Skip to main content
Emerging ThreatsMalware & Ransomware

Researchers Uncover Pre-Stuxnet Cyber-Sabotage Malware

A researcher examines computer equipment in a dimly lit, cluttered forensics lab.

"fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today," wrote Vitaly Kamluk with SentinelOne colleague Juan Andrés Guerrero‑Saade.

Vitaly Kamluk and SentinelOne at Black Hat Asia

Researchers from SentinelOne presented new analysis at the Black Hat Asia conference and published a companion blog post describing malware they call fast16. The discovery began when SentinelOne’s Vitaly Kamluk searched for Lua‑based toolkits after wondering whether earlier nation‑state espionage tools were the first examples of their kind. That search surfaced a malware sample uploaded to VirusTotal in 2016 containing a reference to “fast16,” which set the team on a path of forensic reconstruction and attribution.

fast16.sys: a driver built to skew calculations

SentinelOne’s analysis found the sample tries to install a worm and deploys a kernel driver named fast16.sys. The driver contains a routine that alters the output of floating‑point calculations and actively looks for "precision calculation tools in specialised domains such as civil engineering, physics and physical process simulations." Those capabilities indicate the malware’s designers intended to interfere with numerical results produced by engineering and simulation software.

Targets named: LS‑DYNA 970, PKPM, and MOHID

According to the researchers, fast16 appears to focus on three high‑precision engineering and simulation suites used in the mid‑2000s: LS‑DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform. SentinelOne describes those packages as applied to scenarios like crash testing, structural analysis, and environmental modeling. The report also notes that "Iran is thought to have used LS‑DYNA in its nuclear weapons program."

Timeline and provenance: why SentinelOne dates fast16 to around 2005

SentinelOne places fast16’s origins roughly in 2005 based on multiple internal clues in the code and platform constraints. The sample will not run on anything newer than Windows XP and, the researchers say, functions only on a single‑core CPU — a relevant observation because Intel shipped its first multi‑core consumer CPUs in 2006. The team also found a reference to fast16 inside the ShadowBroker malware trove that surfaced in 2016. Combining those artifacts and platform limitations led the researchers to conclude that fast16 likely precedes more widely documented tools, and, in Kamluk’s words, "bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits."

Claim of precedence and the comparison to Stuxnet

Kamluk hypothesized that the malware’s purpose was to cause errors in calculations run by engineering simulation software, potentially producing real‑world consequences. He asserted that fast16 was a cyberweapon that preceded the Stuxnet worm by five years; the report points out that Stuxnet targeted Iran’s uranium enrichment centrifuges. SentinelOne frames fast16 as an early attempt at software‑driven sabotage, and as a reference point for how "advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software."

What this means for vendors, simulation users, and security teams

  • Vendors of the named engineering applications: SentinelOne says it has disclosed findings to the vendors of LS‑DYNA 970, PKPM, and MOHID; the researchers urged vendors to check the output of their products for evidence that the malware produced incorrect calculations.
  • Simulation engineers and organizations that relied on mid‑2000s toolchains: teams running legacy simulations or preserving older output should treat past calculation results as potentially suspect where those tools match the fast16 search criteria.
  • Security operations and forensic teams: the presence of a worm installer and a kernel driver called fast16.sys provides concrete artifacts to hunt for in archives and endpoint telemetry, particularly on legacy Windows XP systems or archived disk images.

SentinelOne’s presentation closed with an appeal that echoes the technical urgency of the findings and the human cost of long investigations: Kamluk said he had disclosed the work to the affected vendors and asked, "Maybe there are more discoveries to come?" He also dedicated the talk to colleague Sergey Mineev, whom he credited with quietly finding significant APTs and who passed away in March.

The fast16 analysis raises a specific, evidence‑based question: if a kernel driver was designed to manipulate floating‑point outputs against targeted simulation packages more than two decades ago, how many other covert efforts to weaponize numerical software remain buried in archives or unlabeled samples? SentinelOne’s public disclosure and the artifacts it points to give defenders concrete leads — and a reminder that the digital traces of statecraft can be subtle and long‑lived.

Original story: Researchers find cyber‑sabotage malware that may predate Stuxnet by five years (The Register)