Pre-Stuxnet fast16 malware corrupted nuclear test simulations

Broadcom-owned Symantec and Carbon Black analyzed the Lua-based fast16 malware and concluded it was built to corrupt simulations used in nuclear weapons testing. The teams found the code targeted LS-DYNA and AUTODYN and intervened only when simulated material density rose above 30 g/cm³, a level associated with uranium under shock compression.

Fast16 worked by inserting hooks into specific calculation routines inside the simulation programs. The malware contained 101 tampering rules organized into nine to ten groups. Those rules focused on full-scale transient blast and detonation runs and altered mathematical outputs for implosion-style tests.

Symantec and Carbon Black outlined three attack strategies embedded in the hooks. The code checked the simulated density value and modified results only when the threshold was exceeded, producing incorrect outputs for high-explosive detonation runs.

The teams found the hooks matched different software builds and versions, indicating the operators tracked updates and added compatibility for older releases. Earlier analysis by another cybersecurity firm identified three probable patched binaries, and Symantec’s follow-up confirmed LS-DYNA and AUTODYN as targets.

Fast16 included features to broaden its impact and reduce detection. It propagated automatically to other machines on the same network so multiple workstations running the simulations would yield the same corrupted results. It also avoided infecting systems that had certain security products installed.

Evidence linking fast16 to earlier activity includes a reference to the string “fast16” in a text file leaked by The Shadow Brokers in 2017. Analysts reported components of the framework may date to about 2005, roughly two years before the earliest known sample of Stuxnet.

Symantec and Carbon Black wrote, “Fast16’s hook engine is selectively interested in high-explosive simulations inside LS-DYNA and AUTODYN. The malware checks for the density of the material being simulated and only acts when that value passes 30 g/cm³, the threshold uranium can only be reached under the shock compression of an implosion device.”

Symantec technical director Vikram Thakur described the level of expertise required to design the tool in 2005 as “mind‑blowing.” The analysts said the framework shares conceptual similarities with earlier malware that targeted specific physical processes rather than just vendor software.

Researchers did not identify specific real-world attacks using fast16, and they do not know whether a modern variant exists in the wild.