{"id":802045,"date":"2026-05-17T03:53:19","date_gmt":"2026-05-17T03:53:19","guid":{"rendered":"https:\/\/www.europesays.com\/us\/802045\/"},"modified":"2026-05-17T03:53:19","modified_gmt":"2026-05-17T03:53:19","slug":"experts-confirm-the-fast16-malware-was-sabotaging-nuclear-weapons-tests-likely-in-iran","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/us\/802045\/","title":{"rendered":"Experts Confirm the Fast16 Malware Was Sabotaging Nuclear Weapons Tests, Likely in Iran"},"content":{"rendered":"

Researchers have confirmed that a remarkable piece of malware discovered years ago but analyzed only recently was designed to subvert nuclear weapons testing simulations with the aim of undermining those tests and slowing the progress of a nuclear program. The new information, from researchers at the security firm Symantec, confirms what has only previously been speculated about the code by the company that first discovered it \u2014 SentinelOne.\u00a0<\/p>\n

The malicious code, known as Fast16, was designed to subvert at least two specialized software programs that were commonly used for simulating weapons explosions at the time the code was active in 2005. It cleverly swapped out legitimate data produced by the simulation software, replacing it with false data that was fed to engineers monitoring those simulated tests. Specifically, it waited until the simulation neared the point of \u201csupercriticality,\u201d when the chain reaction leading to a nuclear explosion would begin, and altered data pertaining to the pressure inside the uranium core to indicate to engineers that the pressure was insufficient to achieve supercriticality, even though the real data showed otherwise.<\/p>\n

This appears to have been aimed at tricking the engineers into believing the tests were less successful than they actually were, in order create confusion and slow the progress of the nuclear program Fast16 was targeting.<\/p>\n

Nuclear experts say that based on details contained in the code and the period in which it was active, they are certain the target was Iran\u2019s nuclear weapons program.<\/p>\n

\u201cWhile we cannot exclude other target countries working on nuclear weapons in the early 2000s, such as North Korea or possibly Syria, the timing, the access required [to create the malware] and the focus on uranium, point to Iran\u2019s nuclear weapons efforts being the target,\u201d David Albright, a physicist and founder and president of the Institute for Science and International Security, told Zero Day.<\/p>\n

The way the code acted is not very different from Stuxnet, a virus created by the US and Israel to subvert centrifuges<\/a> used by Iran to enrich uranium gas. That code, too, fed false data to operators to trick them into believing the centrifuges were fine, when they weren\u2019t.<\/p>\n

Fast16 only predates Stuxnet by about a year. The code was developed in 2005 according to evidence in the code, and there is evidence that Stuxnet was under development during this same period, though the latter wasn\u2019t unleashed on systems in Iran until 2007. There is evidence that Fast16 was likely also created by the US, Israel or another ally.<\/p>\n

\u201cWhile we cannot exclude other target countries working on nuclear weapons in the early 2000s, such as North Korea or possibly Syria, the timing, the access required [to create the malware] and the focus on uranium, point to Iran\u2019s nuclear weapons efforts being the target.\u201d \u2013 David Albright<\/strong><\/p><\/blockquote>\n

Although Stuxnet wasn\u2019t unleashed until two years after Fast16, domains used as command-and-control servers to communicate with Stuxnet were registered in November 2005 to prepare for it; and in early 2006, a sabotage test was conducted with Stuxnet in the US, showing proof of concept. The results from that test were presented to President George Bush at the time, who authorized the covert sabotage operation once he understood that it could succeed. In May 2006, the developers of Stuxnet made updates to their code, and sometime in the fall of 2007 it was secretly installed on machines in Iran by a Dutch mole<\/a>.<\/p>\n

All of this suggests that if Fast16 did target Iran in 2005, and if the US or Israel were behind it, it did not really predate Stuxnet, but was contemporaneous with it, and together they were part of a multi-pronged campaign by the US and its allies to subvert and slow Iran\u2019s nuclear ambitions.<\/p>\n

Stuxnet increased the pressure inside centrifuges and caused them to spin out of control, while feeding false data to operators to make them think the centrifuges were working fine. Fast16 took a different approach and fed operators false data about nuclear warheads testing to make engineers believe the tests were\u00a0not fine, while in fact they may have been.<\/p>\n

All of this suggests that the story of Fast16 is a new chapter in the west\u2019s two-decade campaign to halt or destroy Iran\u2019s nuclear program.\u00a0<\/p>\n

\"\"Facilities in Iran known or believed to be part of the nuclear program as of June 12, 2025. The sites marked in red are primary nuclear sites. Map: Thomas Gaulkin\/ Datawrapper. Source: Nuclear Threat InitiativeHow Fast16 Was Discovered<\/strong><\/p>\n

It\u2019s not clear if the victims of Fast16 ever discovered the code on their systems, but its existence first came to the attention of Juan Andres Guerrero-Saade, senior technical fellow for research and innovation at SentinelOne, when it was mentioned in an NSA tool leaked online in 2017<\/a>. The tool was just one of a tranche of NSA tools stolen by a mysterious group known as the Shadow Brokers. Fast16 code itself wasn\u2019t among the leaks, but the context in which it was mentioned in one of the tools implied that it was created by the NSA or an ally. The fact that it was mentioned in this leak also supports the belief that Fast16 wasn’t just proof-of-concept code that was never used in the wild, but had actually been unleashed on systems. When it was unleashed to infect systems, isn’t known. But in October 2017, someone uploaded a sample of the code to a site called Virus Total, where it sat unnoticed for two years. Virus Total is used by security firms and victims of cyberattacks to upload suspicious files, where they are scanned by multiple anti-virus engines to see if they are malicious. Given that the Shadow Brokers possessed a large collection of NSA tools and were threatening to publish them at the time, someone from that group may have uploaded it to the Virus Total site.<\/p>\n

Although earlier versions of the code may exist, this is the only one that\u2019s been uncovered by researchers so far.<\/p>\n

Last month, Guerrero-Saade and Vitaly Kamluk, an independent security researcher working on behalf of SentinelOne, announced<\/a> that in 2019, Guerrero-Saade had found the Fast16 sample, and after years of trying but failing to decipher the code, he and Kamluk decided to use AI to determine what it was designed to do, and were surprised by the results. The code, they said, was subverting software applications used for performing high-precision mathematical calculations, and concluded that it was likely targeting software used for conducting simulated tests of physical properties that required high precision.<\/p>\n

All of this suggests that if Fast16 did target Iran in 2005, and if the US or Israel were behind it, it did not really predate Stuxnet, but was contemporaneous with it, and together they were part of a multi-pronged campaign by the US and its allies to subvert and slow Iran\u2019s nuclear ambitions.<\/strong><\/p><\/blockquote>\n

Although Guerrero-Saade and Kamluk didn\u2019t know which simulation software Fast16 was targeting or what tests it was attempting to disrupt, they speculated that it was most likely trying to undermine software being used for simulating nuclear weapons explosions. They suggested three possible software programs that could be the target: Modelo Hidrodin\u00e2mico, commonly used for modeling water systems, a program out of China called PKPM, and the US-made LS-DYNA. Iran is known to have used LS-DYNA to do work in explosives research, leading SentinelOne\u2019s researchers to believe this was Fast16\u2019s most likely target.<\/p>\n

Now new analysis this week from researchers with the Threat Hunter Team at Symantec \u2014 who were also responsible years ago for deciphering Stuxnet \u2014 confirms that LS-DYNA was indeed one of the software programs targeted by Fast16, and that the code was aimed at subverting simulated tests of nuclear explosions that were conducted with the software. The team is publishing their research today<\/a>, which provides details on how Fast16 worked to subvert such tests. Albright and colleagues at the Institute for Science and International Security are also posting their analysis<\/a> today on the nuclear-weapons testing phases that Fast16 targeted.<\/p>\n

According to Vikram Thakur, technical director for Symantec,\u00a0 and Eric Chien, a fellow in Symantec’s security technology and response division, Fast16 targets at least two software simulation programs \u2014 LS-DYNA and AUTODYN. It may also target one other program, though the Symantec researchers were unable to identify it from the code.<\/p>\n

LS-DYNA was developed in the 1970s at Lawrence Livermore National Laboratory and turned into a commercial product in the 1980s. It\u2019s used to evaluate physical phenomena such as the strength of metals and impact from collisions, including things like vehicle and plane crashes. But it\u2019s also used to model the types of high compression needed for nuclear warheads. AUTODYN is a similar software distributed by Ansys, the same company that now owns LS-DYNA. Both programs are used to simulate the same kinds of things and, according to various academic publications, both were being used in Iran during the time that Fast16 would have been active, Albright says.<\/p>\n

Although the programs can be used for various types of simulations, Fast16 is singularly focused, and is only interested in the programs when they are modeling high-explosive detonations. Fast16 determines which software is being used, and only engages when it\u2019s sure the program is simulating a high-explosive detonation and using specific models to do so.<\/p>\n

Nuclear explosions can be simulated using a number of different mathematical models developed over the years by engineers and physicists. These models differ by the level of pressure, volume and density being simulated in them, as well as the various states of change that occur as a result of the interaction between these elements. The LS-DYNA and AUTODYN programs allow users to choose which model they want for a particular simulation, and Fast16 only engages if one of three specific models is being used.<\/p>\n

Before going into what Fast16 does, it\u2019s important to understand the context in which it was unleashed.<\/p>\n

\"\"Iran’s Natanz compound where it built two large underground halls capable of holding 50,000 centrifuges to enrich uranium gas. The site was a target in recent bombings. Image: Courtesy of the Institute for Science and International SecurityIran\u2019s Nuclear Program<\/strong><\/p>\n

In August 2002, the National Council of Resistance, an Iranian dissident group, held a press conference in Washington, DC, to reveal that Iran had an illicit nuclear weapons program, which involved secret facilities in a number of locations around the country. It\u2019s believed that they received this information from western intelligence agencies who had been tracking the program.<\/p>\n

The International Atomic Energy Agency, the UN body responsible for monitoring nuclear programs around the world, demanded access to the locations, and in February 2003, were able to visit them for the first time. The IAEA inspectors determined that Iran had not fully revealed its nuclear program to the IAEA, as required under the Nuclear Non-Proliferation Treaty it had signed, and that the program was much further along than they had anticipated. The inspectors also suspected that Iran wasn\u2019t just enriching uranium for a nuclear power plant, as Iran insisted, but also had a nuclear weapons program. Although the inspectors found some indications of a small nuclear weapons program during their visit, they didn\u2019t know its scope and missed that Iran actually had a much large nuclear weapons effort in progress, codenamed the Amad Project.\u00a0This would become apparent only later.<\/p>\n

If you have additional information about Fast16 or about efforts to sabotage Iran’s nuclear program, you can contact me securely via the following:<\/p>\n

Signal – KimZ.42<\/strong><\/b><\/p>\n

Keybase – kimzet<\/strong><\/b><\/p>\n

kzetter@protonmail.com<\/strong><\/b><\/p>\n

If you’d like to advertise on Zero Day, you can reach me at countdowntozeroday@gmail.com<\/strong><\/b><\/p>\n

The US and other countries pressured Iran to suspend its nuclear program until the IAEA could gather more information about it, to determine how far along the program was and how far Iran might be from having a fully stocked enrichment hall, as well as enough enriched uranium to make a nuclear bomb.<\/p>\n

In November 2004, Iran agreed to a suspension while it engaged in negotiations with the EU. But in early August 2005, the talks reached an impasse, and Iran announced that it was withdrawing from the suspension agreement. It also announced it was proceeding with its nuclear program, including enriching uranium gas for the first time at the Natanz facility.<\/p>\n

By this point, the Fast16 code had already been in development for a while, based on evidence in the code, as were plans for Stuxnet. On August 30, the Fast16 code was compiled, according to a timestamp contained in it. <\/p>\n

Albright notes that between 2003 and 2005, when Fast16 was being developed, intelligence agencies believed that Iran had an active nuclear weapons program, and that simulation teams were engaged in modeling nuclear explosions. A US intelligence assessment would later assert in 2007 that Iran had halted the weapons part of its nuclear program in 2003<\/a>, but intelligence agencies in Israel and Germany have long insisted that while this was true, Iran revived the program in 2005.<\/p>\n

Albright believes it was revived, but in a much different form. Funding for the program was mostly diverted to other things, and the program continued at a greatly reduced scale. He believes research continued, but without kinetic testing \u2014 just computer simulations, such as those that could be conducted using the LS-DYNA and AUTODYN software programs. In the absence of alternative means of testing nuclear weapons explosions, this made the software simulations especially important; but it also made them a choice target for intelligence agencies.<\/p>\n

According to Iranian documents Israel obtained in 2018, Iran\u2019s nuclear weapons program had already been encountering problems before it halted in 2003, due to design issues and insufficient scientific knowledge. Albright says these problems likely \u201cpersisted into the time when [Fast16] was active.\u201d\u00a0<\/p>\n

For paid subscribers: To see a detailed timeline of key dates and events around Stuxnet, Fast16 and Iran\u2019s nuclear program, <\/strong>click here<\/strong><\/a>.<\/strong><\/p>\n

\"\"Former Iranian President Mahmoud Ahmadinejad touring centrifuges at the Natanz plant in 2008. Ahmadinejad was president of Iran from 2005-2013. Photo: Courtesy of the Office of the President of IranFast16 at Work<\/strong><\/p>\n

SentinelOne has already described in their research some of what Fast16 does when it first infects a system. It looks for the presence of 18 different security products on the system, and if it finds one of these, it won\u2019t infect the computer. It also automatically spreads to other computers on the same network so that any computer that\u2019s used to run the simulations will produce the same manipulated results. Fast16 also contains support for 8 to 10 different versions of the LS-DYNA software, so that regardless of which version a computer is using, Fast16 will be able to subvert it.\u00a0<\/p>\n

The Symantec researchers have added some new details around this. According to Thakur, code for these various versions was not added at the same time or even sequentially as new versions of the LS-DYNA software were released. Instead, it appeared to be added out of sequence, suggesting that the developers were adding support for different versions over time and based on what the targeted engineers were using at a point in time. This raises the possibility that they were receiving ongoing intelligence whenever engineers switched the version of the simulation software they were using. They believe that as Fast16 did its work to manipulate test results, engineers may have believed the software was the problem and switched to older or newer versions of the LS-DYNA program to see if the results improved.<\/p>\n

Once the malware determined that the right simulation software was running, it would wait for indications that a high-precision explosives test, matching various parameters, was running. Once the test began, Fast16 waited for a specific stage in the explosives simulation.\u00a0<\/p>\n

At the time, Iran was developing and testing high-explosive components for a spherical implosion nuclear weapon. The way such weapons work is that high explosives are packed around a spherical uranium core and ignited. This creates a shockwave that propels a so-called metal \u201cflyer plate\u201d to strike the uranium core, like a hammer, with tremendous force. This compresses the core into a highly pressurized and high-temperature state, which causes neutrons to leak from the uranium. In such a pressurized state, those neutrons collide with nuclei, and cause the nuclei to split and leak more neutrons. These neutrons in turn strike other uranium nuclei in a chain reaction, creating a nuclear explosion.<\/p>\n

To test such explosions, Iran used simulation software to determine how many explosives and how much pressure was needed to achieve the \u201csupercriticality\u201d state that would cause a chain reaction.<\/p>\n

Simulation software helps capture this extremely rapid process through streams of data and graphs, allowing engineers to study it and run different models. Running numerous simulations using different models allows the engineers to see how changing variables like pressure, density, and temperature increase as the compression occurs. This is where Fast16 came in.\u00a0<\/p>\n

The malware would monitor the density of the uranium core, according to Symantec and Albright, and when that value reached 30 grams per cubic centimeters \u2014 a point slightly below the density at which compressed uranium starts to become liquid \u2014 Fast16 would begin to swap out real data about the density of the core, before it appeared on the graphs that engineers were monitoring. It would replace it with false data that indicated that things like the pressure, were lower than they should be. The engineers might conclude from this that their design had failed \u2013 that the uranium core had failed to reach supercriticality.<\/p>\n

Albright says the changes on the graph would likely not have appeared unusual to engineers if the malware lowered the correct values by just 1 to 5 percent. But it would still cause them to believe there had been insufficient force applied to the core to achieve supercriticality. The engineers might think they needed to change their mathematical calculations or apply more explosive force to compress the uranium core \u2013 all in a fruitless endeavor to achieve the results they were seeking.<\/p>\n

But if they added explosives to apply more force against the core, or changed other variables to increase the compression, this could have created more problems, Albright says. And any time they ran another simulation, they would still not get the results they expected.\u00a0<\/p>\n

\u201cWe\u2019re thinking it could have been very disruptive,\u201d Albright says. \u201cThe effect would be to waste time, resources, and lower the overall morale of the program.\u201d<\/p>\n

What they likely would not have done, was think the computer or software had been subverted. Today, in the wake of Stuxnet, it might seem obvious for someone to suspect this. But back in 2005, Thakur notes, computers were still considered mostly trustworthy. And because Fast16 spread to computers across the internal network, even if they tried to use a different computer, they would still get the same results.<\/p>\n

Albright highly doubts that faulty calculations would have made their way into real systems, causing something to explode in unintended ways. Instead, he says, the engineers would have noticed they were getting bad results and been frustrated by repeated failed attempts to resolve the issues. This could have undermined confidence in their designs and potentially created tension and conflict among team members as they tried to fix a problem that didn\u2019t exist. Such frustration could have led to significant delays in the nuclear bomb-making program.<\/p>\n

All of this suggests that the goal wasn\u2019t to sabotage a completed bomb, but to prevent one from ever being made \u2014 at least long enough to bring Iran back to the negotiation table.<\/p>\n

The latter was, in fact, also the aim of Stuxnet. This malicious code wasn\u2019t designed for one-time catastrophic damage that would destroy all of Iran\u2019s centrifuges; it was aimed at doing incremental damage over time, in a way that prevented engineers from pinpointing the problem \u2014 all with the aim of slowing down the enrichment program, in order to buy time to get Iran back into negotiations.<\/p>\n

\"\"Satellite image showing recent bombing damage at Shahid Boroujerdi, part of the Parchin complex in Iran. Image Pleiades 2026, Distribution Airbus DS. Courtesy of the Institute for Science and International SecurityFast16 and Stuxnet in a League of Their Own<\/strong><\/p>\n

Although Fast16 is deceptively simple malware, the Symantec researchers say it\u2019s in an \u201cexclusive league,\u201d because it required deep expertise and understanding of the software and nuclear process it was targeting as well as an understanding of the materials being tested and the precise data changes needed to achieve the desired effect.<\/p>\n

\u201cThe level of expertise required to [create it], and then of course the human effort to execute it, was massive,\u201d Thakur says.<\/p>\n

The knowledge and skill needed to pull it off would be unusual in any era, he says, but the fact that it was developed in 2005 is \u201cmind-blowing.\u201d<\/p>\n

That said, Stuxnet is still the most advanced malware Thakur and his colleagues have ever seen. But Stuxnet and Fast16 share a conceptual framework in that both attacks involved subverting the integrity of data. Furthermore, in both cases, the attackers needed to get into difficult-to-reach, air-gapped and secure environments; they had to understand with certainty how that environment worked; and they had to implement precision changes to achieve their goal. They also had to do this without being detected.<\/p>\n

The revelations about Fast16 are a reminder to Iranian decision makers and nuclear engineers that nothing in the program is out of reach or safe from digital sabotage.<\/strong><\/p><\/blockquote>\n

Stuxnet remained undetected for three years. It was only discovered after it began spreading to systems outside of Natanz, and caused those machines to crash.\u00a0<\/p>\n

Even after it\u2019s discovery, however, it continued to undermine the nuclear program in a different way: by undermining the confidence Iranian engineers had in the computers and equipment being used in the nuclear program. It made them suspicious that any time they experienced a glitch, sabotage might be the cause. The same applies to\u00a0Fast16.<\/p>\n

The new revelations about this remarkable code come at a significant time \u2014 when the US and Israel continue their efforts to eliminate Iran’s nuclear program, but this time using different means.<\/p>\n

Kinetic attacks on Iran have so far not succeeded in eliminating the program completely. But as the US and Iran continue to pressure Iran to make a deal to end \u2013 or at least pause the program for many years \u2013 the revelations about Fast16 are a reminder to Iranian decision makers and nuclear engineers that nothing in the program is out of reach, or safe from digital sabotage.<\/p>\n

For paid subscribers: To see a timeline of key dates and events around Stuxnet, Fast16 and Iran\u2019s nuclear program, <\/strong>click here<\/strong><\/a>. <\/p>\n

See also:<\/strong><\/p>\n

Countdown to Zero Day: Stuxnet and the Launch of the World\u2019s First Digital Weapon<\/strong><\/a><\/p>\n

Leaked Files Show How the NSA Tracks Other Countries\u2019 Hackers<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Researchers have confirmed that a remarkable piece of malware discovered years ago but analyzed only recently was designed…\n","protected":false},"author":3,"featured_media":802046,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[99,50],"class_list":{"0":"post-802045","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-israel","9":"tag-news"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@us\/116587895997054194","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/802045","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/comments?post=802045"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/802045\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media\/802046"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media?parent=802045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/categories?post=802045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/tags?post=802045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}