What happened
Researchers at Darktrace have identified a new malware called ZionSiphon that is purpose-built to target water treatment and desalination systems and cause physical damage to their operations. The malware is designed to manipulate chlorine dosing and hydraulic pressure by appending configuration changes directly to OT and ICS files, with a dedicated function that sets chlorine levels, pump states, flow rates, and reverse osmosis pressure to maximum values. ZionSiphon also scans local subnets for Modbus, DNP3, and S7comm industrial protocols and includes a USB propagation mechanism that disguises itself as a hidden svchost.exe process and plants malicious shortcut files, a method suited for reaching air-gapped systems. Based on IP targeting logic and embedded political strings, the malware appears to be focused on Israeli targets. In its current form, ZionSiphon is non-functional due to an XOR mismatch in its country verification logic that causes it to self-destruct instead of executing its payload. Darktrace warns the flaw is minor and a future version could correct it.
Who is affected
Water treatment and desalination facilities, particularly those operating in Israel, are the intended targets based on the malware’s embedded targeting logic. Operators of OT and ICS environments running air-gapped or internet-isolated systems are also at risk, given ZionSiphon’s USB propagation capability and its design to interact with industrial control protocols.
Why CISOs should care
ZionSiphon is inert now, but only because of a coding error its authors can fix at any time. The malware shows clear intent to cause physical harm through chemical manipulation of water infrastructure, and its USB propagation method is specifically designed to bypass air-gap isolation. For security leaders responsible for OT environments or critical infrastructure, this is an early warning on a threat that is closer to operational than it should be.
3 practical actions
- Audit removable media controls: Review USB access policies on OT and ICS systems, particularly those managing chemical dosing, pressure, or treatment settings, and enforce hardware-level restrictions where possible.
- Check ICS configuration file integrity: Identify which configuration files govern chlorine dosing, pump operation, and pressure settings, and implement monitoring or integrity checks that alert on unexpected modifications.
- Review OT protocol exposure: Assess whether Modbus, DNP3, or S7comm services are exposed on local subnets and verify that only authorized devices can communicate with industrial control systems.
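The second action above, monitoring the configuration files that govern dosing and pressure, can be implemented as a hash baseline plus a setpoint range check, so that a file rewritten to "maximum values" trips an alert even before anyone looks at the hash. The script below is an added example written for this brief; it is not code from Darktrace or from the article. The file names, setpoint keys and engineering limits are assumptions standing in for whatever the plant's real vendor files and process limits are.

```python
"""Integrity and sanity check for ICS configuration files (added example, hypothetical file format)."""
import configparser
import hashlib
import json
from pathlib import Path

# Hypothetical engineering limits per setpoint key (assumed names and ranges;
# real limits must come from the plant's process engineers, not from this script).
SETPOINT_LIMITS = {
    "chlorine_dose_mg_l": (0.2, 4.0),
    "pump_state": (0, 1),
    "flow_rate_m3_h": (0.0, 500.0),
    "ro_pressure_bar": (0.0, 70.0),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Map each file name to the SHA-256 of its content; this is the baseline record."""
    return {name: sha256_hex(content) for name, content in files.items()}


def snapshot_dir(directory: Path, pattern: str = "*.cfg") -> dict[str, str]:
    """Build a baseline from real files on disk, keyed by path relative to directory."""
    return snapshot({str(p.relative_to(directory)): p.read_bytes()
                     for p in sorted(directory.rglob(pattern)) if p.is_file()})


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots: files whose hash changed, files that vanished, files that appeared."""
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }


def check_setpoints(config_text: str) -> list[str]:
    """Return one violation string for every known setpoint outside its engineering limit."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    violations = []
    for section in parser.sections():
        for key, (lo, hi) in SETPOINT_LIMITS.items():
            if parser.has_option(section, key):
                value = parser.getfloat(section, key)
                if not lo <= value <= hi:
                    violations.append(f"{section}.{key}={value} outside [{lo}, {hi}]")
    return violations


# Constructed sample configs (not real vendor files): a known-good baseline
# and a copy in which dosing and pressure were pushed far past their limits.
GOOD_CFG = b"""[dosing]
chlorine_dose_mg_l = 1.5
pump_state = 1
[hydraulics]
flow_rate_m3_h = 120.0
ro_pressure_bar = 55.0
"""

TAMPERED_CFG = b"""[dosing]
chlorine_dose_mg_l = 99.0
pump_state = 1
[hydraulics]
flow_rate_m3_h = 500.0
ro_pressure_bar = 99.0
"""


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Take a baseline, re-snapshot after tampering, and run both checks."""
    baseline = snapshot({"plant.cfg": GOOD_CFG})
    later = snapshot({"plant.cfg": TAMPERED_CFG})
    return compare(baseline, later), check_setpoints(TAMPERED_CFG.decode())


if __name__ == "__main__":
    report, violations = demo()
    print(json.dumps(report, indent=2))
    for v in violations:
        print("ALERT:", v)
```

In practice the baseline from `snapshot_dir` should be written to read-only or off-host storage and compared on a schedule from a monitoring host, not from the engineering workstation itself; the range check is the part that catches a file that is valid syntax but physically dangerous, which a hash alone cannot tell you.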
