A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations.
According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations that are central to nuclear weapon design.
“Fast16’s hook engine is selectively interested in high-explosive simulations inside LS-DYNA and AUTODYN,” the Threat Hunter Team said. “The malware checks for the density of the material being simulated and only acts when that value passes 30 g/cm³, the threshold uranium can only be reached under the shock compression of an implosion device.
The development comes weeks after SentinelOne presented an analysis of fast16, describing it as the first sabotage framework whose components may have developed as early as 2005, predating the earliest known version of Stuxnet (aka Stuxnet 0.5) by two years.
Evidence unearthed by the cybersecurity company included a reference to the string “fast16” in a text file that was leaked by an anonymous hacking group called The Shadow Brokers in 2017. The file was part of a huge tranche of hacking tools and exploits allegedly used by the Equation Group, a state-sponsored threat actor with suspected ties to the U.S. National Security Agency (NSA).
At its core, the industrial sabotage malware features a set of 101 rules to tamper with mathematical calculations carried out by certain engineering and simulation programs that were prevalent at the time. Although the exact binaries that are patched by the malware is unclear, SentinelOne identified three probable candidates: LS-DYNA version 970, Practical Structural Design and Construction Software (PKPM), and Modelo Hidrodinâmico (MOHID).
Symantec’s latest analysis has now confirmed that LS-DYNA and AUTODYN are the two applications targeted by fast16, adding it was designed explicitly to interfere with simulations of high-explosive detonations, almost certainly to facilitate sabotage against nuclear weapons research.
“Both are software applications used to simulate real-world problems such as vehicle crashworthiness, material modelling, and explosive simulation,” Symantec and Carbon Black said. “The hooks fast16 places inside of the simulation program consist of three attack strategies. The tampering only activates during full-scale transient blast and detonation runs.”
The 101 hook rules can be categorized further into 9-10 hook groups, each targeting different builds of LS-DYNA or AUTODYN, suggesting that the developers of the malware were keeping track of software updates and adding support for different versions over time. This points to a methodical and sustained operation.
“If hook rule groups were added sequentially as needed, we see a hook group added for a previous version of the software after a newer version,” researchers explained.
“One may imagine, the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
