fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet

What Happened

In 2005, a highly advanced cyber attack tool called fast16 was created to secretly alter the results of complex engineering and scientific calculations. It targeted older Windows systems running specialized simulation software used for things like crash testing and structural design. This matters because it shows that nation-state hackers were capable of subtly sabotaging physical-world projects years earlier than previously thought. Organizations should ensure legacy systems are isolated and monitor for unusual modifications to critical scientific software.

Key Takeaways

• fast16 is a 2005 cyber sabotage framework predating Stuxnet, designed to target high-precision calculation software.
• The framework utilizes an embedded Lua 5.0 virtual machine within a carrier executable (svcmgmt.exe) for modularity and propagation.
• The primary payload is a kernel driver (fast16.sys) that intercepts filesystem I/O to inject code into Intel-compiled executables.
• The injected code corrupts floating-point calculations to subtly alter outputs in engineering and simulation software (e.g., LS-DYNA, PKPM, MOHID).
• The malware includes environmental awareness, checking for specific security products via registry keys before installation.

Affected Systems

• Windows 2000
• Windows XP
• High-precision engineering and simulation software (e.g., LS-DYNA 970, PKPM, MOHID)
• Intel C/C++ compiled executables

Attack Chain

The attack begins with the execution of svcmgmt.exe, a carrier module containing an embedded Lua VM. It checks for the presence of specific security products via registry keys and aborts if found. If clear, it installs itself as a service and deploys the fast16.sys kernel driver, while also propagating to other machines via network shares using weak administrative credentials. The kernel driver loads at boot, intercepts filesystem I/O, and injects floating-point corruption code into Intel-compiled executables (specifically engineering software) to subtly sabotage calculations.

Detection Availability

• YARA Rules: Yes
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: YARA

The article provides YARA rules to detect the fast16 carrier, the kernel driver, the patch target software, and the specific patch code.

Detection Engineering Assessment

EDR Visibility: Medium — Modern EDRs would likely catch the service creation, driver loading, and network propagation, but the in-memory patching of specific engineering software by a kernel driver might evade some user-land hooks. Network Visibility: Low — The malware propagates via standard SMB/RPC network shares, which blends in with normal administrative traffic, though the specific named pipe \pipe\p577 might be visible in network telemetry if unencrypted. Detection Difficulty: Hard — The malware operates primarily in memory via a kernel driver, targets highly specific and uncommon engineering software, and actively evades environments with known security products.

Required Log Sources

• Windows System Event Log (Service Creation)
• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 12/13/14 (Registry Event)
• Sysmon Event ID 6 (Driver Loaded)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for the creation of a service named 'SvcMgmt' or services executing binaries with unusual command-line arguments like '-p', '-i', or '-r'.	Windows Event ID 7045 (Service Creation) or Sysmon Event ID 1	Persistence / Privilege Escalation	Medium
Search for the loading of unsigned or unexpected kernel drivers, particularly those exposing devices named '\Device\fast16'.	Sysmon Event ID 6 (Driver Loaded) or EDR driver load events	Persistence / Defense Evasion	Low
Monitor for processes querying a large number of specific legacy antivirus and firewall registry keys in rapid succession.	Sysmon Event ID 12 (Registry Object Create/Delete) or EDR registry telemetry	Defense Evasion	Medium

Control Gaps

• Lack of kernel-level memory integrity monitoring
• Weak administrative credentials on network shares

Key Behavioral Indicators

• Service creation with specific single-letter flags (-p, -i, -r)
• Querying of legacy AV registry keys
• Creation of named pipe \.\pipe\p577

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Scan legacy Windows 2000/XP environments for the provided YARA rules.
• Investigate any systems containing the fast16.sys driver or svcmgmt.exe binary.

Infrastructure Hardening

• Disable SMBv1 and enforce strong administrative passwords to prevent lateral movement via network shares.
• Implement network segmentation to isolate legacy systems running critical engineering software.

User Protection

• Ensure modern Endpoint Detection and Response (EDR) agents are deployed on all compatible systems.
• Restrict local administrative privileges to prevent unauthorized service creation and driver loading.

Security Awareness

• Educate engineering and scientific staff on the potential for targeted sabotage of simulation and calculation software.

MITRE ATT&CK Mapping

• T1059 - Command and Scripting Interpreter
• T1543.003 - Create or Modify System Process: Windows Service
• T1012 - Query Registry
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1055 - Process Injection
• T1565.001 - Data Manipulation: Stored Data Manipulation
• T1021.002 - Remote Services: SMB/Windows Admin Shares

Additional IOCs

• File Hashes:
  • 8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9 (SHA256) - Hash for clean fast16 patch target software.
  • 0ff6abe0252d4f37a196a1231fae5f26 (MD5) - Hash for fast16 patch code.
• Registry Keys:
  • HKLM\SOFTWARE\Symantec\InstalledApps - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\TrendMicro\PFW - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Zone Labs\TrueVector - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\F-Secure - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Network Ice\BlackIce - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\McAfee.com\Personal Firewall - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\ComputerAssociates\eTrust EZ Armor - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\RedCannon\Fireball - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Kerio\Personal Firewall 4 - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Hacker - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Tiny Software\Tiny Firewall - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Look n Stop 2.05p2 - Registry key checked by malware to evade detection.
  • HKCU\SOFTWARE\Soft4Ever - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Norman Data Defense Systems - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Agnitum\Outpost Firewall - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\Panda Software\Firewall - Registry key checked by malware to evade detection.
  • HKLM\SOFTWARE\InfoTeCS\TermiNET - Registry key checked by malware to evade detection.
• File Paths:
  • svcmgmt.dll - User-mode component providing a minimal reporting channel.
• Command Lines:
  • Purpose: Propagate/Install & Run | Tools: svcmgmt.exe | Stage: Execution / Persistence | svcmgmt.exe -p
  • Purpose: Install & Execute Lua | Tools: svcmgmt.exe | Stage: Execution / Persistence | svcmgmt.exe -i
  • Purpose: Execute Lua | Tools: svcmgmt.exe | Stage: Execution | svcmgmt.exe -r
• Other:
  • 1B 4C 75 61 - Lua magic bytes indicating compiled bytecode.
  • 0xA57C - Custom DeviceType value exposed by the fast16.sys driver.