ZionSiphon malware designed to sabotage water treatment systems
Source: Bleeping Computer

A new malware called ZionSiphon, specifically designed for operational technology, is targeting water treatment and desalination environments to sabotage their operations. Researchers found that the threat can adjust hydraulic pressures and raise chlorine levels to dangerous levels.
Targeting Logic
- The malware checks whether the host IP falls within Israeli ranges.
- It verifies the presence of water/OT‑related software or files to ensure it is running in a water treatment or desalination system.
Note: Darktrace found a flaw in the malware’s validation logic: an XOR mismatch in its encryption routine causes the country‑verification step to fail, so the sample triggers a self‑destruct routine instead of executing the payload.
Technical Details
Payload Functions
The primary destructive function is IncreaseChlorineLevel(). It appends a fixed block of text to configuration files associated with desalination, reverse osmosis, chlorine control, and water‑treatment OT/ICS.
Appended configuration entries:
Chlorine_Dose=10
Chlorine_Pump=ON
Chlorine_Flow=MAX
Chlorine_Valve=OPEN
RO_Pressure=80
The function stops after modifying the first matching file it finds.
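As an added defender-side example (not code from the Darktrace report or the Bleeping Computer article), the following Python check inspects a configuration file's text for the appended block listed above and reports which legitimate settings that block would shadow. It assumes KEY=VALUE line syntax, and the sample config is constructed for the demonstration.

```python
import re

# Key/value pairs the report says IncreaseChlorineLevel() appends to matching
# OT/ICS configuration files (values as listed in the article above).
ZIONSIPHON_BLOCK = {
    "Chlorine_Dose": "10",
    "Chlorine_Pump": "ON",
    "Chlorine_Flow": "MAX",
    "Chlorine_Valve": "OPEN",
    "RO_Pressure": "80",
}
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(\S+)\s*$")

def _parse(line):
    """Return (key, value) for a KEY=VALUE line, else None."""
    m = _KV_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def find_appended_block(text):
    """Inspect one config file's text for the ZionSiphon-style block.

    Reports which known keys carry the malicious value, whether the whole
    block sits at the end of the file (the append pattern in the report),
    and which earlier legitimate settings it shadows in a last-wins parser.
    """
    lines = text.splitlines()
    hits = {}  # key -> index of the line holding the malicious value
    for idx, line in enumerate(lines):
        kv = _parse(line)
        if kv and ZIONSIPHON_BLOCK.get(kv[0]) == kv[1].upper():
            hits[kv[0]] = idx
    tail_keys = [kv[0] for kv in map(_parse, lines[-5:]) if kv]
    overridden = {}
    for key, idx in hits.items():
        for kv in map(_parse, lines[:idx]):
            if kv and kv[0] == key and kv[1].upper() != ZIONSIPHON_BLOCK[key]:
                overridden[key] = kv[1]  # original value now shadowed
    return {
        "matched_keys": sorted(hits),
        "full_block_at_end": tail_keys == list(ZIONSIPHON_BLOCK),
        "overridden": overridden,
    }

# Constructed sample: a small chlorination/RO config before and after tampering.
SAMPLE_CLEAN = "Plant=DemoPlant\nChlorine_Dose=2\nRO_Pressure=55\n"
SAMPLE_TAMPERED = SAMPLE_CLEAN + "".join(f"{k}={v}\n" for k, v in ZIONSIPHON_BLOCK.items())
```

Run it over the config files of the products the report names (desalination, reverse osmosis, chlorine control); a hit on all five keys at the end of a file, combined with shadowed earlier values, matches the append behaviour described above.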
Communication Protocol Scanning
ZionSiphon scans the local subnet for industrial control protocols:
- Modbus – partially functional code detected.
- DNP3 – placeholder code only.
- S7comm – placeholder code only.
These findings suggest the malware is still in an early development phase.
USB Propagation
The malware copies itself to removable drives as a hidden file named svchost.exe and creates malicious shortcut files that execute the payload when clicked.

Creating shortcuts on removable drives – Source: Darktrace
USB propagation is significant for critical infrastructure, where many control systems are “air‑gapped” (not directly connected to the internet).
Impact Assessment
While ZionSiphon is currently non‑functional due to the validation error, fixing this minor issue would enable it to:
- Increase chlorine concentrations to hazardous levels.
- Maximize hydraulic pressure within the plant’s mechanical limits.
- Potentially disrupt water treatment and desalination processes.
References
- Darktrace analysis: “Inside ZionSiphon – Darktrace’s analysis of OT malware targeting Israeli water systems.”