What's Up with Tech?

A 2005 Malware Find That Rewrites Cyber Warfare History

Evan Kirstel


A 2005 malware sample sounds like ancient history, until it looks like cyber sabotage that may predate Stuxnet. We sit down with Jags from SentinelOne’s SentinelLabs to unpack Fast 16, a rare framework that doesn’t just break computers; it quietly corrupts high-precision calculations. If you’ve ever treated simulation results, engineering models, or AI outputs as “the answer,” this conversation will make you pause.

We walk through the unexpected discovery path: a curious reference tied to the Shadow Brokers leak, years of researchers staring at a strange sample that “felt important” but refused to give up its secrets, and the moment an internal project using AI for reverse engineering helped unlock what Fast 16 was built to do. Along the way, we connect the dots to the Stuxnet era, cyber threat intelligence “paleontology,” and why truly high-end nation-state toolkits look like platforms, not one-off scripts.

Then we get uncomfortably current. Sabotaging calculations is an integrity attack, and integrity is the foundation of modern scientific computing, cloud workloads, and frontier AI model training. We talk about how subtle degradation can waste millions, derail decision making, and even turn teams against their own experts. We close with practical lessons for CISOs and enterprise leaders: invest in visibility, telemetry, and log retention before the crisis, and start treating output verification as a core security problem.

Subscribe for more deep dives on cyber sabotage, APT tradecraft, and AI security, and if this made you rethink what “trust” means in computing, share it and leave a review. What system in your world would be hardest to verify?

Evan: Hey everyone, fascinating topic today as we dive into how a new and recent discovery may completely reshape how we think about the origins of cyber warfare, with a true cybersecurity industry insider, Jags from SentinelOne. How are you?

Jags: Hey Evan, I'm good. Thanks for having me.

Evan: Well, thanks for being here. Before we dive into this really intriguing topic, how do you describe SentinelOne these days, and your mission, your work therein?

Jags: Well, SentinelOne is a leading XDR provider, an endpoint security provider, and my role in particular is to lead AI innovation and our intelligence and security research practice, so the SentinelLabs team primarily. So we're involved mostly in high-end research for APTs, cyber espionage, and the kind of interesting quirks that show up, like Fast 16.

Evan: Interesting quirks, to say the least. Big headline. What exactly, for the audience here, is Fast 16? Why is its discovery, from something like 2005, I think, such a big deal?

Jags: Well, Fast 16 is a fascinating little piece of malware that, as you mentioned, comes from 2005. That's part of the shocker of figuring out what this thing is. But essentially, it's a cyber sabotage operation that precedes Stuxnet, depending on how you place Stuxnet, by a number of months or a number of years. And more importantly, it's essentially a sabotage attack on high-precision calculations. So think about it as somebody wanting to mess with math, with the kind of calculations that we use for anything from car crash simulations all the way to, more likely, how you do nuclear detonations. So the kind of materials science and high-pressure calculations that you do to figure out how to make an atomic bomb.

Evan: Well, that isn't too relevant based on what's happening in the news today, but let's keep our perspective here. When and how did your team first stumble upon this? Stumble is the right word. Was there a specific moment when you realized this was something way more important and interesting than just another malware piece of research?

Jags: Yeah, it's a funny story. I think you can separate those two things, right? There's when I stumbled upon Fast 16, and then there's this moment when we realized that it's a big deal. And sadly, there's like a six- or seven-year gap between the two. So I originally ran into Fast 16 as part of a broader project. We were trying to figure out different pieces of malware that fit within, first, this leaked set of names called Territorial Dispute that was part of the Shadow Brokers leak. And we can go into that; that's sort of its own really interesting story. But within that leak, there is a reference to Fast 16, to the file name Fast 16, next to the line "nothing to see here, carry on," which of course was like catnip for security researchers, right? Like there's no way we were gonna let that one go. So Silas Cutler and I at the time went to town looking for this thing. And in that process, we came up with a couple of different approaches of how we wanted to find interesting malware, primarily things that had embedded Lua scripting language virtual machines inside of them. And that's a bit of inside baseball, but there's a ton of different high-end APTs, cyber espionage groups, that like using Lua to extend their operations. So our idea was, let's go collect all of the samples we can find that look a little weird, that have this Lua virtual machine inside of them, and then maybe we'll find interesting things. And in that big collection attempt, we pull this Fast 16 thing. And this is where I kind of got to put myself down a little bit, right? We found this thing. We could tell it was interesting, we could tell it had all these interesting features, but I looked at it, Costin Raiu looked at it, Silas Cutler looked at it, a bunch of really interesting folks in the malware analysis space and APT research space looked at it, some really good reverse engineers looked at it, and no one could quite tell what it does. And I think that's where it kind of ends up on the shelf. And I'll say it was my decision to shelve it for a bit, but it didn't feel right to just say, hey, look at this cool thing we found, we don't really know what it does, right? Like there's this assumption that it's a rootkit, that it's sort of the usual run-of-the-mill malware that you would expect from 2005. And then a few months ago, Vitaly Kamluk, who's on our team in SentinelLabs, he's over in Singapore, he was looking to do a project into something completely different. He was looking to evaluate how AI models are doing at reverse engineering. And we have this thesis, this idea that we can use really obscure malware samples that nobody has analyzed yet as hard evaluations and benchmarks for AI models. Because at the end of the day, all the constituent pieces might be around, but the model's gonna have to reason and use the tools and figure things out by itself to really know what a piece of malware is doing if nobody's written a blog or report about it. So Vitaly takes on this task and he's like, what should I test it on? I'm like, oh, here's this Fast 16 thing. We've never figured out what it is, why don't you try it? And in the process of doing that analysis, Vitaly, who himself is an amazing reverse engineer, calls me up two weeks before the talk and he goes, look, man, I need you to spot check me here, because I think this is crazy. Like, this is something completely different to what I've seen before. I'm like, okay. So Vitaly figured it out. Eventually we got back into the AI model evals and tried to see which one of them could figure it out. But it definitely caught us flat-footed. So you can see that big gap, right, between it being found and Vitaly actually realizing that this is a sabotage toolkit.

Evan: Wow, what a background. Fascinating. And you know, Stuxnet is a story much bigger than cybersecurity; it's legendary, I think, now. How is Fast 16, or was it, different from and similar to something like Stuxnet?

Jags: So that's a really interesting question, in that I'm not entirely certain how we can relate the two, but it would be silly to think that they are entirely unrelated. So, for folks who know about the Stuxnet story, the best resource is probably Kim Zetter's book, Countdown to Zero Day. There's a few documentaries and, of course, a ton of different material that folks have written up about this, but Stuxnet is a really special thing for the malware analysis industry, for the threat intel industry, because in many ways the discovery of Stuxnet is the landmark moment where we first see nation-state level tooling. It's not that it was the first time anybody ran into it, but folks didn't recognize it, right? Like it's this bizarre thing of, if you don't know what you're looking for, you can just kind of gloss right over it without realizing. And it's why most companies, when Stuxnet was discovered, realized that they were sitting on samples of Stuxnet for years and years that had been coming into their collections. They just didn't know what they were looking at. So Stuxnet plays a very important role, essentially, in defining the notion of cyber espionage and cyber sabotage and what the playing field looked like. If you talk to folks in the malware analysis industry before that, there was this idea that of course nation states are playing, and of course they're gonna get into this, and cyber espionage makes a lot of sense, but they're not here yet. Like we'll see them come into the space at some point. What Stuxnet proved is no, they've been here for years, and we were the ones late to figure out that it was actually happening. So that alone makes Stuxnet quite a special operation, more so when you realize that Stuxnet was this very careful, well-crafted sabotage operation meant to slow down or mess up the process of nuclear enrichment in Iran. And when we talk about Stuxnet, it's a bit of an oversimplification. There's at least four or five different versions of Stuxnet payloads. The folks at Symantec did the original work for the original discovery of Stuxnet, but you had Kaspersky and a whole bunch of other researchers that jumped on board. It was actually a pretty fruitful time in our industry for folks to compare notes. And when you go back, and you might notice sort of this look-back obsession on our end, there's a bit of a school of cyber paleontology among different threat intel folks. Silas and I looked back at Stuxnet, I want to say maybe seven or eight years ago, and actually found that there was like a fourth platform involved, and it helped us kind of put the timeline of Stuxnet even further back. So you kind of have this thing happening. And sorry, that's like a long-winded way of getting at your question, but you have this thing happening where there's this really complex operation taking place sometime in 2006, all the way to 2010, '11, where different versions of this malware and different types of attacks are being used to deter this nuclear enrichment process. And Fast 16 kind of rewrites that for us in that it shows us a completely different type of attack that was very likely used for the same targets, preceding it by about a year, about six months or so. So there's this mystery where you go, look, there's no way these things are completely unrelated, but we're still sort of trying to dig up all the intricacies of how they might connect to one another, and if they do.

Evan: Amazing. And it might seem obvious, but why is manipulating calculations and precision data potentially even more dangerous than shutting down, destroying, damaging hardware, even?

Jags: It's very interesting. I think it's extremely insidious in a way that we're not used to thinking about. Look, it's 20 years, 21 years old as an attack vector. And even back then, what you use high-precision calculations for is usually fairly important processes, right? What's the tensile strength of these materials to keep a bridge from collapsing? Have we built cars the right way so that people don't die in collisions? What happens when a bird hits a plane, right? Like all those things are being calculated in software like LS-DYNA or Autodyn and things that folks use in order to simulate these things in as much detail as possible and say, okay, this is safe, this is what we need to do, this is how we need to change things. A part of that obviously is this process of making weapons and nuclear bombs, but to reduce it to that is to ignore just to what extent society has become completely entrenched in high tech and in really interesting things that we derive from high-precision calculations: cryptocurrency, and now more importantly, AI, right? So there's this way in which, to me, the Fast 16 attack becomes truly fascinating. And folks thought it was kind of topical because it's like, oh, right, we're at war with Iran. What a time to bring this up. It's like, honestly, to me, this is far more topical because it's the kind of attack that we would design to mess with a frontier lab, much more so than one that I would consider relevant to what's happening in the Middle East right now.

Evan: Yeah, almost anything I can imagine. Space, aerospace, insidious penetrations and other critical use cases. You describe the framework as highly modular and sophisticated for its time. What does it actually mean? What stood out to you the most?

Jags: It's definitely extremely sophisticated for its time. I tend to shy away from the word sophisticated, right? Like that's gotten so overplayed and overused that it almost never means anything anymore. But back in the 2015s, 2014s, when you were still talking about truly sophisticated APTs and using that word correctly, we were describing operations that showed us toolkits that clearly were worth millions, that were being created by defense contractors, that were fitting a certain spec. And the idea was that you wouldn't go and write a little piece of malware for an operation, you would create an entire platform. So you would invest millions into creating a modular platform. It was something that could be extended, that you could add functionality onto. And it had to have a certain level of reliability that I think most folks don't consider, right? Like when a cybercriminal launches a piece of ransomware, look, if it doesn't encrypt, you go, oh, well, that didn't work, right? And you go roll another one. Western nation states are not that forgiving. They want their toolkits to be, as they say, exquisite. They need them to be completely reliable, and that requires a completely different approach to software engineering and to the kind of QA that you put into these things. So there's a certain rubric that we've gotten used to expecting from really high-end threat actors, and it tends to include these things, right? Like modularity, extensibility, a certain amount of error correcting and just very careful engineering, and of course, a lot of stealth and attempts to not just stay hidden, but to even manipulate the ground at these different victim machines in order to not get caught. All of that we've gotten used to by the mid-2010s. None of that had we seen in 2005. So it's this really interesting thing to find a toolkit that fits the bill. It has all of the markers of the kind of thing that we now recognize as, like, a Flame or a Regin or Equation Group, Turla, et cetera, these folks that are really building super high-end things. And to see it in 2005, and more importantly, to only see one sample of it. Like to this day, we've found one instance of this Fast 16 thing, and we have yet to find any similar malware. We haven't found even anything that shares code, right? Like code reuse would be something that we would use normally to figure out this family lineage of the malware, and we've yet to find anything that shares any code with it in any meaningful way. So it's a mystery that kind of just sticks out in a sense.

Evan: Absolutely fascinating. And of course, it appeared in the Shadow Brokers leak years afterwards. Remind everyone why that leak was so profound in cybersecurity history and why it even matters to this day.

Jags: I mean, the Shadow Brokers leak is a particularly interesting moment in cybersecurity, and also for any espionage and intelligence buffs, because it's something that I thought would never ever happen, right? Like I was there when GReAT shared their first discovery of the Equation Group. And most folks thought, okay, this must be the NSA, right? Which is, like, we're talking about the apex predator of the entirety of the internet, right? Like there's no one that can do what NSA can do, by orders of magnitude. So to see malware that we at the time suspected and believed was theirs be found, be detailed, be properly studied, it felt like a once-in-a-lifetime thing. And I remember being in that crowd, and I was the one sort of live-tweeting this talk. And I thought to myself, I don't think we're ever gonna see something like this ever again. Like you're just not gonna see something that just walks out of the fort at that level of detail. Boy, was I wrong, right? When you see the Shadow Brokers, this mysterious group; to this day, nobody has definitively said who it is. There's all kinds of theories, and frankly, a lot of them are kind of nonsense. But essentially, somebody steals a bunch of materials from the NSA and starts to leak them in a series of bizarre posts online. And that includes a lot of very interesting tooling and files. It included some exploits, it included some malware, a lot of configuration stuff. And for each one of those leaks, you had a bunch of security researchers that were just poring over these things trying to figure out what was in there. One of the things that kind of flew under the radar is this thing called Territorial Dispute that I mentioned before, which a researcher in Hungary, Boldizsár Bencsáth, our friend Boldi, he realizes that it's there, realizes what it does, and he points us to it as what's called a deconfliction toolkit. So, sorry to run folks through a bunch of really kind of complex topics, but think about deconfliction as, let's say the Americans and the Brits are fighting in Afghanistan. You want to let each other know where your forces are so that you don't accidentally kill allied troops, right? Like that's the main core point of deconfliction. If you think about it from a cyber espionage standpoint, it's a much more difficult thing to try to deconflict, not just with allies, but also with enemies, because the whole point of it is that it's covert. But NSA holds a very high standard as to where they're willing to operate. And it seems that one of the biggest priorities for them was not being caught on a box that already, on a victim machine that already had other adversaries in it. So Territorial Dispute is a toolkit that's meant to check a victim box once they're in it. They check a bunch of indicators of compromise and a bunch of other little signatures, and they say, hey, pull back. It looks like there's a different piece of malware here, this other threat actor's here, or look, a friendly tool, for example. Don't remove it, right? It's a bunch of instructions that you're setting to the operators at Fort Meade to say this is how you should act on the basis of what you find over there. And it's amongst all of those signatures and file names that we find the only reference to Fast 16.

Evan: Incredible. So Fast 16 is obviously advanced for 2005. In your imagination, what might a modern version of a cyber sabotage framework look like today? I mean, is this something you're thinking about?

Jags: I mean, I've been thinking about it a lot, mostly in how you would implement that same attack now, right? Because the toolkit itself isn't gonna be the thing that you need to re-implement as much as, you know, how would we go about implementing that attack? And look, it doesn't take a genius to figure out where you would want to use this, right? As we talk more and more about this great contest between the US and China in training AI models, these are the most expensive calculations that I can think of, probably in our lifetimes, right? You're running cloud workloads that are probably costing tens of millions of dollars at a time. And they're obviously meant to be high-precision calculations. It does not take much to consider how desirable it could be to deter those calculations and mostly to degrade them. Because if you think about the attack that was implemented for Fast 16, you didn't want things to blow up. You weren't trying to make things catastrophically fail. You wanted to subtly degrade these calculations, right? The point was for the scientists who were trying to come up with what the right explosive material is to equip a nuclear warhead to think that things just don't quite add up. Like this thing, and you go to another computer, and Fast 16 spreads to every computer on the network and it does the same thing. So you're like, okay, it's not adding up here. So let me take it over there. And maybe if I do it on this other computer... and you get: right formula, right inputs, wrong answer, over and over again. And you can't even tell that it's necessarily wrong. So the idea was, it's almost a bit of psychological warfare where you start to see a bit of ineptitude, right? Most of the time we don't think the computers are wrong. We think, oh, this person doesn't know what they're doing. And I'm sure that this has been documented in Kim's book and a lot of the contemporary accounts of stuff that was happening in the Iranian nuclear program. But at some point you do look at your scientists and go, hey, these guys are idiots, right? Like we need to fire this person and put this other person in, or whatever. On the AI side of things, I would be very curious to see how you can validate a workload at that magnitude, at that speed, right? You don't want to give up any of the capacity that you have. You're trying to use all of it to build these mega models and to hopefully get ahead. And it allows for some really interesting failure scenarios that I don't think folks are ready for.

Evan: Indeed. Fascinating to think about. So what are some of the key lessons that you think enterprise leaders and CISOs and governments that you work with at SentinelOne could take away from this? What are some practical utilities and takeaways here?

Jags: I don't know how practical the takeaways get to be, right? Like to be completely honest with you, there's the practical side of the house, which I think, we all need to get honest about the fact that nobody's security is quite as good as it should be or it could be. And we definitely need to put a little more elbow grease into that, into visibility and telemetry and making sure that we're pre-investing in a meaningful way, so that when the crisis comes, that's not the moment when you're trying to realize, do we have visibility? Do we know what's happening on these machines? Did we keep the logs? Did these things work? Right. Like if you're asking those questions after the attack, you're already having a bad time. And by the time I show up, everything's already gone to hell in a handbasket. For an attack like this, I think there's a much more important lesson in our ability to trust technology and to what extent, look, technology's already become completely interwoven into the fabric of what we do. There's no such thing as avoiding these sort of high-end systems, even just grabbing a car on the streets, right? Driving past a Tesla. These things are just everywhere. And I think as a society, we need to have a very interesting and important conversation about what it means to rely on these systems, what it's going to take for us to be able to verify the outputs of those systems, and to consider it more of a life-and-death thing now than, you know, a video game or some console or something. We got a little too used to trivializing technology as a non-essential thing, as a thing that we kind of sprinkle on top of humanity. And now the truth is that it undergirds a lot of the things that we do.

Evan: Well said. That's quite a mic drop moment. But if folks want to reach out to you personally, maybe meet you at Black Hat or DEF CON, or check out your blog, where should they go?

Jags: Oh, I mean, I'm at most conferences, speaking a little too much these days, probably. But I'm on Twitter, I'm on LinkedIn, and more importantly, the SentinelLabs blog, so SentinelLabs.com. You'll find the research that our team puts out and a lot of interesting things along the same lane.

Evan: Thank you. Well, thanks for what you do. Thanks for being one of the good guys out there. We need more guys and gals like you, and thanks for sharing this story to a pretty broad B2B audience. Amazing, can't wait for the movie or the Netflix version or what have you, and definitely check out the podcast.

Jags: I appreciate it, Evan. Thank you so much.

Evan: And thanks everyone for listening. If you're listening, watching, also check out our TV show, techimpact.tv, on Bloomberg and Fox Business monthly. Thanks, everyone. Thanks, Jags.

Jags: Thank you.