even built the hardware, the attackers ensured that the Iranian program would "fail" on paper, wasting years of high-cost research before Stuxnet arrived to finish the job.

Signal 02 — The Resurrection of Stealth Sabotage

The rediscovery of FAST16 is a reminder that the most dangerous nation-state attacks are those that don't make noise. While the world focuses on ransomware, the silent corruption of physics-based calculations remains a viable and terrifying threat to aerospace, medicine, and critical infrastructure.

Signal 03 — A Failure of Forensic History

The fact that a weaponized driver sat in plain sight for 21 years (and on VirusTotal for 10) illustrates a massive gap in historical cyber-forensics. As Iran, Russia, and China drive modern threats, we must wonder what other 20-year-old "stealth math" malware is still running in legacy industrial systems today.


Sources

| Type | Source |
|------|--------|
| Research | SentinelOne: FAST16 Discovery Report |
| Technical News | The Register: Stuxnet's Older Brother |
| Analysis | Wired: Rewriting Cyber History |
| Intelligence | SecurityWeek: US-Iran Cyber Tensions Link |
| Executive View | LinkedIn: Tomer Weingarten on ShadowBrokers |