Cybersecurity researchers at SentinelOne have uncovered a previously undocumented cyber sabotage framework dating back to 2005, known as 'fast16.'
According to a report from SentinelOne Labs, the framework was designed to selectively target high-precision calculation software. The malware patches code in memory to tamper with results, so that calculations across an entire facility quietly come out wrong rather than failing outright.
The discovery reveals that this sabotage operation predates the infamous Stuxnet attack by at least five years. The investigation also found that the use of an embedded, customized Lua virtual machine in fast16 predates the earliest known Flame malware samples by three years.
Researchers identified the framework through an architectural investigation into modern attack patterns. They discovered a 2005-era service binary, svcmgmt.exe, which used an embedded Lua 5.0 virtual machine and an encrypted bytecode container.
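Finding an embedded Lua 5.0 runtime in a binary like svcmgmt.exe is a triage question analysts can answer without the original report. The scanner below is an added example, not SentinelOne's tooling, and the sample "binary" it inspects is constructed here. It looks for two things: the Lua 5.0 precompiled-chunk header (the "\x1bLua" signature, version byte 0x50, and the field sizes and test number that Lua 5.0's ldump.c writes), and a handful of strings the interpreter itself carries. The set of marker strings is an assumption about a typical statically linked Lua 5.0; the header layout is the real 5.0 format. The example also shows why both checks matter: when the bytecode sits in an encrypted container, as the article describes, the header is invisible on disk and only the interpreter strings give the runtime away, while the same header becomes visible once the chunk is decrypted (for instance in a memory dump).

```python
"""Triage helper: does this binary embed a Lua 5.0 runtime or Lua 5.0 bytecode?"""
import struct

# Lua 5.0 precompiled-chunk header, as written by ldump.c in Lua 5.0:
#   "\x1bLua" | 0x50 | endianness (1 = little) | sizeof(int) | sizeof(size_t)
#   | sizeof(Instruction) | SIZE_OP | SIZE_A | SIZE_B | SIZE_C
#   | sizeof(lua_Number) | TEST_NUMBER (3.14159265358979323846e7)
LUA_SIGNATURE = b"\x1bLua"
LUA50_VERSION = 0x50
LUA50_TEST_NUMBER = 3.14159265358979323846e7
HEADER_FIXED_LEN = 14  # bytes before the test number

# Strings a statically linked Lua 5.0 interpreter carries regardless of whether
# the chunks it loads are stored encrypted (assumed typical set, not from the report).
INTERPRETER_MARKERS = (
    b"Lua 5.0",
    b"Tecgraf, PUC-Rio",
    b"attempt to %s a %s value",
    b"luaopen_",
)


def parse_lua50_header(buf, off):
    """Parse a candidate Lua chunk header at buf[off:].

    Returns None if no signature is there, otherwise a dict whose 'valid'
    flag says whether the fields are self-consistent for Lua 5.0.
    """
    if buf[off:off + 4] != LUA_SIGNATURE or len(buf) < off + 5:
        return None
    version = buf[off + 4]
    info = {"offset": off, "version": version, "valid": False}
    if version != LUA50_VERSION or len(buf) < off + HEADER_FIXED_LEN:
        return info
    endian = buf[off + 5]
    size_instr = buf[off + 8]
    op, a, b, c = buf[off + 9:off + 13]
    size_number = buf[off + 13]
    num_off = off + HEADER_FIXED_LEN
    if size_number not in (4, 8) or len(buf) < num_off + size_number:
        return info
    fmt = ("<" if endian == 1 else ">") + ("d" if size_number == 8 else "f")
    (test,) = struct.unpack_from(fmt, buf, num_off)
    info.update(endian=endian, size_int=buf[off + 6], size_sizet=buf[off + 7],
                size_instr=size_instr, size_number=size_number, test=test)
    # Field widths must fill the instruction word and the test number must
    # round-trip (loose tolerance so a 4-byte lua_Number still passes).
    info["valid"] = (op + a + b + c == size_instr * 8
                     and abs(test - LUA50_TEST_NUMBER) < 8.0)
    return info


def scan_for_lua50(buf):
    """Return (chunk headers found at any version, interpreter strings found)."""
    headers = []
    off = buf.find(LUA_SIGNATURE)
    while off != -1:
        h = parse_lua50_header(buf, off)
        if h is not None:
            headers.append(h)
        off = buf.find(LUA_SIGNATURE, off + 1)
    markers = [m for m in INTERPRETER_MARKERS if m in buf]
    return headers, markers


def make_lua50_header(little_endian=True):
    """Build a textbook Lua 5.0 header for a 32-bit build with 8-byte doubles."""
    endian = "<" if little_endian else ">"
    sizes = bytes([LUA50_VERSION, 1 if little_endian else 0, 4, 4, 4, 6, 8, 9, 9, 8])
    return LUA_SIGNATURE + sizes + struct.pack(endian + "d", LUA50_TEST_NUMBER)


# Constructed sample "binary": a PE-like stub, interpreter strings, one genuine
# Lua 5.0 chunk header, one Lua 5.1 header that must not be reported as 5.0,
# and one Lua 5.0 header XOR-"encrypted" with a toy key, which the scan must miss.
LUA51_HEADER = b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"
TOY_KEY = 0x5A
ENCRYPTED_CHUNK = bytes(x ^ TOY_KEY for x in make_lua50_header())
SAMPLE_BINARY = (b"MZ" + b"\x00" * 62
                 + b"Lua 5.0  Copyright (C) 1994-2003 Tecgraf, PUC-Rio\x00"
                 + b"attempt to %s a %s value\x00luaopen_base\x00" + b"\x90" * 16
                 + make_lua50_header() + b"\x00" * 8
                 + LUA51_HEADER + b"\x00" * 8
                 + ENCRYPTED_CHUNK + b"\x00" * 8)

if __name__ == "__main__":
    hdrs, marks = scan_for_lua50(SAMPLE_BINARY)
    for h in hdrs:
        print(f"chunk header at 0x{h['offset']:x}: version 0x{h['version']:x}, valid={h['valid']}")
    print("interpreter strings:", [m.decode() for m in marks])
    decrypted, _ = scan_for_lua50(bytes(x ^ TOY_KEY for x in ENCRYPTED_CHUNK))
    print("encrypted chunk recognised only after decryption:", decrypted[0]["valid"])
```

Run against a real file by replacing SAMPLE_BINARY with the file's bytes. A hit on the interpreter strings with no valid header is exactly the profile an encrypted-container design produces on disk, and is a cue to look at a process memory dump instead.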
A link to the ShadowBrokers leak
The investigation uncovered a direct connection between the fast16 framework and the notorious ShadowBrokers leak. The name 'fast16' appears in the leaked NSA 'Territorial Dispute' components.
SentinelOne researchers noted that the leak's signature entry for fast16 told operators to stand down rather than investigate; the string reads “fast16Nothing to see here – carry on”.
The researchers traced the binary to a kernel driver named fast16.sys. The driver targets costly, high-precision computing workloads, including research in advanced physics, cryptography, and nuclear science.
By combining the payload with self-propagation mechanisms, the attackers could ensure consistent, undetected errors in critical scientific data. The discovery suggests that highly sophisticated sabotage capabilities have been operational for nearly two decades.