Sunday 26 April 2026

Before Stuxnet, There Was 'fast16': Researchers Uncover a Lost Chapter of Cyberwarfare History

A pre-Stuxnet sabotage framework surfaces, Google bets $40B on Anthropic, and a new Teams-based malware campaign is quietly emptying inboxes.

Lead story

Stuxnet has long been treated as the opening act of nation-state cyberwarfare — the moment a piece of code first physically destroyed hardware. But new research from SentinelOne suggests that story needs a rewrite. Analysts have uncovered a previously unknown malware framework called fast16 that predates Stuxnet by several years, with evidence pointing to development as early as 2005.

The malware is built in Lua — an unusual choice that itself hints at a sophisticated, deliberate author — and was designed to target high-precision engineering calculation software. The implication is clear: someone, well before Stuxnet's 2010 discovery, was already writing code intended to corrupt the kind of software used in industrial and scientific processes. The most obvious candidate for a target, given the timeline and the focus on precision engineering tools, is Iran's uranium enrichment programme.

What makes this discovery genuinely significant isn't just the historical footnote. It's what it tells us about the true timeline of offensive cyber capability. Stuxnet's 2010 exposure was treated as a watershed — proof that a cyberweapon could jump the air gap and physically sabotage centrifuges. But if fast16 was operational five years earlier, the development arc of nation-state cyber operations is longer, and likely more advanced, than the public record has ever reflected.

It also raises an uncomfortable question: how many other pre-Stuxnet tools are still sitting in malware repositories, misclassified or unanalysed, waiting for someone to connect the dots? SentinelOne's research suggests that the lineage of ICS-targeted malware — Industroyer, Triton, Pipedream — has roots deeper than the industry has formally documented.

For defenders of operational technology (OT) and industrial control systems (ICS), the research is a useful reminder that threats to critical infrastructure have always been longer in the making than public disclosures suggest. Adversaries invest years in capability development before deployment. The attack you're patching against today was probably designed half a decade ago.

SentinelOne hasn't publicly attributed fast16 to a specific nation-state, which is the right call given the evidence available. Attribution in cyberwarfare is notoriously hard, and the consequences of getting it wrong are serious. But the targeting profile and the technical sophistication point toward a well-resourced state actor with a specific geopolitical interest in slowing Iran's nuclear ambitions — which, in 2005, was a short list.

What to watch: Whether other vendors start re-examining historical malware samples through the lens of this discovery. SentinelOne has essentially published a methodology as much as a finding. Expect follow-on research. Also watch for any Iranian or IAEA response — fast16's existence, if confirmed to have been deployed, represents another chapter in a covert campaign against their nuclear infrastructure that Tehran has rarely acknowledged openly.

Also today

Google Doubles Down on Anthropic With $40B Investment

Google has committed up to $40 billion to Anthropic, the AI safety company behind the Claude model family. The deal follows a separate investment from Amazon just days prior, suggesting the two cloud giants are locked in a bidding war for influence over one of the few credible alternatives to OpenAI. For Anthropic, the funding provides runway to compete at the frontier — and leverage to stay independent in name, even as it grows increasingly dependent on two of the world's largest infrastructure providers. The investment also signals that the AI arms race is far from cooling; if anything, the capital commitments are accelerating.

Ars Technica

UNC6692 Deploys 'Snow' Malware Suite via Microsoft Teams

A threat group designated UNC6692 is abusing Microsoft Teams to deliver a novel multi-component malware toolkit called Snow. The campaign uses social engineering — impersonating IT help desk staff — to trick targets into granting access, after which the attackers deploy a browser extension that can harvest credentials, a tunneller for covert network access, and a full backdoor. The Teams vector is increasingly attractive to attackers because many organisations whitelist it by default and employees are conditioned to trust internal-looking messages. This is not the first Teams-based campaign, but the custom tooling here suggests a more capable, persistent actor than typical opportunists.

Bleeping Computer

ADT Confirms Breach as ShinyHunters Applies Extortion Pressure

Home security provider ADT has acknowledged a data breach after the ShinyHunters group threatened to publish stolen data unless a ransom was paid. ADT hasn't disclosed the full scope of what was taken, but ShinyHunters has a credible track record — the group was behind the Snowflake-linked breaches that hit Ticketmaster and dozens of other firms. The irony of a home security company failing to secure its own customer data is not subtle. Affected customers should watch for phishing attempts that use personal details to appear legitimate, since that's typically how stolen data from these breaches gets monetised downstream.

Bleeping Computer

CISA Adds Four Actively Exploited Flaws to KEV Catalogue

The US Cybersecurity and Infrastructure Security Agency has added four vulnerabilities to its Known Exploited Vulnerabilities catalogue, affecting SimpleHelp remote support software, Samsung's MagicINFO 9 digital signage server, and D-Link DIR-823X routers. The SimpleHelp flaw carries a near-perfect CVSS score of 9.9 and involves missing authorisation checks. Federal agencies have been given a May 2026 deadline to remediate. SimpleHelp and Samsung MagicINFO are common in enterprise environments; D-Link routers are widespread in small business and home office settings. If you manage any of these, treat this as a drop-everything patch situation.

The Hacker News

GopherWhisker: China-Linked APT Hides in Plain Sight Using Legitimate Cloud Services

A newly tracked Chinese threat actor called GopherWhisper has been observed targeting government organisations by routing malicious traffic through legitimate cloud and web services — a living-off-trusted-infrastructure technique that makes detection significantly harder. The group deploys multiple Go-based backdoors alongside custom loaders and code injectors. Using legitimate services as command-and-control channels means traditional domain blocklists and IP reputation tools offer little protection. The Go tooling is consistent with several other Chinese APT clusters, suggesting shared development resources or a common supplier within China's state-sponsored ecosystem.

SecurityWeek

DeepSeek V4 Preview: Three Reasons It Actually Matters

DeepSeek has released a preview of V4, its new flagship model, and MIT Technology Review argues it deserves more attention than the usual "China releases another model" take. The key upgrade is a new architecture that handles much longer context windows more efficiently — a meaningful practical improvement for enterprise and research use cases. It's also open source, which means it will be fine-tuned, red-teamed, and embedded in products within weeks of release. DeepSeek continues to punch above its weight relative to its reported compute budget, which keeps pressure on US labs to justify their vastly larger spending.

MIT Technology Review

Cohere and Aleph Alpha Merge to Build a Transatlantic AI Alternative

Canadian enterprise AI firm Cohere is merging with Germany's Aleph Alpha, backed by Schwarz Group — the retail conglomerate behind Lidl. The stated goal is a sovereign AI stack for European and Canadian enterprises that don't want their sensitive data processed by American hyperscalers. Both companies have positioned themselves as the compliance-friendly, privacy-respecting alternative to OpenAI and Google. The Schwarz Group backing is notable: it gives the combined entity a major enterprise anchor customer and distribution reach across Europe. Whether "sovereign AI" is a genuine differentiator or a marketing wrapper remains to be tested.

TechCrunch

Discord Investigators Breach Anthropic's Internal 'Mythos' System

A group of amateur sleuths operating via Discord managed to gain unauthorised access to Mythos, an internal Anthropic system, according to Wired's security roundup. Details on the method of access are limited, but the incident sits alongside a broader pattern of AI company internal tools being probed and accessed by outsiders — partly because these companies are building fast and security controls don't always keep pace. Anthropic has not publicly detailed what Mythos contains or what, if anything, was exposed. The incident is a useful reminder that even the most safety-conscious AI lab is still a tech company with the usual attack surface.

WIRED

OpenAI Apologises Over Tumbler Ridge Mass Shooting Failure

OpenAI CEO Sam Altman has written a public apology to residents of Tumbler Ridge, a small British Columbia community, after it emerged that the company failed to notify law enforcement when its systems flagged a user who later carried out a mass shooting. The letter acknowledges the failure directly and describes it as deeply regrettable. The incident raises hard questions about what obligations AI companies have when their models surface credible threats — and whether current reporting frameworks, which are largely voluntary, are fit for purpose. It's the kind of case that tends to accelerate regulatory conversations about mandatory disclosure.

TechCrunch

Trump Dismisses Entire National Science Board

The Trump administration has terminated the full membership of the National Science Board, the body that oversees the National Science Foundation and advises Congress and the White House on science policy. The NSF has already been operating at historically suppressed funding levels, with significant delays in grant disbursements. The board's dismissal effectively removes an independent check on how the US government prioritises and funds basic research — the kind of research that produced foundational technologies in wireless communications, medical imaging, and internet infrastructure. Critics are framing it as the latest step in a broader effort to restructure federal science institutions.

The Verge

Apple's Hardware-First Era: What a Ternus CEO Means for the Product Roadmap

John Ternus, Apple's incoming chief executive, has spent his career on the hardware side of the company — he oversaw the M-series chip transition and the redesign of the MacBook Pro line. His elevation signals that Apple may be pivoting back toward devices as its primary identity, after years in which services revenue dominated the strategy conversation. For the tech industry broadly, an Apple that's chasing hardware differentiation again could reignite competition in laptop and mobile form factors that has been relatively stagnant. It also raises questions about how aggressively Apple will integrate AI at the hardware level, where Ternus's instincts are strongest.

TechCrunch