Hello!
For most people, SentinelLABS’s breakthroughs into understanding the fast16 malware are an intriguing cyber mystery solved, a rewriting of the historical timeline of offensive cyber, and generally a cool discovery. For me – and perhaps for a few people in the US government, though for very different reasons – it was initially anxiety-inducing: how many Binding Hook articles reference Stuxnet? Would they all be outdated now? Breakthroughs can be very inconvenient like that.
After going through the site and confirming that nothing was now egregiously wrong, I could enjoy the details a bit more: teams of researchers from across the globe picking at some leaked code for almost a decade, with Juan Andres Guerrero-Saade and Vitaly Kamluk finally cracking the code while testing AI capabilities (the AI was wrong).
Five years before Stuxnet, it seems, someone within the US government or its allies had created a subtle little worm that infected networks with ‘wormlets’ and very quietly altered software calculations. The programs it seems to have targeted were used for physical simulations, including by scientists working on Iranian nuclear research. Obviously, it would be preferable – for you, your government, and perhaps most of the world – if your nuclear calculations were accurate, although for a determined adversary, such manipulation might be worth the risk.
For more on the relationship between cyber operations and nuclear conflict, read Kamil Bojarski’s review of Fiona Cunningham’s Under the Nuclear Shadow.
Fast16 had hovered tantalisingly on the fringes of cyber threat hunting ever since the landmark Shadow Brokers leak from NSA. This certainly added to the (admittedly rather nerdy) frisson of excitement in placing this particular piece correctly in the cyber jigsaw.
To cut a long story short, the Shadow Brokers leak included a tool called ‘Territorial Dispute’, which alerted operators (presumably the NSA) to the presence of other advanced malware on a target system: the cyber equivalent of ‘don’t cross the streams!’. One of the Territorial Dispute alerts was a reference to ‘fast16’ – no more, no less.
Another aspect of the fast16 story stood out. Some of the code bore hallmarks of high-security US government or military operating systems from the pre-Windows 1970s and 1980s, not the Windows 2000/XP era in which it was deployed. This suggests that whoever wrote fast16 had cut their coding teeth a long time previously, and came from a relatively small pool of people working in such environments for decades.
To get back to the bigger picture, several researchers involved in various stages of the project told Wired that this could perhaps account for some North Korean nuclear failures during this time too – why make such a nice tool and only use it in one place?
Of course, the scary part, as Kamluk points out, is that the software in question is used fairly widely for other research purposes – engineering, hydrology, construction – and the programs that SentinelLABS mentions are from the US, China, and Portugal. If this worm could impact calculations in Iranian nuclear projects, what else might it have impacted? And besides, this was made in 2005 – what else is out there?
While now is probably not a good time to be on an Iranian bridge anyway, this revelation certainly adds another dimension to the ethics of cyber operations. There’s been much debate about, for instance, the UK’s approach to responsible cyber operations – the 2023 document laying out their principles says, ‘We may seek to affect [adversaries’] confidence in their digital technology and the information it is providing them … by affecting the functionality and effectiveness of an adversary’s systems.’ Sound familiar?
As a person with surprisingly Luddite tendencies considering my current position, I’ve been moving away from trusting anything on computers anyway; even before the AI era, there was a rising tide of slop. However, I had thought calculation was on pretty solid ground. Unless, of course, you happened to be calculating the random numbers required for a new encryption standard around the same time fast16 was deployed – and yes, the culprit then was (also?) the NSA. Maybe that’s just a massive coincidence…
Until next month.
Katharine Khamhaengwong
Binding Hook Senior Editor
More Binding Hook on state-backed cyber operations:
- Max van der Horst reviews Jon Lindsay’s Age of Deception: Cybersecurity as Secret Statecraft, showing how cyber operations function as intelligence contests shaped by secrecy, exposure, and institutional vulnerability.
- Michael P. Fischerkeller, Emily O. Goldman, and Richard J. Harknett preview their upcoming book Cyber Persistence and Campaigning: The Logic and Art of Securing Cyberspace.
- Aleksandar Milenkoski, Jiro Minier, Julian-Ferdinand Vögele, Max Smeets, and Taylor Grossman look at how states use ransomware for espionage, sabotage, and cybercrime.
- Matthias Schulze explores how countries from Finland to Japan are creating cyber commands, adapting previously defensive capabilities, and facing new legal and diplomatic challenges as they go on the offense.
- Abhishek Sharma writes about Japan’s turn toward ‘active defence’, despite a pacifist military culture and other structural constraints.