Newly Decrypted Disruptive Malware May Have Targeted Iran’s Nuclear Program — and Predates Stuxnet Virus

Instead, Kamluk saw it as a self-propagating piece of code with entirely different intentions. Using what the code itself calls a “wormlet” function, Fast16 was designed to copy itself to other computers on the network via Windows’ network sharing feature. On each machine it reaches, it checks for a list of security applications and, if none is present, installs the Fast16.sys kernel driver on the target device.

The kernel driver then reads application code as it is loaded into the computer’s memory, checking it against a long list of specific patterns – “rules” that let it recognise when the target application is running. When the driver detects that target, it carries out its apparent goal: silently altering the calculations the program performs so that its results are imperceptibly corrupted.

“This actually had a very large payload inside it, and almost everyone who looked at it before missed it,” says Costin Raiu, a researcher at the security consulting firm TLP:Black, who previously led the team that included Kamluk and Guerrero-Saade at the Russian security firm Kaspersky, which did early work analyzing Stuxnet and related malware. “This is designed to be a long-term, very subtle sabotage that will probably be very difficult to notice.”

While searching for programs that met Fast16’s “rules” criteria for an intended sabotage target, Kamluk and Guerrero-Saade found their three candidates: the MOHID, PKPM, and LS-DYNA programs. As for the “wormlet” feature, they believe the propagation mechanism was designed so that when a victim double-checks calculations or simulation results on a different computer in the same lab, that machine will also confirm the wrong result, making the deception more difficult to detect or understand.

Among other cyber sabotage operations, Stuxnet is the only one that comes close to falling into the same category as Fast16, Guerrero-Saade says. The malware’s sophistication also places it in the Stuxnet world of high-priority, high-resource state-sponsored hacking. “There are few scenarios where you go through this kind of development effort for a covert operation,” Guerrero-Saade says. “Someone developed a model in order to slow down, damage, or eliminate a process that he considered to be critically important.”

Iran hypothesis

All of this fits with the hypothesis that Fast16, like the Stuxnet virus, may have been intended to disrupt Iran’s ambitions to build a nuclear weapon. TLP:Black’s Raiu sees Iranian targeting not merely as a possibility but as the most likely explanation: a “medium to high confidence” theory that Fast16 was “designed as a cyberattack package” aimed at Iran’s AMAD nuclear project, a plan conceived by Ayatollah Khamenei’s regime in the early 2000s to acquire nuclear weapons.

“This is another dimension to cyber attacks, another way to wage this cyber war against the Iranian nuclear program,” Raiu says.

In fact, Guerrero-Saade and Kamluk point to a research paper published by the Institute for Science and International Security, which compiled public evidence of Iranian scientists conducting research that could contribute to the development of a nuclear weapon. In many of those documented cases, the scientists’ research used the LS-DYNA program that Guerrero-Saade and Kamluk found to be a potential target for Fast16.

🕒 **Posted on**: 1777252850

🌟 **Want more?** Click here for more info! 🌟

By

Leave a Reply

Your email address will not be published. Required fields are marked *