EXECUTIVE SUMMARY
A previously undocumented cyber sabotage framework, tracked as fast16, has been uncovered by researchers and dates back to 2005. It selectively targets high-precision calculation software, patching its code in memory to tamper with results, with the aim of producing the same inaccurate calculations across an entire facility. The attackers' goal is to disrupt critical infrastructure and research workloads, such as advanced physics, cryptographic and nuclear research, with sabotage as the primary motivation. fast16 is believed to have been used by sophisticated, possibly nation-state sponsored, threat actors and is linked to a 2017 leak of deconfliction signatures used by NSA operators. fast16 infects systems through a service-mode executable, svcmgmt.exe, a highly adaptable carrier module that changes its operational mode based on its command-line arguments.
The binary includes a crucial detail: a PDB path that links it to the kernel driver fast16.sys. Once loaded, fast16.sys focuses on executable files, modifying them so that they produce inaccurate results. The driver registers with IoRegisterFsRegistrationChange so that it can attach a worker device object on top of every active and newly created filesystem device, and from that position it intercepts and modifies executable code as it is read from disk. In short, fast16 pairs a file-system driver built for precision sabotage, designed to tamper with high-precision calculation software, with a Lua-powered 'carrier' module compiled in 2005.
The significance of fast16 lies in its sophistication and the level of precision it brings to cyber sabotage operations. Its modular design and ability to adapt to different target environments and operational objectives make it a potent tool for disrupting critical infrastructure. fast16 also predates Stuxnet by at least five years, making it a significant discovery in the realm of cyber warfare. Organisations should take defensive actions to protect their high-precision calculation software, including patching, monitoring, backups, and endpoint protection.
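The report describes a service-mode carrier (svcmgmt.exe) and a kernel driver (fast16.sys) attached to the filesystem stack. The following PowerShell inventory check is an added example, not code from the report or from the researchers: it lists running kernel drivers and installed services, flags names matching the report's indicators (the name patterns are assumptions drawn from those indicators), and flags binaries that do not carry a valid Authenticode signature.

```powershell
# Added example: triage inventory for a Windows host under review. Run elevated.
# Name patterns are assumptions based on the indicators named in the report.
$suspectNames = @('fast16', 'svcmgmt')

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                  # strip a leading \??\
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # expand \SystemRoot\
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Resolve-ServiceExe {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Service command lines may be quoted and carry arguments (the report says
    # svcmgmt.exe switches modes by argument), so keep only the executable path.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-Binary {
    param([string]$Kind, [string]$Name, [string]$Path)
    $flags = @()
    foreach ($s in $suspectNames) {
        if ($Name -like "*$s*" -or $Path -like "*$s*") { $flags += "name-match:$s" }
    }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        # Catalog-signed inbox files can report NotSigned on older hosts; treat a
        # signature flag as a prompt to verify the file, not as a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    } elseif ($Path) {
        $flags += 'image-missing-on-disk'   # a running driver with no image file is worth a look
    }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Path = $Path; Flags = ($flags -join ',') }
}

$results = @()
Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } |
    ForEach-Object { $results += Test-Binary 'driver' $_.Name (Resolve-DriverPath $_.PathName) }
Get-CimInstance -ClassName Win32_Service |
    ForEach-Object { $results += Test-Binary 'service' $_.Name (Resolve-ServiceExe $_.PathName) }

# Print only entries with at least one flag for analyst review.
$results | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Because the report says the driver alters executable code as it is read from disk, hashes or signatures computed on a live infected host may reflect tampered content rather than what is stored; confirm findings by examining the disk from clean boot media.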
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Reconnaissance | T1598 | Network Service Scanning |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Defense Evasion | T1553 | Subvert Trust Controls |
| Defense Evasion | T1014 | Rootkit |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1102 | Web Service |
| Command and Control | T1132 | Data Encoding |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
REFERENCES:
The reports contain further technical details:
https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/
https://securityonline.info/bitwarden-cli-breach-dune-malware-supply-chain/