In the history of state-sponsored hacking, the spectrum of cyber operations bent on sabotage has ranged from crude “wiper” attacks that destroy data on target computers to the legendary Stuxnet, a piece of malware the US and Israel first deployed in Iran in 2007 to silently accelerate the spinning of nuclear enrichment centrifuges until they destroyed themselves. Now researchers have discovered another chapter in that decades-long evolution of cybersabotage techniques: a 21-year-old specimen of malware capable of tampering with research and engineering software to undetectably sow mayhem—one that may have been used in Iran, even before Stuxnet.
Vitaly Kamluk and Juan Andrés Guerrero-Saade, two researchers from the cybersecurity firm SentinelOne, on Thursday revealed a breakthrough in the mystery of a piece of malware known as Fast16, whose purpose has eluded the cybersecurity world since its existence was first revealed in an NSA leak in 2017. The SentinelOne researchers have now reverse-engineered the Fast16 code, which they say dates back to 2005 and was likely created by either the US government or one of its allies.
Kamluk and Guerrero-Saade have determined that the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.
“It focuses on making slight alterations to these calculations so that they lead to failures—very subtle ones, perhaps not immediately apparent. Systems might wear out faster, collapse, or crash, and scientific research could yield incorrect conclusions, potentially causing serious harm,” says Kamluk, who along with Guerrero-Saade will present their Fast16 findings at the cybersecurity conference Black Hat Asia in Singapore. “It is a nightmare, to be honest.”
In their analysis of Fast16, Kamluk and Guerrero-Saade found three potential types of physical simulation software that the malware might have been designed to tamper with: Modelo Hidrodinâmico (or MOHID) software created by Portuguese developers for modeling water systems; Chinese construction engineering software known as PKPM; and, perhaps most significantly, the physical simulation software LS-DYNA, an application originally created by scientists who had worked at US Lawrence Livermore National Laboratory, which is now used in modeling everything from collisions between birds and airplanes to the tensile strength of crane components.
Among all those possibilities, Kamluk and Guerrero-Saade point to evidence for one theory in particular: LS-DYNA was also used by Iranian scientists carrying out research that may have contributed to Iran's nuclear weapons program, according to the Institute for Science and International Security. That institute also noted that the software can be used for modeling physics problems related to nuclear weapons research, such as the interaction of metals in a nuclear weapon and the impact of a ballistic missile's reentry into the Earth's atmosphere on a nuclear warhead.
All of that suggests that Fast16 might have been used in the mid-2000s specifically to subvert Iran's attempt to gain nuclear weapons, perhaps even years before Stuxnet was deployed to achieve the same result through a more direct form of sabotage, as part of a joint program carried out by the NSA and Israel's Unit 8200 hackers known as Olympic Games.
“It's not beyond the pale that what we're looking at is an early predecessor to Olympic Games. It fits the bill, right?” says Guerrero-Saade. “We want to be good, objective researchers, but this is really not a stretch.”