Fast16 Malware Was Sabotaging Nuclear Weapons Tests, Likely in Iran


Experts Confirm the Fast16 Malware Was Sabotaging Nuclear Weapons Tests, Likely in Iran


Researchers have confirmed that a remarkable piece of malware discovered years ago but analyzed only recently was designed to subvert nuclear weapons testing simulations with the aim of undermining those tests and slowing the progress of a nuclear program. The new report, from researchers at the security firm Symantec, confirms what has only previously been speculated about the code by the company that first discovered it — SentinelOne.

The malicious code, known as Fast16, was designed to subvert at least two specialized software programs that were commonly used for simulating weapons explosions at the time the code was active in 2005. According to Vikram Thakur, technical director for Symantec, and Eric Chien, a fellow in Symantec's security technology and response division, it cleverly swapped out legitimate data produced by the simulation software, replacing it with false data that was fed to engineers monitoring those simulated tests. Specifically, it waited until the simulation neared the point of “supercriticality,” when the chain reaction leading to a nuclear explosion would begin, and altered data pertaining to the pressure inside the uranium core to indicate to engineers that the pressure was insufficient to achieve supercriticality, even though the real data showed otherwise.

This appears to have been aimed at tricking the engineers into believing the tests were less successful than they actually were, in order to create confusion and slow the progress of the nuclear program Fast16 was targeting.

Nuclear experts say that based on details contained in the code and the period in which it was active, they are certain the target was Iran’s nuclear weapons program.

“While we cannot exclude other target countries working on nuclear weapons in the early 2000s, such as North Korea or possibly Syria, the timing, the access required [to create the malware] and the focus on uranium, point to Iran’s nuclear weapons efforts being the target,” David Albright, a physicist and founder and president of the Institute for Science and International Security, told Zero Day.

The way the code acted is not very different from Stuxnet, a virus created by the US and Israel to subvert centrifuges used by Iran to enrich uranium gas. That code, too, fed false data to operators to trick them into believing the centrifuges were fine, when they weren’t.

Fast16 only predates Stuxnet by about a year. The code was developed in 2005 according to evidence in the code, and there is evidence that Stuxnet was under development during this same period, though the latter wasn’t unleashed on systems in Iran until 2007. There is evidence that Fast16 was likely also created by the US, Israel or another ally.

Although Stuxnet wasn’t unleashed until two years after Fast16, domains used as command-and-control servers to communicate with Stuxnet were registered in November 2005 to prepare for it; and in early 2006, a sabotage test was conducted with Stuxnet in the US, showing proof of concept. The results from that test were presented to President George Bush at the time, who authorized the covert sabotage operation once he understood that it could succeed. In May 2006, the developers of Stuxnet made updates to their code, and sometime in the fall of 2007 it was secretly installed on machines in Iran by a Dutch mole.

All of this suggests that if Fast16 did target Iran in 2005, and if the US or Israel were behind it, it did not really predate Stuxnet, but was contemporaneous with it, and together they were part of a multi-pronged campaign by the US and its allies to subvert and slow Iran’s nuclear ambitions.

Stuxnet increased the pressure inside centrifuges and caused them to spin out of control, while feeding false data to operators to make them think the centrifuges were working fine. Fast16 took a different approach and fed operators false data about nuclear warhead testing to make engineers believe the tests were not fine, while in fact they may have been.

All of this suggests that the story of Fast16 is a new chapter in the west’s two-decade campaign to halt or destroy Iran’s nuclear program.

[Map: Facilities in Iran known or believed to be part of the nuclear program as of June 12, 2025. The sites marked in red are primary nuclear sites. Map: Thomas Gaulkin/ Datawrapper. Source: Nuclear Threat Initiative]

How Fast16 Was Discovered

It’s not clear if the victims of Fast16 ever discovered the code on their systems, but its existence first came to the attention of Juan Andres Guerrero-Saade, senior technical fellow for research and innovation at SentinelOne,...
