Newly Deciphered Malware Targeted Iran’s Nuclear Program Before Stuxnet

Summary
– A 2005 malware specimen called Fast16, reverse-engineered by SentinelOne researchers, represents a subtle form of cybersabotage that manipulates high-precision simulation software to cause failures.
– Fast16 can silently alter calculations in engineering and research applications, potentially leading to faulty research results or catastrophic equipment damage.
– The malware was likely created by the U.S. government or an ally and may have been used in Iran before the Stuxnet attack.
– Fast16 was designed to target specific simulation software, including LS-DYNA, which Iranian scientists used for nuclear weapons research.
– The malware may have been an early predecessor to the Olympic Games program, which deployed Stuxnet to sabotage Iran’s nuclear centrifuges.

In the long and shadowy history of state-sponsored hacking, cyber operations designed for sabotage have ranged from crude “wiper” attacks that obliterate data to the legendary Stuxnet, a precision weapon deployed by the US and Israel in 2007 to secretly destroy Iran’s nuclear centrifuges. Now, cybersecurity researchers have uncovered an earlier chapter in that evolution: a 21-year-old malware specimen capable of subtly tampering with engineering software, potentially used against Iran before Stuxnet ever existed.
On Thursday, Vitaly Kamluk and Juan Andrés Guerrero-Saade, researchers from the cybersecurity firm SentinelOne, announced a major breakthrough in understanding a mysterious piece of malware known as Fast16. Its purpose had baffled experts since its existence was first revealed in an NSA leak in 2017. After painstaking reverse-engineering, the researchers now believe Fast16 dates back to 2005 and was likely created by the US government or one of its allies.
The SentinelOne team has determined that Fast16 was designed to execute the most subtle form of sabotage ever seen in a live malware tool. It spreads automatically across networks, then silently manipulates computational processes in software used for high-precision mathematical calculations and physical simulations. By altering the results of these programs, Fast16 can cause failures ranging from flawed research conclusions to catastrophic damage to real-world equipment.
“It focuses on making slight alterations to these calculations so that they lead to failures, very subtle ones, perhaps not immediately apparent. Systems might wear out faster, collapse, or crash, and scientific research could yield incorrect conclusions, potentially causing serious harm,” Kamluk explains. He and Guerrero-Saade will present their findings at the Black Hat Asia cybersecurity conference in Singapore. “It is a nightmare, to be honest.”
In their analysis, the researchers identified three types of physical simulation software that Fast16 may have been designed to target: MOHID (Modelo Hidrodinâmico), a Portuguese water systems modeling tool; PKPM, Chinese construction engineering software; and, most significantly, LS-DYNA, an application originally developed by scientists from the US Lawrence Livermore National Laboratory. LS-DYNA is used to model everything from bird strikes on airplanes to the tensile strength of crane components.
Kamluk and Guerrero-Saade point to compelling evidence that LS-DYNA was also used by Iranian scientists conducting research possibly linked to Iran’s nuclear weapons program, according to the Institute for Science and International Security. The institute noted that LS-DYNA can model physics problems critical to nuclear weapons development, such as the interaction of metals in a nuclear device or the effects on a warhead of a ballistic missile reentering Earth’s atmosphere.
This suggests that Fast16 may have been deployed in the mid-2000s to covertly sabotage Iran’s nuclear ambitions, years before Stuxnet took a more direct approach. It could have been part of the same joint US-Israeli operation known as Olympic Games, carried out by the NSA and Israel’s Unit 8200.
“It’s not beyond the pale that what we’re looking at is an early predecessor to Olympic Games. It fits the bill, right?” says Guerrero-Saade. “We want to be good, objective researchers, but this is really not a stretch.”
(Source: Wired)




