Research · Hacker News
Fast16: High-precision software sabotage 5 years before Stuxnet
Compiled by KHAO Editorial, aggregated from 1 outlet.
SentinelLABS's investigation into fast16 starts with an architectural hunch.
Key facts
- In April 2017, almost 12 years after the compilation timestamp, the same filename, “fast16”, appeared in the ShadowBrokers leak
- Flame, Animal Farm’s Bunny, ‘PlexingEagle’, Flame 2.0, and Project Sauron each built platforms around the extensibility and modularity of an embedded Lua VM
- The driver is configured with Start=0 (boot) and Type=2 (filesystem driver) in the SCSI class group
- Compiled bytecode containers start with the magic bytes 1B 4C 75 61 (\x1bLua), followed by a version byte, and the engine typically exposes a characteristic C API and environment variables such
Summary
SentinelLABS has uncovered a previously undocumented cyber sabotage framework, tracked as fast16, whose core components date back to 2005. Fast16.sys selectively targets high-precision calculation software, patching code in memory to tamper with results. This 2005 attack is a harbinger of sabotage operations targeting ultra-expensive, high-precision computing workloads of national importance, such as advanced physics, cryptographic, and nuclear research. Fast16 predates Stuxnet by at least five years and stands as the first operation of its kind. The name ‘fast16’ is referenced in the infamous ShadowBrokers’ leak of NSA’s ‘Territorial Dispute’ components.
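The Lua bytecode marker listed in the key facts (1B 4C 75 61 plus a version byte) can be used to triage a binary for an embedded Lua VM payload. The following is an added example, not code from SentinelLABS or from the sample itself. The function names, the restriction to Lua 5.x and the sample blob are assumptions made for illustration.

```python
"""Triage helper: locate embedded Lua bytecode containers in a binary blob."""
from typing import List, NamedTuple, Optional

LUA_MAGIC = b"\x1bLua"  # 1B 4C 75 61, the container magic from the key facts


class LuaHit(NamedTuple):
    offset: int             # offset of the magic bytes in the blob
    version: Optional[str]  # "major.minor", or None if implausible/truncated


def decode_version(byte: int) -> Optional[str]:
    """Official Lua encodes the version byte as major*16 + minor (0x51 -> 5.1)."""
    major, minor = byte >> 4, byte & 0x0F
    # Assumption: only Lua 5.0-5.4 is plausible; anything else is noise,
    # e.g. the string "\x1bLua" appearing inside unrelated data.
    return f"{major}.{minor}" if major == 5 and minor <= 4 else None


def find_lua_bytecode(blob: bytes) -> List[LuaHit]:
    """Return every occurrence of the magic, with the decoded version byte."""
    hits = []
    pos = blob.find(LUA_MAGIC)
    while pos != -1:
        ver_at = pos + len(LUA_MAGIC)
        # The magic may be the last bytes of a truncated sample: no version byte.
        version = decode_version(blob[ver_at]) if ver_at < len(blob) else None
        hits.append(LuaHit(pos, version))
        pos = blob.find(LUA_MAGIC, pos + 1)
    return hits


def likely_containers(blob: bytes) -> List[LuaHit]:
    """Keep only hits whose version byte decodes to a plausible Lua release."""
    return [h for h in find_lua_bytecode(blob) if h.version is not None]


# Constructed sample: a fake 16-byte header, one plausible container (0x50),
# one false positive (magic followed by 'Z'), and a magic cut off at EOF.
SAMPLE = (b"MZ" + b"\x00" * 14 + b"\x1bLua\x50" + b"\x00" * 8
          + b"text \x1bLuaZ" + b"\x1bLua")

if __name__ == "__main__":
    for hit in find_lua_bytecode(SAMPLE):
        print(f"offset=0x{hit.offset:04x} version={hit.version}")
```

Hits with a version of None still deserve a look in a hex viewer, since a modified engine can change the version byte.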