
New analysis of the Lua-based fast16 malware confirms that it is a cyber-jamming tool designed to tamper with nuclear weapons test simulations.
The Broadcom-owned Symantec and Carbon Black teams say the tool, which predates Stuxnet, was designed to subvert uranium compression simulations, which are central to nuclear weapons design.
“Fast16’s hook engine is selectively interested in explosives simulation within LS-DYNA and AUTODYN,” said the Threat Hunter team. “The malware checks the density of the material being simulated and operates only if its value exceeds 30 g/cm³. Uranium reaches the threshold only under impact compression in an implosion device.”
This development comes weeks after SentinelOne published an analysis of fast16, which describes fast16 as an original jamming framework whose components may have been developed as early as 2005, two years before the earliest known version of Stuxnet (also known as Stuxnet 0.5).
Evidence unearthed by the cybersecurity firm included a reference to the string “fast16” in a text file leaked in 2017 by an anonymous hacker group called The Shadow Brokers. The file was part of a vast array of hacking tools and exploits allegedly used by Equation Group, a state-sponsored threat actor with suspected ties to the US National Security Agency (NSA).
At its core, this industry-disrupting malware contained a set of 101 rules for tampering with the mathematical calculations performed by certain engineering and simulation programs that were popular at the time. Although the exact binaries patched by this malware are unknown, SentinelOne has identified three possible candidates: LS-DYNA version 970, Practical Structural Design and Construction Software (PKPM), and Modelo Hidrodinâmico (MOHID).
Symantec’s latest analysis confirms that LS-DYNA and AUTODYN are two of the applications targeted by fast16, adding that the malware’s hooks appear designed to interfere with the simulation of high-explosive grenade explosions and are almost certainly intended to facilitate sabotage against nuclear weapons research.
“Both are software applications used to simulate real-world problems such as vehicle crash safety, materials modeling, and explosion simulation,” Symantec and Carbon Black said in a statement. “The fast16 hooks in the simulation programs consist of three attack strategies; tampering is only effective during full-scale transient explosion and detonation runs.”
The 101 hook rules can be further divided into 9-10 hook groups, each targeting a different build of LS-DYNA or AUTODYN, suggesting that the malware developers were tracking software updates and adding support for different versions over time. This shows systematic and continuous operation.
“If hook rule groups were added sequentially as needed, then hook groups would have been added to the previous version of the software after the new version,” the researchers explained.
“As you might imagine, simulation users would revert to an older version when faced with an anomaly before that version was also targeted. Second, hook groups represent up to 10 different versions of the simulation software, meaning simulation users update versions semi-frequently.”
Fast16 is designed not to infect computers that have certain security products installed. It also spreads automatically to other endpoints on the same network, so that every machine used to run the simulation produces the same tampered output.
The findings show that strategic industrial sabotage using malware was carried out by nation-state actors two decades ago, long before Stuxnet was used to damage uranium enrichment centrifuges at Iran’s Natanz nuclear power plant by injecting malicious code into Siemens programmable logic controllers.
In an interview with cybersecurity journalist Kim Zetter, Symantec technical director Vikram Thakur said that the level of expertise required to design such malware in 2005 was “astounding.” However, it is unclear whether a modern version of fast16 actually exists.
“This level of domain knowledge, such as understanding which EOS formats are important, which calling conventions are generated by which compilers, and which classes of simulations will or will not pass through gates, is rare in any era, and was extremely rare in 2005,” Symantec and Carbon Black said.
“This framework belongs to the same conceptual family as Stuxnet, and the malware is tailored not only to a vendor’s product, but also to the specific physical processes that are simulated or controlled by that product.”
