ctipilot.ch

Fast16 — Symantec/Carbon Black confirm contemporaneous-with-Stuxnet nuclear-simulation sabotage; LS-DYNA/AUTODYN hook engine targeting 30 g/cm³ density threshold; Zetter corrects 'pre-Stuxnet' framing

campaign · item:fast16-symantec-carbon-black-contemporaneous-stuxnet-nuclea

Coverage timeline
1
first 2026-05-19 → last 2026-05-19
Briefs
1
1 distinct
Sources cited
3
3 hosts
Sections touched
1
research
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-05-19CTI Daily Brief — 2026-05-19
    researchFirst coverage. Broadcom Symantec + Carbon Black 2026-05-18 corroborates Kim Zetter ZERO DAY 2026-05-16 historical attribution research correcting SentinelOne April 2026 framing.

Where this entity is cited

  • research1

Source distribution

  • security.com1 (33%)
  • thehackernews.com1 (33%)
  • zetter-zeroday.com1 (33%)

Related entities

All cited sources (3)

Items in briefs about Fast16 — Symantec/Carbon Black confirm contemporaneous-with-Stuxnet nuclear-simulation sabotage; LS-DYNA/AUTODYN hook engine targeting 30 g/cm³ density threshold; Zetter corrects 'pre-Stuxnet' framing (1)

Symantec / Carbon Black document Fast16 hook engine targeting LS-DYNA/AUTODYN nuclear-simulation codes; Kim Zetter corrects "pre-Stuxnet" framing to contemporaneous-and-simulation-sabotage

From CTI Daily Brief — 2026-05-19 · published 2026-05-19 · view item permalink →

Background. Fast16 — a Lua-based sabotage framework — was first disclosed by SentinelOne at LABScon 2026 in April 2026 and originally framed as a Stuxnet predecessor by approximately two years. Earlier reporting also speculated that the malware operated against physical centrifuge equipment. Both framings now appear incorrect on closer expert review.

Broadcom's Symantec and Carbon Black teams published a technical analysis on 2026-05-18 documenting the framework's operating envelope and target selection (Broadcom Security, 2026-05-18; The Hacker News, 2026-05-18). The architecture: a service binary embedding an early Lua 5.0 VM; a boot-start filesystem driver intercepting executable code as it is read from disk; and a rule-driven hook engine rewriting specific instruction sequences inside narrowly targeted simulation applications. The hook engine selectively intercepts execution inside LS-DYNA and AUTODYN — the canonical high-explosive simulation codes used for weapons design — and activates only when the simulated material density exceeds 30 g/cm³, the threshold reachable only under implosion shock-compression conditions relevant to weapons-grade uranium. Kim Zetter's investigative analysis on 2026-05-16 separately corrected the historical framing of the campaign (Kim Zetter / ZERO DAY, 2026-05-16): Fast16 was contemporaneous with Stuxnet, not a predecessor, and was engineered to feed false output to weapons engineers rather than to physically alter nuclear infrastructure. Defender relevance is narrow but specific: Broadcom appears to describe the first publicly-documented use of a filesystem-driver-level instruction-rewriting hook engine to corrupt scientific-simulation output — a sabotage technique class distinct from data exfiltration, ransomware, or DoS. Operators of national-laboratory research-computing environments, defence-related HPC clusters, and reactor-physics-modelling labs should add filesystem-driver-load monitoring (Sysmon EID 6, Windows boot-start driver enumeration) and integrity checking of long-running simulation binaries to their threat models.