SentinelOne Uncovers Fast16: A 2005 Sabotage Malware That Predates Stuxnet
Researchers at SentinelOne have identified Fast16, a previously unknown malware family from 2005 designed to sabotage Iran's nuclear program, making it the earliest known state-backed cyber-sabotage operation, predating Stuxnet by five years.

Security researchers at SentinelOne have uncovered a previously unknown malware family, dubbed Fast16, that dates back to 2005 and was purpose-built to disrupt Iran's nuclear program. This discovery pushes back the timeline of state-sponsored cyber-sabotage by at least five years, predating the infamous Stuxnet worm that was discovered in 2010. The findings were detailed in a blog post by SentinelOne researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade, who set out to determine whether any malware featuring an embedded Lua virtual machine existed before later state-backed efforts like Flame and Project Sauron.
The sample is a Windows service binary, "svcmgmt.exe", that carries an embedded Lua 5.0 VM and references a kernel driver, "fast16.sys". According to the researchers, "This kernel driver is a boot-start filesystem component that intercepts and modifies executable code as it's read from disk." The driver is too old to load on Windows 7 or later, but for its time it was highly sophisticated: from its position in the storage stack it controlled filesystem I/O and performed rule-based patching of code as applications read it. One practical consequence of that design is that the bytes on disk are never altered, only what is handed back to the reader, so an integrity check run from the infected system itself may see the same patched bytes, and a trustworthy comparison needs an out-of-band read such as an offline disk image. The researchers describe Fast16 as the first recorded Lua-based network worm; it targeted Windows 2000 and XP systems and spread by exploiting default or weak administrator passwords on file shares.
What set Fast16 apart from other worms of its era was its mission specificity. SentinelOne described the carrier as "designed to act like cluster munition in software form, able to carry multiple wormable payloads, referred to internally as 'wormlets'." The malware would only activate after verifying that the targeted environment was not running specific security software, a level of environmental awareness that the researchers noted was remarkable for tooling of that age. This careful targeting suggests the operators had detailed knowledge of their intended victims' networks.
The end goal of Fast16 was to sabotage the output of high-precision engineering and simulation suites of the mid-2000s, specifically LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform. These tools were used for crash testing, structural analysis, and environmental modeling, and LS-DYNA is believed to have been in use in Iran. Rather than crashing the software, the read-time code patching altered the numerical routines so that they produced plausible but wrong results. "By introducing small but systematic errors into physical-world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time or even contribute to catastrophic damage," the report claimed.
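To make the mechanism described above concrete, the following Python is an added illustration written for this page; it is not SentinelOne's analysis and contains no Fast16 code. It models a filter in the read path that applies same-length byte-substitution rules to executable data as it streams past in read-sized chunks (including a pattern that straddles two reads, which a real storage-stack filter must handle), shows how a biased physical constant and an inverted branch reach the application while the on-disk bytes stay intact, and includes the defender-side check this design calls for: a hash comparison against a value obtained out of band. The sample "binary", the two rules, the constants and the x86 byte sequences are constructed for the example.

```python
"""Model of a read-path code patcher of the kind attributed to fast16.sys.

Constructed illustration: the rules, the sample 'binary' and the byte
sequences below are made up for the example and are not Fast16 artifacts.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple


@dataclass(frozen=True)
class PatchRule:
    """One rewrite rule: a same-length byte substitution applied in place."""
    name: str
    pattern: bytes
    replacement: bytes

    def __post_init__(self) -> None:
        if len(self.pattern) != len(self.replacement):
            raise ValueError("read-path patching cannot change the file length")
        if self.pattern == self.replacement:
            raise ValueError("rule would be a no-op")


class ReadPatchingFilter:
    """Sits in the read path: data arrives in read-sized chunks and is rewritten
    before it reaches the caller, while the bytes on disk stay untouched.
    A pattern may straddle two reads, so a tail of each chunk is carried over."""

    def __init__(self, rules: Iterable[PatchRule]) -> None:
        self.rules: List[PatchRule] = list(rules)
        self.hits: Dict[str, int] = {r.name: 0 for r in self.rules}
        self._hold = max(len(r.pattern) for r in self.rules) - 1

    def _apply(self, buf: bytes) -> bytes:
        for rule in self.rules:
            n = buf.count(rule.pattern)
            if n:
                self.hits[rule.name] += n
                buf = buf.replace(rule.pattern, rule.replacement)
        return buf

    def filter(self, chunks: Iterable[bytes]) -> Iterator[bytes]:
        carry = b""
        for chunk in chunks:
            buf = self._apply(carry + chunk)
            # Keep the last (longest pattern - 1) bytes back: they may be the
            # head of a pattern whose tail arrives with the next read.
            cut = max(len(buf) - self._hold, 0)
            if cut:
                yield buf[:cut]
            carry = buf[cut:]
        if carry:
            yield carry


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    for i in range(0, len(data), size):
        yield data[i:i + size]


# Constructed stand-in for a solver binary: NOP padding, a double constant
# (standard gravity) at offset 60, more padding, then a compare-and-branch.
G_TRUE = 9.80665
G_PATCHED = 9.79685                           # ~0.1 % low: small but systematic
CMP_JZ = bytes.fromhex("660f2ec1" "7405")     # ucomisd xmm0,xmm1 ; jz +5
CMP_JNZ = bytes.fromhex("660f2ec1" "7505")    # same compare, branch inverted
SAMPLE_BINARY = (b"\x90" * 60 + struct.pack("<d", G_TRUE)
                 + b"\x90" * 20 + CMP_JZ + b"\x90" * 20)

RULES = [
    PatchRule("bias_gravity", struct.pack("<d", G_TRUE), struct.pack("<d", G_PATCHED)),
    PatchRule("invert_branch", CMP_JZ, CMP_JNZ),
]


def read_through_filter(data: bytes, chunk_size: int) -> Tuple[bytes, Dict[str, int]]:
    """What an application sees when it reads `data` through the filter."""
    flt = ReadPatchingFilter(RULES)
    return b"".join(flt.filter(chunked(data, chunk_size))), flt.hits


def constant_at(data: bytes, offset: int) -> float:
    return struct.unpack_from("<d", data, offset)[0]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_mismatch(known_good_sha256: str, observed: bytes) -> bool:
    """Defender-side check: the reference hash must come from an out-of-band
    read (offline image, known-good media); a hash taken through the same
    tampered read path would simply match the tampered bytes."""
    return sha256_hex(observed) != known_good_sha256


if __name__ == "__main__":
    seen, hits = read_through_filter(SAMPLE_BINARY, chunk_size=64)  # constant straddles 64
    print("on disk:", constant_at(SAMPLE_BINARY, 60), "as read:", constant_at(seen, 60))
    print("rule hits:", hits)
    print("tampering detected:", integrity_mismatch(sha256_hex(SAMPLE_BINARY), seen))
```

The chunk size of 64 is chosen so the eight-byte constant at offset 60 is split across two reads; the output is identical for any chunk size because of the carry buffer, which is the property a real filter needs since it does not control how large the application's reads are. The integrity check is only meaningful when the reference hash was not itself taken through the suspect read path.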
Attribution points to US offensive cyber operations: the malware was referenced in the infamous Shadow Brokers leak of NSA hacking tools. That connection places Fast16 in the same ecosystem that produced Stuxnet and suggests a sustained campaign of cyber-sabotage against Iran's nuclear program that began years earlier than previously known. SentinelOne emphasized that Fast16 "is a reference point for understanding how advanced actors think about long-term implants, sabotage, and a state's ability to reshape the physical world through software."
The discovery of Fast16 reshapes the historical narrative of state-sponsored cyber warfare, demonstrating that sophisticated sabotage operations were underway as early as 2005. It highlights the long-term strategic thinking of advanced threat actors and the evolution of cyber weapons from simple worms to complex, targeted tools capable of causing physical-world effects. As researchers continue to uncover artifacts from this era, the full scope of early cyber-sabotage campaigns may yet be revealed.