The Fast16 virus pretended to be Windows and changed the laws of physics on graphs.

Fast16 looks like one of the most unusual examples of digital sabotage: the malware did not break equipment or disable computers, but quietly altered the data in calculations on which the fate of a nuclear program could depend.
Symantec confirmed that Fast16 was created to interfere with the LS-DYNA and AUTODYN programs. These systems are used for complex modeling, for example of car crashes, the behavior of materials under impact, explosions and other processes involving sudden loads. In the case of Fast16, the goal was narrower: the malware acted during the simulation of a nuclear explosion and changed the values so that engineers saw the wrong results.
According to Symantec, the malicious code waited for the calculation to approach the key stage associated with the compression of the uranium core. When the density of the material reached 30 g/cm³, Fast16 began to understate individual values, including pressure. On the graphs, this result could look plausible, but it pushed engineers to conclude that the test had failed and the desired state had not been achieved.
The likely target of the attack was Iran’s nuclear program. This conclusion is supported by the timing, the emphasis on uranium, the nature of the simulation and the set of programs that could have been in use in Iran in the mid-2000s. Nuclear specialist David Albright of the Institute of Science and International Security believes that Fast16 could disrupt or slow down the work on nuclear weapons calculations.
Fast16 is compared to Stuxnet, but the two took different approaches. Stuxnet interfered with the operation of uranium enrichment centrifuges and showed the operators false data while the equipment was not working properly. Fast16 did not attack physical installations, but undermined trust in calculations. The goal could be to ensure that engineers would waste time, change parameters, argue about the causes of errors and receive distorted results again.
Support for several versions of LS-DYNA and AUTODYN was found in the Fast16 code. Symantec believes that the authors added such support gradually, possibly tracking which versions the target used. If engineers encountered strange results and switched to another version of the program, the malicious code could adapt to it.
Fast16 also spread within the local network, but was designed to avoid going beyond it. Before installation, the malware checked for the presence of 18 security products and refused to infect the system if it found any of them. After installation, Fast16 disguised itself as a Windows system service, installed a driver and intercepted the launch of the programs it targeted.
Symantec estimates that Fast16 required a rare combination of knowledge. The authors had to understand not only Windows and methods of stealthy installation, but also the internal structure of specialized calculation programs, the physics of explosions, models of material behavior and the parameters that need to be changed so that the substitution would not be noticed.
Fast16 first surfaced after the leak of US National Security Agency vulnerabilities released by Shadow Brokers in 2017. The sample itself was later found on VirusTotal, where it went unnoticed for a long time. SentinelOne was the first to publicly disassemble Fast16, and Symantec’s new work confirmed that the program was indeed targeted at LS-DYNA and AUTODYN and could be used against nuclear-related calculations.
Who exactly created Fast16 is officially unknown. But the coincidence in time with Stuxnet and the nature of the target indicate that Fast16 could be part of a broader campaign by the U.S., Israel or their allies to slow down the Iranian nuclear program.
