Pre-Stuxnet Sabotage Malware Fast16 Confirmed as Nuclear Weapons Simulation Tampering Tool Dating Back to 2005
Symantec and Carbon Black have published a definitive analysis confirming that Fast16, a Lua-based malware framework first surfaced by SentinelOne weeks ago, was purpose-built to sabotage nuclear weapons testing simulations. The findings establish Fast16 as the earliest known cyber sabotage tool targeting nuclear weapons research — predating the first known version of Stuxnet by approximately two years, with components potentially dating back to 2005.
The malware targeted two specific engineering simulation applications: LS-DYNA and AUTODYN, both widely used for simulating real-world physics problems including vehicle crashworthiness, material modeling, and explosive detonation. Fast16's hook engine was selectively designed to interfere only with high-explosive simulations, checking the density of the material being simulated and activating only when that value exceeded 30 g/cm³ — a threshold that uranium can only reach under the shock compression conditions of a nuclear implosion device.
The framework contained 101 hook rules organized into 9-10 groups, each targeting different builds and versions of LS-DYNA or AUTODYN. This versioning pattern indicates the operators were methodically tracking software updates at the target facility and adding support as new versions were deployed. Researchers noted evidence suggesting that when the simulation user reverted to an older software version after encountering anomalies, that version was subsequently targeted as well — pointing to sustained, adaptive operational management.
The tampering employed three distinct attack strategies that only activated during full-scale transient blast and detonation simulation runs. The malware automatically propagated to other endpoints on the same network, ensuring that any machine used to run simulations would produce the same corrupted outputs — making the sabotage consistent and far harder to detect through cross-validation.
Fast16 was also designed to avoid detection by checking for the presence of certain security products before infecting a system.
A reference to "fast16" was found in files leaked by The Shadow Brokers in 2017, within a tranche of hacking tools attributed to the Equation Group — a state-sponsored threat actor with suspected ties to the NSA.
Symantec's technical director Vikram Thakur described the level of domain expertise embedded in the malware as "mind-blowing" for 2005. The developers understood which equation-of-state forms were relevant, which calling conventions specific compilers produced, and which simulation classes would or would not trigger the activation gate. That degree of physics and software engineering knowledge combined in a single malware framework was exceptionally rare for the era.
The researchers drew a direct lineage to Stuxnet: both frameworks were tailored not just to a vendor's product but to the specific physical process being simulated or controlled. Where Stuxnet targeted uranium enrichment centrifuges at Iran's Natanz facility through Siemens PLCs, Fast16 targeted the computational modeling that underpins nuclear warhead design itself.
It remains unknown whether a modern successor to Fast16 exists in the wild.
Significance:
This disclosure rewrites the timeline of nation-state cyber sabotage. Strategic industrial tampering using malware was being conducted against nuclear weapons programs at least 20 years ago — well before Stuxnet became the public reference point for state-sponsored cyber-physical attacks. The sophistication of targeting specific physics thresholds within simulation software demonstrates a fusion of signals intelligence, domain expertise, and offensive cyber capability that has significant implications for how we understand the history of cyber warfare and the protection of scientific computing environments in sensitive research facilities.