ZionSiphon: Critical Infrastructure Malware Targeting Israeli Water Systems
Key Findings
- New malware strain named ZionSiphon discovered targeting Israeli water treatment and desalination plants
- Malware designed to alter chlorine levels and water pressure in critical infrastructure systems
- Contains hardcoded targeting for specific Israeli facilities and IP ranges
- Includes political messaging supporting Iran, Yemen, and Palestine
- Critical flaw in targeting logic prevents malware from executing payload, rendering current sample ineffective
- Threat actors identified as 0xICS; malware appears incomplete or still in development
- Spreads via USB drives using fake shortcuts and persistence mechanisms
- Demonstrates growing trend of state-sponsored actors developing OT-focused malware
Background
Darktrace researchers identified ZionSiphon, a malware strain specifically engineered to target operational technology systems managing water treatment and desalination across Israel. Desalination is critical infrastructure in Israel, converting saltwater into drinking water for the nation's population. While the discovered sample remains incomplete, its design reveals serious intent to cause real-world damage by manipulating physical systems rather than simply stealing data.
Attack Capabilities and Methods
ZionSiphon employs several sophisticated techniques to evade detection and maintain persistence. Upon infection, it checks for administrative rights using RunAsAdmin() and masks itself as svchost.exe, a legitimate Windows process. The malware creates a registry key named SystemHealthCheck to ensure it survives system reboots.
The malware spreads through removable media, automatically copying itself to any USB drive connected to an infected system. It hides the original files and creates deceptive shortcuts using CreateUSBShortcut(), tricking users into executing the payload when they click what appears to be a normal file.
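The host-side behaviours described above (a svchost.exe running outside its system directory, a persistence value named SystemHealthCheck, and hidden originals paired with look-alike shortcuts on removable media) are all things a defender can triage from collected telemetry. The script below is an added example, not code from the Darktrace report or from the malware; the process list, autostart entries, USB file listing and the lure target are constructed sample records, and it assumes the persistence entry is a Run-style autostart value, which the report does not specify.

```python
"""Triage of constructed host telemetry for the ZionSiphon host behaviours
described above: svchost.exe masquerading, the SystemHealthCheck persistence
name, and hidden-original/fake-shortcut lures on removable media.
All records below are constructed sample data, not artefacts from the report."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# The only directories a genuine svchost.exe image lives in.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Persistence value name reported for ZionSiphon; compared case-insensitively.
SUSPICIOUS_AUTORUN_NAMES = {"systemhealthcheck"}


def find_masquerading_svchost(processes: List[Dict[str, str]]) -> List[str]:
    """Return image paths of processes named svchost.exe that do not run
    from System32/SysWOW64."""
    hits = []
    for proc in processes:
        if proc["name"].lower() != "svchost.exe":
            continue
        parent = str(PureWindowsPath(proc["path"]).parent).lower()
        if parent not in LEGIT_SVCHOST_DIRS:
            hits.append(proc["path"])
    return hits


def find_suspicious_autoruns(autoruns: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return autostart entries whose value name matches the reported name.
    Assumption: a Run-style autostart value; the report only says a registry
    key named SystemHealthCheck provides reboot persistence."""
    return [a for a in autoruns if a["name"].lower() in SUSPICIOUS_AUTORUN_NAMES]


def find_shortcut_lures(usb_files: List[Dict]) -> List[Tuple[str, str, Optional[str]]]:
    """Flag a .lnk whose name (minus .lnk) equals a hidden non-shortcut file in
    the same directory: the hidden-original plus fake-shortcut pattern."""
    hidden_by_dir: Dict[str, set] = {}
    for entry in usb_files:
        if entry["hidden"] and not entry["name"].lower().endswith(".lnk"):
            hidden_by_dir.setdefault(entry["dir"], set()).add(entry["name"].lower())
    lures = []
    for entry in usb_files:
        name = entry["name"]
        if not name.lower().endswith(".lnk"):
            continue
        if name[:-4].lower() in hidden_by_dir.get(entry["dir"], set()):
            lures.append((entry["dir"], name, entry.get("target")))
    return lures


# Constructed sample telemetry (every path, name and target here is invented).
SAMPLE_PROCESSES = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"name": "svchost.exe", "path": r"C:\Users\operator\AppData\Roaming\svchost.exe"},
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
]
SAMPLE_AUTORUNS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "value": r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SystemHealthCheck", "value": r"C:\Users\operator\AppData\Roaming\svchost.exe"},
]
SAMPLE_USB_FILES = [
    {"dir": "E:\\", "name": "Report.docx", "hidden": True, "target": None},
    {"dir": "E:\\", "name": "Report.docx.lnk", "hidden": False, "target": r"E:\svchost.exe"},
    {"dir": "E:\\", "name": "photo.jpg", "hidden": False, "target": None},
]


def triage() -> Dict[str, list]:
    """Run all three checks over the constructed sample and return findings."""
    return {
        "masquerading_svchost": find_masquerading_svchost(SAMPLE_PROCESSES),
        "suspicious_autoruns": find_suspicious_autoruns(SAMPLE_AUTORUNS),
        "shortcut_lures": find_shortcut_lures(SAMPLE_USB_FILES),
    }


if __name__ == "__main__":
    for check, findings in triage().items():
        print(f"{check}: {findings}")
```

In practice the three lists would come from an EDR export, an autoruns dump and a directory listing of the mounted drive; the checks are deliberately independent so each can be wired into whichever collection source an environment already has.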
ZionSiphon scans networks for Industrial Control System protocols including Modbus, DNP3, and S7comm. It searches for configuration files like DesalConfig.ini and ChlorineControl.dat that control water treatment operations. The Modbus functionality is most developed, allowing the malware to read and modify registers controlling critical parameters.
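Because the report singles out Modbus register writes as the most developed capability, the most useful network-side control is to watch for write function codes that should never originate from anything but the engineering workstation, or that touch safety-relevant setpoints. The following is an added example written for this page, not the analysis tooling of Darktrace or any project; the Modbus/TCP frames, the allowlisted host 10.10.1.5, the unknown host 10.10.1.77 and the register-to-setpoint map are all constructed.

```python
"""Inspect Modbus/TCP requests for register writes that a water-treatment
network should never see: writes from hosts other than the engineering
workstation, and writes touching safety-critical registers.
Added example; the frames, hosts and register map are constructed, not taken
from the ZionSiphon sample."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes that change process state.
WRITE_FUNCTIONS = {
    5: "write single coil",
    6: "write single register",
    15: "write multiple coils",
    16: "write multiple registers",
    23: "read/write multiple registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int] = None  # first coil/register written
    count: int = 0                       # number of coils/registers written


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse the MBAP header and enough of the PDU to know what a write touches.
    Returns None for frames that are malformed or not Modbus/TCP."""
    if len(frame) < 8:
        return None
    tx_id, proto_id, length, unit_id, function = struct.unpack(">HHHBB", frame[:8])
    # Protocol id is always 0; length counts unit id + PDU, i.e. everything after byte 6.
    if proto_id != 0 or length != len(frame) - 6:
        return None
    pdu = frame[8:]  # bytes following the function code
    req = ModbusRequest(tx_id, unit_id, function)
    if function in (5, 6):           # address(2) value(2)
        if len(pdu) < 4:
            return None
        req.start_address = struct.unpack(">H", pdu[:2])[0]
        req.count = 1
    elif function in (15, 16):       # address(2) quantity(2) bytecount(1) data
        if len(pdu) < 5:
            return None
        req.start_address, req.count = struct.unpack(">HH", pdu[:4])
    elif function == 23:             # read addr(2) read qty(2) write addr(2) write qty(2)
        if len(pdu) < 9:
            return None
        _, _, req.start_address, req.count = struct.unpack(">HHHH", pdu[:8])
    return req


def inspect_request(src_ip: str, frame: bytes, allowed_writers: Set[str],
                    critical_registers: Dict[int, str]) -> List[str]:
    """Return human-readable alert reasons for one request (empty list = benign)."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return ["malformed or non-Modbus frame"]
    if req.function not in WRITE_FUNCTIONS:
        return []  # reads are routine polling traffic
    reasons = []
    if src_ip not in allowed_writers:
        reasons.append(f"{WRITE_FUNCTIONS[req.function]} from non-allowlisted host {src_ip}")
    touched = set(range(req.start_address, req.start_address + req.count))
    for addr in sorted(touched & set(critical_registers)):
        reasons.append(f"write touches {critical_registers[addr]} (register {addr})")
    return reasons


# Constructed environment: one engineering workstation may write; two holding
# registers are treated as safety-critical setpoints.
ALLOWED_WRITERS = {"10.10.1.5"}
CRITICAL_REGISTERS = {10: "chlorine dose setpoint", 11: "pump pressure setpoint"}

# Constructed captured requests: (source ip, raw Modbus/TCP payload).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    # FC3 read holding registers 0-9 from the workstation: routine polling
    ("10.10.1.5", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # FC6 write single register 10 = 0x00ff from the workstation
    ("10.10.1.5", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x0a\x00\xff"),
    # FC16 write registers 10-11 from an unknown host
    ("10.10.1.77", b"\x00\x03\x00\x00\x00\x0b\x01\x10\x00\x0a\x00\x02\x04\x00\x01\x00\x02"),
]


def run_sample() -> List[Tuple[str, List[str]]]:
    """Inspect the constructed traffic; return (src_ip, reasons) for alerting requests."""
    alerts = []
    for src_ip, frame in SAMPLE_TRAFFIC:
        reasons = inspect_request(src_ip, frame, ALLOWED_WRITERS, CRITICAL_REGISTERS)
        if reasons:
            alerts.append((src_ip, reasons))
    return alerts


if __name__ == "__main__":
    for src_ip, reasons in run_sample():
        print(src_ip, "->", "; ".join(reasons))
```

Even an authorised write to a critical setpoint is alerted on, because in a plant that change should correlate with a logged operator action; a write from an unlisted host is alerted on regardless of the register, which is the case an implant scanning the network for Modbus endpoints would produce.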
Specific Targeting
The malware contains hardcoded IP ranges restricted to Israeli networks: 2.52.0.0-2.55.255.255, 79.176.0.0-79.191.255.255, and 212.150.0.0-212.150.255.255. It specifically targets five major Israeli water facilities: Sorek, Hadera, Ashdod, Shafdan, and Palmachim.
ZionSiphon performs multiple verification checks to confirm it is operating on an Israeli target system before activating its sabotage functions. If target validation fails, the malware triggers a self-destruct routine that removes persistence mechanisms and attempts to delete itself.
Political Messaging and Attribution
Code analysis revealed Base64-encoded strings expressing support for Iran, Yemen, and Palestine. One message references "poisoning the population of Tel Aviv and Haifa." The malware also mentions Dimona, a city known for hosting Israel's nuclear research facility. Threat actors identified themselves as 0xICS, suggesting ideological rather than purely financial motivations.
Critical Flaw Renders Current Sample Inactive
Despite its sophisticated design, ZionSiphon contains a significant coding error that prevents it from operating. The malware includes a country-verification function that compares encrypted values to confirm execution on Israeli systems. However, a flaw in the encryption logic causes the check to always fail, even on valid targets. This mismatch triggers the self-destruct routine before any payload executes.
The malware writes a log message documenting the verification failure and creates a delete.bat script to remove traces. Researchers believe the sample is either intentionally disabled, misconfigured, or remains unfinished.
Implications for Critical Infrastructure
Security experts note that ZionSiphon represents a troubling trend of threat actors developing malware specifically designed for operational technology environments. Even in its broken state, the malware demonstrates clear intent, and the technical capability, to disrupt water systems by pushing pressure and chlorine levels outside safe ranges.
The discovery underscores the vulnerability of critical infrastructure to OT-focused attacks. Experts recommend enhanced monitoring of water treatment facilities, rapid anomaly detection systems, and improved visibility between IT and OT network environments to identify similar threats before they become operational.
Sources
- https://hackread.com/zionsiphon-malware-target-israeli-water-systems/
- https://securityaffairs.com/190922/malware/inside-zionsiphon-politically-driven-malware-aims-at-israeli-water-systems.html
- https://gbhackers.com/zionsiphon-malware/amp/
- https://www.securityweek.com/zionsiphon-malware-targets-ics-in-water-facilities/amp/
- https://www.bleepingcomputer.com/news/security/zionsiphon-malware-designed-to-sabotage-water-treatment-systems/
- https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems