A security company recently confirmed that "Fast16", a piece of malware discovered many years ago but only recently fully analyzed, was used to secretly interfere with simulations of nuclear weapon explosions. The aim was not to destroy the weapons directly but to tamper with test data so that engineers would believe the nuclear test had failed, thereby slowing the advancement of the nuclear program.

According to the latest analysis by the threat hunting team of security company Symantec, "Fast16" targets at least two high-precision simulation packages, LS-DYNA and AUTODYN, and secretly replaces key test data when they are used to simulate the physical processes of high explosives and nuclear warheads. The malicious code acts when the simulation is close to the "supercritical" state and quietly tampers with the values shown to the engineers, leading them to believe that the core pressure is not enough to trigger a nuclear chain reaction.

Nuclear experts pointed out that, judging from the code details and its active period, the target of "Fast16" is almost certainly Iran's early nuclear weapons program. David Albright, founder of the Institute for Science and International Security, a U.S. think tank, said that although it was theoretically possible to target other countries engaged in nuclear weapons research and development at the time, the timing, the access required for development, and the focus on uranium materials all pointed to Iran's nuclear weapons efforts as the most likely target. He emphasized, “We cannot completely rule out countries such as North Korea or Syria, but when all the key factors are added up, Iran’s nuclear weapons program is still the most convincing target.”

"Fast16" is not a predecessor of the well-known "Stuxnet" but another "digital weapon" that appeared at roughly the same time. The code for "Fast16" was compiled on August 30, 2005, and evidence suggests that Stuxnet began development around the same time, although the latter was not "dropped" into Iran's centrifuge systems until 2007. "Stuxnet" quietly undermined Iran's uranium enrichment capabilities by manipulating the operation of centrifuges and falsifying monitoring data; "Fast16" worked on another front: it did not destroy physical equipment, but deprived the nuclear weapons design team of accurate knowledge of its simulation results.

The researchers noted that Fast16 targeted a critical stage in the high-explosive compression process: when the density of the uranium core in the simulation reached about 30 grams per cubic centimeter, just below the density threshold at which compressed uranium would begin to liquefy, the malware began intercepting and tampering with the data. The real physical parameters were replaced with false values a few percentage points lower. The fluctuations looked normal on a chart, but they were enough to lead engineers to the wrong conclusion that "the pressure is insufficient and the design failed." This would force the team to keep adjusting calculations, increasing the explosive charge or modifying the structural design, wasting time and resources on endless "bug hunting" and internal disputes.

The Symantec team also found that "Fast16" is finely adapted to multiple versions of LS-DYNA, and that support for these versions was not added in the order of the software's releases but in "jumps" that filled in gaps. This suggests that the attacker probably kept receiving intelligence about when the target engineering team switched to which version of the simulation software, and updated the malicious code accordingly so that the simulation results would continue to be manipulated regardless of how the target upgraded or rolled back. The malware also propagated laterally within the internal network, so that every terminal used to run the simulation produced the same tampered data, further reducing the likelihood that the victim would suspect a compromise.

Security researchers first noticed the existence of "Fast16" through a leaked U.S. National Security Agency (NSA) tool document in 2017. The tools had been stolen by the mysterious hacker group "Shadow Brokers" and released in batches. The document describes "Fast16" as an attack capability that was actually put into use, rather than a proof of concept that stayed in the laboratory. Although no actual samples were leaked at the time, a "Fast16" sample was uploaded to the malware detection platform VirusTotal in October 2017 and remained unnoticed for the next two years. It was not until SentinelOne researcher Juan Andres Guerrero-Saade discovered this sample in 2019 and teamed up with independent researcher Vitaly Kamluk, using artificial intelligence to take apart its functions, that its focus on high-precision simulation calculations was first revealed.

At the time, SentinelOne's team speculated that "Fast16" was likely designed to disrupt computing software used to simulate nuclear detonations, and listed LS-DYNA as one of the most likely targets because public information revealed that Iran had used the software in detonation research. Symantec's latest technical analysis now confirms this and further establishes that AUTODYN is also targeted. Both programs are widely used in industry and scientific research. They can be used to study a range of high-pressure physics scenarios such as metal strength, collision impact, and aerospace and vehicle safety, and they are also suitable for simulating the behavior of nuclear warheads under high-explosive compression.

To understand the operation of "Fast16", we need to return to the historical background of Iran's nuclear program. In 2002, Iran's exiled opposition group, the National Council of Resistance, held a press conference in Washington, revealing that Iran was secretly advancing its nuclear weapons program. Many facilities that had not been reported to the International Atomic Energy Agency (IAEA) were exposed. In 2003, an IAEA on-site inspection found that Iran's nuclear activities far exceeded what it was required to disclose under the Treaty on the Non-Proliferation of Nuclear Weapons and that there were suspicious signs of military use. Under international pressure, Iran agreed to temporarily suspend some nuclear activities in 2004 and start negotiations with the European Union; however, in the summer of 2005, the negotiations broke down, and Iran announced the resumption of enrichment activities and promoted the installation and operation of centrifuges at the Natanz facility.

Security researchers infer that it was between 2003 and 2005 that intelligence agencies determined that Iran was still pursuing nuclear weapons-related research, especially in the "Amad Project", which used computer simulations to compensate for the limited scale of live explosion tests. Albright pointed out that the U.S. intelligence community issued an assessment in 2007 that Iran had suspended its nuclear weapons program in 2003, but intelligence agencies in countries such as Israel and Germany have long believed that Iran resumed related work in 2005 in a more covert manner and with reduced funding. At this stage physical experiments were limited and computer simulation became more important, which made precise sabotage of simulation software a very cost-effective attack path.

"Fast16" was designed as a very covert "soft destruction" tool. It does not indiscriminately infect every target host. Instead, it first checks whether any of 18 specific security products is installed on the system, and if it finds one it exits automatically to reduce the risk of being captured and analyzed. Once inside the simulation environment, it does not trigger any obvious anomalies. It starts working only when it detects that a high-explosive simulation has started and that a specific mathematical model is in use. Nuclear explosion simulations can use a variety of mathematical models, which differ in how they describe variables such as pressure, volume and density and their interaction under extreme conditions. "Fast16" tampers with data only when it detects that one of three specific models is enabled, to ensure the accuracy and effectiveness of the attack.

On the weapon design side, Iran is believed to have tested high-explosive components for spherical implosion devices: high explosives are evenly layered around the outside of a spherical uranium core and ignited to generate shock waves, which push metal "flying pieces" inward to strike the uranium core like a hammer and drive it into a high-pressure, high-temperature state. In this state, the neutrons released from uranium nuclei frequently collide with other atomic nuclei, triggering a fission chain reaction and thereby a nuclear explosion. Engineers use simulation to keep adjusting the explosive layout, detonation timing and material parameters in search of the optimal way to reach the "supercritical" state, and "Fast16" changes the numbers they read during this critical process.

Albright's analysis holds that if the malware lowers the true values only slightly, by 1% to 5%, the curves on the chart will look completely normal to the naked eye, yet the change is enough to alter the engineers' judgment of the results. They may conclude that the impact is insufficient, the compression is not enough, or the design is flawed, and so repeatedly adjust the model and charge configuration, with every simulation run leading to manipulated and erroneous conclusions. In this case, the goal of the attack is not to make a particular explosion go "out of control", but to keep disrupting the pace of development, erode the team's confidence, and create internal friction and doubts about the design, thereby slowing down the overall nuclear weapons development process.
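A shift of this size is invisible on a chart but stands out when a run is compared point by point with a reference obtained independently of the affected machines. The following is an added defensive example, not code from Symantec's analysis or from the original article: it flags a sustained one-sided deviation and reports the density at which it begins. The curve, noise level and thresholds are constructed for illustration, and it assumes such an out-of-band reference exists.

```python
import random

def relative_shift(reference, observed):
    """Per-sample relative deviation of the observed run from the reference."""
    return [(o - r) / r for r, o in zip(reference, observed)]

def find_gated_bias(density, reference, observed, tol=0.005, min_run=8):
    """Find the longest run of samples that sit below the reference by more
    than tol. Random solver noise scatters to both sides; a long one-sided
    run that starts at a particular density does not."""
    shifts = relative_shift(reference, observed)
    best = (0, 0)  # (length, start index) of the longest one-sided run
    start = None
    for i, s in enumerate(shifts + [0.0]):  # sentinel closes a trailing run
        if s < -tol:
            if start is None:
                start = i
        elif start is not None:
            if i - start > best[0]:
                best = (i - start, start)
            start = None
    length, begin = best
    if length < min_run:
        return None
    run = shifts[begin:begin + length]
    return {"onset_density": density[begin],
            "samples": length,
            "mean_shift": sum(run) / length}

def constructed_run(tampered, seed=0):
    """Constructed sample data: density ramp 10..40 g/cm^3 and a placeholder
    pressure curve (not a real equation of state) with +/-0.1% noise."""
    rng = random.Random(seed)
    density = [10.0 + 0.5 * i for i in range(61)]
    reference = [2.0 * d ** 2 for d in density]
    observed = []
    for d, p in zip(density, reference):
        value = p * (1 + rng.uniform(-0.001, 0.001))
        if tampered and d >= 30.0:
            value *= 0.97  # the few-percent reduction described in the text
        observed.append(value)
    return density, reference, observed

if __name__ == "__main__":
    print(find_gated_bias(*constructed_run(tampered=True)))
    print(find_gated_bias(*constructed_run(tampered=False)))
```

Because the article notes that every terminal on the affected network showed the same tampered data, comparing two machines on that network would show no difference; the reference has to come from a separate, trusted toolchain.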

Symantec researcher Vikram Thakur pointed out that "Fast16" may seem technically simple, but it is one of the "very few elite attacks" because it requires the attacker not only to be proficient in the internal mechanisms of the target software, but also to have a deep understanding of nuclear physics processes, material properties, and how to achieve the desired misleading effect with minimal changes. He believes that creating such a "data integrity attack and defense" malware based on precision engineering knowledge in 2005 is "rare in any era, and even more unimaginable at the time."

Even so, Thakur emphasized that Stuxnet is still one of the most advanced pieces of malicious code they have ever seen in terms of complexity. What the two have in common is that both focus their attacks on the "data level": they tamper with the data the system outputs rather than directly damaging the hardware, leaving the victim lost in wrong information. In both cases the attackers also had to break into highly secured, physically isolated environments, understand precisely how these environments operate, and make extremely sophisticated modifications without being discovered.

Stuxnet was not discovered until it spread to systems outside Natanz and caused a crash. It lay dormant for about three years. After it was exposed, the impact on Iran's nuclear program did not stop at physical damage, but also included the destruction of trust in the entire engineering system: Iranian engineers have since been highly suspicious of any failure, and even ordinary equipment aging or accidental errors may be suspected of being the result of external sabotage. Symantec believes that the facts revealed by "Fast16" will also put psychological pressure on Iran's nuclear project: they remind decision-makers and technical personnel that even data hidden in computer simulation software may not be trustworthy.

Researchers generally believe that "Fast16" and "Stuxnet" are likely to be part of a larger, multi-layered operation launched by the West against Iran's nuclear program. Over the past two decades, the United States and its allies have continued to use different methods, ranging from cyber attacks to targeted strikes, to try to delay or prevent Iran from acquiring nuclear weapons capabilities. Traditional "kinetic strikes" have not completely destroyed Iran's nuclear infrastructure, and the newly disclosed "Fast16" story adds a new chapter to this long-running contest: it shows how, alongside traditional military pressure, digital sabotage that seems mild but reaches deep into the core of the work can change the schedule and political bargaining chips of a nuclear project without triggering a large-scale explosion.

At a time when the United States and Israel are still trying to limit Iran's nuclear program through pressure and negotiations, the exposure of "Fast16" is seen as a warning: For Iran's nuclear policymakers and engineers, the so-called "security boundary" is becoming increasingly blurred, and any link - even seemingly neutral and reliable simulation software in the laboratory - may become an entry point for digital saboteurs.