Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet

Uncovering fast16: A Cyber Sabotage Framework 🚀

SentinelLABS has uncovered a previously undocumented cyber sabotage framework whose core components date back to 2005, tracked as fast16. This framework selectively targets high-precision calculation software, patching code in memory to tamper with results. By combining this payload with self-propagation mechanisms, the attackers aim to produce equivalent inaccurate calculations across an entire facility. This 2005 attack is a harbinger for sabotage operations targeting ultra-expensive high-precision computing workloads of national importance like advanced physics, cryptographic, and nuclear research workloads. Fast16 predates Stuxnet by at least five years and stands as the first operation of its kind.

The name ‘fast16’ is referenced in the infamous ShadowBrokers’ leak of NSA’s ‘Territorial Dispute’ components, with an evasion signature instructing operators: “fast16 ** Nothing to see here - carry on **”.

Investigation Insights 🔍

Our investigation into fast16 starts with an architectural hunch: a certain tier of apex threat actors has consistently relied on embedded scripting engines as a means of modularity. We wanted to determine whether that development style arose from a shared source, so we set out to trace the earliest sophisticated use of an embedded Lua engine in Windows malware. Hunting for these traits across mid-2000s malware collections surfaced a sample that initially looked unremarkable: svcmgmt.exe. A closer look reveals an embedded Lua 5.0 virtual machine and an encrypted bytecode container unpacked by the service entry point.

Key Findings 📊

The developers extended the Lua environment to include a wstring module for native Unicode handling, a built-in symmetric cipher exposed through a function commonly labelled b, and multiple modules that bind directly into Windows NT filesystem, registry, service control, and network APIs. The binary includes a crucial detail: a PDB path that links the binary to the kernel driver fast16.sys.

Buried in the binary’s strings is a PDB reference: C:\buildy\driver\fd\i386\fast16.pdb. Following that clue led us to a second binary, fast16.sys. This kernel driver is a boot-start filesystem component that intercepts and modifies executable code as it’s read from disk. For its time, fast16.sys was a cut above commodity rootkits thanks to its position in the storage stack, control over filesystem I/O, and rule-based code patching functionality.

In April 2017, almost 12 years after the compilation timestamp, the same filename, “fast16” appeared in the ShadowBrokers leak. Dr. Boldizsár Bencsáth’s research into Territorial Dispute points to a text file, drv_list.txt. This file is a short list of driver names used to mark potential implants cyber operators might encounter on a target box as “friendly” or to “pull back” in order to avoid clashes with competing nation-state hacking operations.

Conclusion 🏁

The core component of fast16, svcmgmt.exe, functions as a highly adaptable carrier module, changing its operational mode based on command-line arguments. Internally, svcmgmt.exe stores three distinct payloads, including encrypted Lua bytecode that handles configuration, its propagation and coordination logic, auxiliary ConnotifyDLL, and the fast16.sys kernel driver. The carrier was designed to act like cluster munition in software form, able to carry multiple wormable payloads, referred to internally as ‘wormlets’.

To read the complete article see: Read full article