A newly identified malware, dubbed ZionSiphon, poses a significant threat to Israel's critical water infrastructure, specifically targeting desalination plants with the intent to sabotage operations. The sample, analysed by Darktrace, embeds politically motivated messages and is built to disrupt the supply of clean water to millions.
ZionSiphon Malware Targets Israeli Water Infrastructure
ZionSiphon is distinguished by its highly specific targeting, featuring hardcoded Israeli IP address ranges and politically charged embedded messages. One decoded string reveals a statement of support for Iran, Palestine, and Yemen against "Zionist aggression," identifying the operator as "0xICS." Another message explicitly references "Poisoning the population of Tel Aviv and Haifa," indicating an intent to cause widespread physical harm rather than merely to disrupt operations.
Darktrace's detailed analysis indicates that ZionSiphon combines several host-based attack capabilities. These include mechanisms for escalating privileges, ensuring persistence on compromised systems, spreading via USB drives, and scanning for Operational Technology (OT)-relevant services within local networks. Individually, these features are common in commodity malware; it is the combination of politically charged rhetoric, Israel-specific targeting, and a deliberate focus on desalination processes that sets ZionSiphon apart.
The malware’s target list includes specific names of key Israeli water infrastructure entities. Notably, it names Mekorot, Israel’s national water company, as well as four major seawater desalination plants: Sorek, Hadera, Ashdod, and Palmachim. The Shafdan wastewater treatment facility is also listed, demonstrating that the attackers possess a clear understanding of the structure and importance of the country’s water sector.
The most concerning aspect of ZionSiphon is its sabotage logic. Once the malware verifies it is operating within a suitable water treatment environment, it attempts to alter critical configuration files. It injects specific values such as "Chlorine_Dose=10," "Chlorine_Pump=ON," "Chlorine_Flow=MAX," "Chlorine_Valve=OPEN," and "RO_Pressure=80." If the targeted control software actually consumes those files, the changes would push chlorine dosing and reverse-osmosis pressure far outside normal operating values, potentially rendering the water supply unsafe for consumption.
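As an added illustration (not part of Darktrace's analysis and not code from the malware), the following Python script shows the kind of configuration-file check the sabotage logic above argues for: it diffs a current key=value setpoint file against a known-good baseline and additionally flags values outside operator-defined limits, so that an edit like "Chlorine_Dose=10" is caught even if no baseline exists. The file format, the baseline values and the safe ranges are assumptions constructed for the example; only the key names are the ones the article reports.

```python
"""Detect tampering of a water-treatment setpoint file (added example)."""
from typing import Dict, List, Set, Tuple

# Operator-defined acceptable values per parameter. The key names match the
# strings the article reports ZionSiphon injects; the ranges and units are
# assumptions for the example, not real plant limits.
SAFE_RANGES: Dict[str, Tuple[float, float]] = {
    "Chlorine_Dose": (0.2, 2.0),   # mg/L, assumed
    "RO_Pressure": (50.0, 70.0),   # bar, assumed
}
SAFE_ENUMS: Dict[str, Set[str]] = {
    "Chlorine_Flow": {"LOW", "NORMAL"},
    "Chlorine_Valve": {"OPEN", "CLOSED"},   # both normal; only drift is flagged
    "Chlorine_Pump": {"ON", "OFF"},
}

# Constructed snapshots: a known-good baseline and the same file after the
# five values named in the article have been written into it.
BASELINE = """
# baseline snapshot taken during commissioning (constructed)
Chlorine_Dose=1.2
Chlorine_Pump=ON
Chlorine_Flow=NORMAL
Chlorine_Valve=OPEN
RO_Pressure=60
"""
TAMPERED = """
Chlorine_Dose=10
Chlorine_Pump=ON
Chlorine_Flow=MAX
Chlorine_Valve=OPEN
RO_Pressure=80
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse simple KEY=VALUE lines, ignoring blanks and '#' comments."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def check_config(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return alerts for keys that drifted from baseline or fall outside safe limits."""
    alerts: List[str] = []
    for key, value in current.items():
        old = baseline.get(key)
        if old is None:
            alerts.append(f"new key {key}={value}")
        elif old != value:
            alerts.append(f"{key} changed {old} -> {value}")
        # Range/enum checks run even when no baseline entry exists.
        if key in SAFE_RANGES:
            lo, hi = SAFE_RANGES[key]
            try:
                num = float(value)
            except ValueError:
                alerts.append(f"{key} non-numeric: {value!r}")
                continue
            if not lo <= num <= hi:
                alerts.append(f"{key}={value} outside safe range {lo}-{hi}")
        elif key in SAFE_ENUMS and value.upper() not in SAFE_ENUMS[key]:
            alerts.append(f"{key}={value} not an allowed setting")
    for key in baseline:
        if key not in current:
            alerts.append(f"missing key {key}")
    return alerts


def run_example() -> List[str]:
    """Compare the constructed tampered file against the baseline."""
    return check_config(parse_config(BASELINE), parse_config(TAMPERED))


if __name__ == "__main__":
    for alert in run_example():
        print("ALERT:", alert)
```

Against the constructed input this produces six alerts: a drift alert plus a limit alert for each of Chlorine_Dose, Chlorine_Flow and RO_Pressure, while the unchanged Chlorine_Pump and Chlorine_Valve entries stay silent. In a plant the baseline would be the commissioned file under change control and the check would run on every modification event rather than on demand.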
Infection Mechanism and OT Protocol Targeting
Upon gaining initial access, ZionSiphon proceeds to establish a hidden presence and scan for industrial control devices. Its persistence routine copies the malware to a concealed location under the name "svchost.exe," borrowing the name of a legitimate Windows process, and then creates a registry entry labeled "SystemHealthCheck" that launches the hidden copy. The disguise is aimed at users and basic monitoring tools; since the genuine svchost.exe resides only in the Windows system directories, any svchost.exe running from elsewhere is a straightforward indicator.
Following the establishment of persistence, ZionSiphon initiates a subnet-wide scan targeting OT devices. It probes for services listening on common industrial communication ports: port 502 for Modbus, port 20000 for DNP3, and port 102 for S7comm. These protocols are widely used in water treatment plants and other critical infrastructure. The malware then conducts a secondary validation to confirm the protocol type before attempting to send commands.
The Modbus protocol appears to be the most developed target within ZionSiphon’s scanning functionality. The malware sends a “Read Holding Registers” request and analyzes the returned values. It then attempts to identify and write to registers controlling crucial parameters like chlorine dosage. If a specific register cannot be identified through analysis, the malware defaults to using hardcoded Modbus write frames, ensuring an attempted modification regardless of the precise system configuration. This fallback mechanism suggests the attacker may not have had complete knowledge of the target systems but was determined to execute some form of interference.
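To make the Modbus behaviour concrete, here is an added Python example (not code from the malware or from Darktrace) that parses Modbus/TCP request frames, classifies them as reads or writes by function code, and alerts on any write that does not originate from an allowlisted engineering workstation, which is the network-side check the read-then-write pattern above calls for. The sample traffic, the IP addresses and register address 40 are constructed for the example; the function codes (0x03 Read Holding Registers, 0x06 Write Single Register, 0x10 Write Multiple Registers) and the MBAP header layout are standard Modbus.

```python
"""Classify Modbus/TCP requests and flag writes from unauthorised hosts (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
# Function codes that change process state (coils and holding registers).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Assumed: only the engineering workstation may write to PLCs.
WRITE_ALLOWLIST = {"10.10.1.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    values: Tuple[int, ...]   # quantity for a read, register values for a write


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header plus PDU; return None for malformed frames."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # MBAP 'length' counts unit id + PDU, i.e. everything after the first 6 bytes.
    if proto != 0 or length != len(frame) - 6:
        return None
    pdu = frame[7:]
    func = pdu[0]
    if func in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        if len(pdu) != 5:
            return None
        addr, value = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, func, addr, (value,))
    if func == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            return None
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            return None
        values = struct.unpack(f">{qty}H", pdu[6:6 + nbytes])
        return ModbusRequest(tid, unit, func, addr, values)
    return ModbusRequest(tid, unit, func, 0, ())   # other codes: keep the code only


def build_request(tid: int, unit: int, func: int, addr: int, values: Tuple[int, ...]) -> bytes:
    """Construct a request frame; used here only to make sample traffic."""
    if func == WRITE_MULTIPLE_REGISTERS:
        pdu = struct.pack(">BHHB", func, addr, len(values), 2 * len(values))
        pdu += struct.pack(f">{len(values)}H", *values)
    else:
        pdu = struct.pack(">BHH", func, addr, values[0])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def evaluate(src_ip: str, frame: bytes) -> str:
    """Return 'allow', 'alert' or 'malformed' for one frame seen on TCP/502."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return "malformed"
    if req.function in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        return "alert"
    return "allow"


# Constructed sample traffic: an unknown host reads holding registers, then
# writes a single register and a block of registers; the engineering
# workstation writes; finally a truncated frame.
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.10.1.77", build_request(1, 1, READ_HOLDING_REGISTERS, 0, (10,))),
    ("10.10.1.77", build_request(2, 1, WRITE_SINGLE_REGISTER, 40, (10,))),
    ("10.10.1.77", build_request(3, 1, WRITE_MULTIPLE_REGISTERS, 40, (10, 1, 80))),
    ("10.10.1.5", build_request(4, 1, WRITE_SINGLE_REGISTER, 40, (1,))),
    ("10.10.1.77", b"\x00\x05\x00\x00\x00\x02\x01"),
]


def run_example() -> List[Tuple[str, str]]:
    return [(ip, evaluate(ip, frame)) for ip, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for ip, verdict in run_example():
        print(f"{ip:12} {verdict}")
```

The read from 10.10.1.77 is allowed (reconnaissance alone is not distinguishable from an HMI poll), both of its writes raise alerts, the workstation's write passes, and the short frame is reported as malformed rather than silently dropped. In a real deployment the allowlist would come from the asset inventory and the frames from a SPAN port or a tap on the OT segment.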
The DNP3 and S7comm components of ZionSiphon appear to be less complete. While they contain protocol-accurate prefix sequences, indicating an intention to develop multi-protocol OT attack capabilities, the code fragments are insufficient to form valid commands. Darktrace’s analysis suggests the analyzed version might be a development build, an early deployment, or a version intentionally limited for testing purposes.
Additionally, ZionSiphon incorporates a USB propagation feature. It scans for removable drives and copies itself onto them using the "svchost.exe" filename, marking the files as hidden and system files. It also creates shortcut files that mimic regular documents. When a user opens one of these shortcuts, the malware is executed without the user's knowledge, allowing it to spread to other hosts, including those on network segments that are otherwise isolated from the infected machine.
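The persistence and USB-propagation behaviour described above yields two simple host-side checks. The Python below is an added example, not Darktrace's tooling or code from the malware: it flags autorun entries named "SystemHealthCheck" or launching an svchost.exe from outside the Windows system directories, and flags removable-drive listings that contain a hidden or system-attributed svchost.exe or shortcuts named like documents (for instance Report.pdf.lnk). The autorun entries, paths and file listing are constructed inputs; the article does not say which registry key the malware uses or where the hidden copy is stored, so the code takes a generic (name, command) listing rather than reading the registry itself.

```python
"""Host-side indicators for misplaced svchost.exe and USB shortcut lures (added example)."""
import ntpath
from typing import Iterable, List, Tuple

# The genuine service host binary lives only in these directories.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Autorun value name reported in the article.
SUSPECT_AUTORUN_NAMES = {"systemhealthcheck"}
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".doc", ".xlsx", ".xls", ".txt"}

# Constructed autorun listing: (value name, command line). Paths are invented.
AUTORUNS: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SystemHealthCheck", r'"C:\Users\Public\Libraries\svchost.exe"'),
    ("Updater", r"C:\ProgramData\Cache\svchost.exe -k netsvcs"),
]
# Constructed removable-drive listing: (file name, hidden attribute, system attribute).
USB_LISTING: List[Tuple[str, bool, bool]] = [
    ("svchost.exe", True, True),
    ("Quarterly_Report.pdf.lnk", False, False),
    ("Quarterly_Report.pdf", False, False),
    ("photos", False, False),
]


def executable_path(command: str) -> str:
    """Extract the program path from an autorun command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def svchost_outside_system32(command: str) -> bool:
    """True if the command launches an svchost.exe from a non-standard directory."""
    directory, name = ntpath.split(executable_path(command))
    return name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS


def suspicious_autoruns(entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Flag autorun values by known name or by a misplaced svchost.exe."""
    hits: List[str] = []
    for name, command in entries:
        reasons = []
        if name.lower() in SUSPECT_AUTORUN_NAMES:
            reasons.append("known persistence value name")
        if svchost_outside_system32(command):
            reasons.append("svchost.exe outside System32")
        if reasons:
            hits.append(f"{name}: {command} [{'; '.join(reasons)}]")
    return hits


def lure_shortcut(filename: str) -> bool:
    """True for shortcuts whose name ends in a document extension, e.g. Report.pdf.lnk."""
    stem, ext = ntpath.splitext(filename)
    return ext.lower() == ".lnk" and ntpath.splitext(stem)[1].lower() in DOCUMENT_EXTENSIONS


def suspicious_removable_files(listing: Iterable[Tuple[str, bool, bool]]) -> List[str]:
    """Flag removable-media entries matching the propagation pattern."""
    hits: List[str] = []
    for name, hidden, system in listing:
        if name.lower() == "svchost.exe" and (hidden or system):
            hits.append(f"{name}: hidden/system svchost.exe on removable media")
        elif lure_shortcut(name):
            hits.append(f"{name}: shortcut posing as a document")
    return hits


if __name__ == "__main__":
    for hit in suspicious_autoruns(AUTORUNS) + suspicious_removable_files(USB_LISTING):
        print("HIT:", hit)
```

On a live Windows host the same functions can be fed from the HKCU and HKLM Run keys via the winreg module and from os.scandir, where each entry's stat result carries the st_file_attributes bitmask needed for the hidden and system flags. Note that the "Updater" entry is caught purely by the svchost.exe location check, so the detection does not depend on the attacker reusing the "SystemHealthCheck" name.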
For organizations operating critical infrastructure, especially within the water and utility sectors, Darktrace's findings highlight the imperative for continuous monitoring across both IT and OT environments. Security teams must maintain high visibility into industrial control system networks, baseline and alert on changes to ICS configuration files, watch removable media for the hidden svchost.exe and document-lookalike shortcut pattern, and log and analyse Modbus, DNP3 and S7comm traffic, in particular Modbus write function codes issued by hosts that are not engineering workstations. Maintaining cross-visibility between IT and OT systems is crucial for detecting and mitigating threats like ZionSiphon before they can cause tangible damage.