Cybersecurity researchers have found a brand new Lua-based malware created years earlier than the infamous Stuxnet worm that aimed to sabotage Iran’s nuclear program by destroying uranium enrichment centrifuges.
In keeping with a brand new report printed by SentinelOne, the beforehand undocumented cyber sabotage framework dates again to 2005, primarily concentrating on high-precision calculation software program to tamper with outcomes. It has been codenamed fast16.
“By combining this payload with self-propagation mechanisms, the attackers intention to supply equal inaccurate calculations throughout a whole facility,” researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade mentioned in an exhaustive report printed this week.
Fast16 is estimated to predate Stuxnet – the world’s first identified digital weapon designed for disruptive actions – by not less than 5 years. Whereas Stuxnet is broadly attributed to the U.S. and Israel and later served because the architectural basis for the Duqu information-stealing rootkit, fast16 seems to have emerged a lot earlier.
It additionally precedes the earliest identified samples of Flame (aka Flamer and Skywiper), one other subtle malware that was found in Might 2012 incorporating a Lua digital machine to understand its targets. The invention makes fast16 the primary pressure of Home windows malware to embed a Lua engine.
SentinelOne mentioned it made the invention after it recognized an artifact named “svcmgmt.exe” that, at first blush, seemed to be a generic console‑mode service wrapper. The pattern has a file creation timestamp of August 30, 2005, per VirusTotal, to which it was uploaded greater than a decade in a while October 8, 2016.
Nevertheless, a deeper investigation has revealed an embedded Lua 5.0 digital machine and an encrypted bytecode container, together with numerous different modules that bind straight into Home windows NT file system, registry, service management, and community APIs.
The implant’s core logic resides within the Lua bytecode, with the binary additionally referencing a kernel driver (“fast16.sys“) by way of a PDB path – a file with a creation date of July 19, 2005 – that is chargeable for intercepting and modifying executable code because it’s learn from disk. That mentioned, it is price noting that the driving force won’t run on programs with Home windows 7 or later.
In what’s a discovering that might give a sign of the device’s origins, SentinelOne mentioned it uncovered a reference to the string “fast16” in a textual content file known as “drv_list.txt” that included an inventory of drivers designed to be used in superior persistent menace (APT) assaults. The almost 250KB file was leaked by a mysterious hacking group 9 years in the past.
In 2016 and 2017, the collective – calling itself The Shadow Brokers – printed huge troves of knowledge allegedly stolen from the Equation Group, a complicated persistent menace group with suspected ties to the U.S. Nationwide Safety Company (NSA). This included a bevy of hacking instruments and exploits underneath the nickname “Misplaced in Translation.” The textual content file was one in all them.
“The string inside svcmgmt.exe offered the important thing forensic hyperlink on this investigation,” SentinelOne mentioned. “The PDB path connects the 2017 leak of deconfliction signatures utilized by NSA operators with a multi-modal Lua‑powered ‘service’ module compiled in 2005, and finally its stealthy payload: a kernel driver designed for precision sabotage.”
“Svcmgmt.exe” has been described as a “extremely adaptable service module” that may alter its habits primarily based on the command-line arguments handed to it, enabling it to run as a Home windows service or execute Lua code. It comes with three distinct payloads: Lua bytecode to deal with configuration and propagation and coordination logic, an auxiliary ConnotifyDLL (“svcmgmt.dll“), and the “fast16.sys” kernel driver.
Particularly, it is designed to parse the configuration, escalate itself as a service, optionally deploy the kernel implant, and launch a Service Management Supervisor (SCM) wormlet that scans for community servers and propagates the malware to different Home windows 2000/XP environments with weak or default credentials.
An vital facet price mentioning right here is that the propagation solely happens when it is manually pressured, or frequent safety merchandise aren’t discovered on the system by scanning the Home windows Registry database for related registry keys. A number of the safety instruments it explicitly checks belong to Agnitum, F-Safe, Kaspersky, McAfee, Microsoft, Symantec, Sygate Applied sciences, and Pattern Micro.
The presence of Sygate Applied sciences is one other indicator that the pattern was developed within the mid-2000s, as the corporate was acquired by Symantec (now a part of Broadcom) in August 2005, and gross sales and assist for its merchandise had been formally discontinued by November.
“For tooling of this age, that degree of environmental consciousness is notable,” SentinelOne mentioned. “Whereas the record of merchandise might not appear complete, it probably displays the merchandise the operators anticipated to be current of their goal networks whose detection expertise would threaten the stealthiness of a covert operation.”
The ConnotifyDLL, alternatively, is invoked every time the system establishes a brand new community connection utilizing the Distant Entry Service (RAS), and writes the distant and native connection names to a named pipe (“.pipep577”).
Nevertheless, it is the driving force that is chargeable for the precision sabotage, concentrating on executables compiled with the Intel C/C++ compiler to carry out rule-based patching and hijack execution move by way of malicious code injections. One such block is able to corrupting mathematical calculations, particularly going after instruments utilized in civil engineering, physics, and bodily course of simulations.
“By introducing small however systematic errors into bodily‑world calculations, the framework may undermine or gradual scientific analysis packages, degrade engineered programs over time, and even contribute to catastrophic harm,” SentinelOne defined.
“By separating a comparatively secure execution wrapper from encrypted, task-specific payloads, the builders created a reusable, compartmentalized framework that they may adapt to completely different goal environments and operational aims whereas leaving the outer service binary largely unchanged throughout campaigns.”
Primarily based on an evaluation of the 101 guidelines outlined within the patching engine and matching them towards software program used within the mid-2000s, it is assessed that three high-precision engineering and simulation suites might have been the targets: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform.
LS-DYNA, now a part of the Ansys Suite, is a general-purpose multi physics simulation software program package deal that is used for simulating crashes, impacts, and explosions. In September 2024, the Institute for Science and Worldwide Safety (ISIS) launched a report detailing Iran’s probably use of pc modeling software program like LS-DYNA associated to nuclear weapons growth primarily based on an examination of 157 tutorial publications present in open-source scientific and engineering literature.
This chain of proof assumes significance contemplating Iran’s nuclear program is claimed to have suffered substantial harm after its uranium enrichment facility in Natanz was focused by the Stuxnet worm in June 2010. What’s extra, Symantec revealed in February 2013 an earlier model of Scholar that was used to assault Iran’s nuclear program in November 2007, with proof indicating it was underneath growth as early as November 2005.
“Stuxnet 0.5 is the oldest identified Stuxnet model to be analyzed,” Symantec famous on the time. “Stuxnet 0.5 comprises an alternate assault technique, closing valves inside the uranium enrichment facility at Natanz, Iran, which might have triggered severe harm to the centrifuges and uranium enrichment system as a complete.”
Taken collectively, the newest discovering “forces a re‑analysis” of the historic timeline of growth for clandestine cyber sabotage operations, SentinelOne mentioned, including it exhibits state-backed cyber sabotage tooling towards bodily targets had been absolutely developed and deployed by the mid‑2000s.
“Within the broader image of APT evolution, fast16 bridges the hole between early, largely invisible growth packages and later, extra broadly documented Lua‑ and LuaJIT‑primarily based toolkits,” the researchers concluded. “It’s a reference level for understanding how superior actors take into consideration lengthy‑time period implants, sabotage, and a state’s capacity to reshape the bodily world by way of software program. fast16 was the silent harbinger of a brand new type of statecraft, profitable in its covertness till in the present day.”
