Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' — fast16 targeted nuclear reactors, dam design, and other high-precision civil engineering software years before Stuxnet broke cover
Fast16 appears to be at least half a decade older than Stuxnet.
Security researchers have uncovered a cyber-sabotage platform that predates Stuxnet by at least half a decade. Sentinel Labs has published a blog on their fast16 revelations, discussing the scope of this state-level tool, which targets select high-precision calculation software, slyly introducing inaccuracies. Investigations suggest that fast16 was used to make key calculations subtly but reproducibly erroneous in software used for projects involving nuclear reactors, dam design, and broader physics simulations.
“*** Nothing to see here – carry on ***”
Before looking more closely at fast16, it is interesting to ponder who may be behind it and the origin of the name. Sentinel Labs notes that the name ‘fast16’ can be found referenced in an infamous NSA ‘territorial dispute’ file leak. Specifically, it was mentioned in the strongest terms in a do-not-disturb list provided to operators. The line “fast16 *** Nothing to see here – carry on ***” singles out fast16 as being one of - if not the - most important NSA hack tools.
The security researchers, including Vitaly Kamluk & Juan Andrés Guerrero-Saade, found fast16 based on an architectural hunch. As a number of high-tier threats in this category were built on an embedded Lua virtual machine, they decided to see if there were traces of earlier Lua VM tools.
A file called svcmgmt.exe, which was uploaded to VirusTotal nearly a decade ago, would be a key link. This ‘unremarkable’ file dates from 2005 and was indeed a “Lua-powered service binary.” However, “it still receives almost no detections: one engine classifies it as generally malicious, and even that with limited confidence,” note the security researchers.
How fast16 was delivered
The aforementioned svcmgmt.exe acts as a carrier worm for delivering the fast16.sys kernel driver. It is surprisingly stealthy for a tool of its age. For example, it would check the machine registry for signs of malware monitoring tools from companies like Symantec, TrendMicro, McAfee, etc., to decide whether to abort or to deploy.
Spreading of fast16 would occur via wormlets propagating through Windows service control and file-sharing APIs. This version of fast16 targeted Windows 2000 and Windows XP environments and preyed on default and weak admin passwords on file shares.
The prime targets of fast16
Fast16 was designed to corrupt floating-point calculations in a subtle, predictable, reproducible way. It would seek out executable files, and in particular, EXEs that had been compiled with the Intel C/C++ compiler.
The corruption of output from targeted executables was controlled in such a way that fast16 would introduce “small but systematic errors into physical‑world calculations.” In effect, engineering projects based on these calculations may degrade more quickly than expected “or even contribute to catastrophic damage,” note the researchers.
In the Sentinel Labs blog, three era-appropriate software packages were specifically named as targets of fast16.
LS‑DYNA 970 (crash/explosion simulations; typically used in nuclear-related modeling)
PKPM (Chinese structural engineering suite, used to design expansive infrastructure projects)
MOHID (Portuguese hydrodynamic environmental modeling software)
Other infected machines using the same software, doing the same calculations, would get the same subtly erroneous results.
What else is out there?
Fast16 is a rather momentous discovery that indicates state-grade cyber sabotage existed in the mid-noughties, predating the discovery of Stuxnet by at least five years.
The lineage of fast16 may be much longer and deeper in history, though. Some strings in the malware files have fingerprints from Cold War-era Unix systems. These are basically fossilized traces of software revision control systems dating back to the 1970s and 80s.
Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.
S58_is_the_goat
So in the end it looks like all of these sabotaging worms were pretty useless?
SkyBill40
S58_is_the_goat said: So in the end it looks like all of these sabotaging worms were pretty useless?
I wouldn't exactly say that's accurate. Perhaps not as effective as intended or expected, but far from useless.
ejolson
I find it surprising any serious calculations were hosted on Windows 2000 or XP. Could this explain how Microsoft lost the entire high-performance computing market to Linux over the next decade?
If anyone has a complaint about this, I think it would be Microsoft.