How a Pre‑2005 Cyber Weapon Could Sabotage High‑Precision Scientific Software
Researchers uncovered fast16, a pre‑2005 network weapon that silently injects minute errors into high‑precision mathematical calculations, targeting engineering and scientific software such as LS‑DYNA, PKPM, and MOHID, and raising concerns about state‑level cyber sabotage predating Stuxnet.
Researchers discovered a network weapon dubbed fast16, developed before 2005, capable of injecting subtle systematic errors into high‑precision mathematical calculations, thereby degrading scientific and engineering software.
SentinelOne analysts, led by Vitaly Kamluk, explain that fast16 predates Stuxnet by at least five years and represents the earliest known malware designed to corrupt high‑cost, high‑precision workloads of national importance, such as advanced physics, cryptography, and nuclear research.
The weapon was uncovered accidentally while tracing the earliest Windows malware that embedded a Lua virtual machine. Prior observations of Lua use in complex malware (Flame, Flame 2.0, PlexingEagle, Project Sauron) guided the search.
Code analysis shows components dating to 2005, making fast16 the first Lua‑based worm targeting high‑precision computation software. Its name appears in the 2016 ShadowBrokers leak of NSA weapon documents, though attribution remains unclear.
Fast16’s payload introduces minute systematic errors that are virtually invisible unless results are re‑computed on a clean system. It spreads like a “cluster bomb”, deploying multiple wormlets that exploit vulnerabilities to reach many machines.
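The re-computation check mentioned above can be sketched as follows. This is an added example, not code from SentinelOne or the original article: it compares a production result vector with the same job re-run on a trusted host and separates last-bit rounding noise from one-sided drift. The tolerance, the thresholds, and the skewed sample (a constructed stand-in, not fast16's actual modification) are assumptions.

```python
import math

def compare_runs(suspect, reference, rel_tol=1e-12):
    """Compare a production result vector with a recomputation on a trusted host.

    Returns the largest relative deviation, the share of values outside
    rel_tol, and the sign bias of those outliers (1.0 = all in one direction).
    """
    if not reference or len(suspect) != len(reference):
        raise ValueError("result vectors must be non-empty and equal in length")
    worst, signs = 0.0, []
    for s, r in zip(suspect, reference):
        scale = max(abs(s), abs(r))
        if scale == 0.0:
            continue  # both values are exactly zero: nothing to compare
        rel = (s - r) / scale
        worst = max(worst, abs(rel))
        if abs(rel) > rel_tol:
            signs.append(1 if rel > 0 else -1)
    outliers = len(signs) / len(reference)
    bias = abs(sum(signs)) / len(signs) if signs else 0.0
    return {"max_rel": worst, "outlier_share": outliers, "sign_bias": bias}

def verdict(stats, share_limit=0.01, bias_limit=0.9):
    """Classify as 'match', 'divergent' (scattered) or 'systematic' (one-sided)."""
    if stats["outlier_share"] <= share_limit:
        return "match"
    return "systematic" if stats["sign_bias"] >= bias_limit else "divergent"

# Constructed sample data (not taken from any real solver output).
REFERENCE = [2000.0 + 1000.0 * math.sin(0.1 * i) for i in range(200)]
# Benign rerun: last-bit rounding differences in alternating directions.
CLEAN_RERUN = [math.nextafter(x, math.inf if i % 2 else -math.inf)
               for i, x in enumerate(REFERENCE)]
# Constructed tampering model: every value scaled up by one part in 10^7.
SKEWED_RUN = [x * (1.0 + 1e-7) for x in REFERENCE]

if __name__ == "__main__":
    for name, run in (("clean rerun", CLEAN_RERUN), ("skewed run", SKEWED_RUN)):
        stats = compare_runs(run, REFERENCE)
        print(f"{name}: {verdict(stats)} {stats}")
```

A relative tolerance has to be chosen per solver, since legitimate reruns on different hardware or compiler settings can differ by more than one rounding step.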
The researchers identified three likely target suites: LS‑DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for crash testing, structural analysis, and environmental modeling. Reports suggest Iran used LS‑DYNA in nuclear‑related modeling, implying possible pre‑Stuxnet interest.
While it is unknown whether any nation‑state has deployed fast16, the authors argue that modifying high‑precision simulation software exceeds ordinary developer capabilities and likely requires deep domain expertise, pointing to a state‑level actor.
Fast16 runs only on single‑processor Windows XP systems, environments now largely obsolete, which limits its effectiveness today. Nevertheless, the underlying attack vector—subtle corruption of high‑precision calculations—remains relevant for modern domains such as financial trading, AI model training, and simulation software.
SentinelOne has released detection rules for legacy systems and archives, and emphasizes that uncovering fast16 highlights a novel class of cyber‑destructive techniques.
Source: 安全内参 (darkreading.com)
