HackRead

New ZionSiphon Malware Discovered Targeting Israeli Water Systems


Researchers at Darktrace have identified ZionSiphon, a new malware targeting Israeli water treatment plants. Learn how this OT-focused attack uses ICS protocols like Modbus and S7comm to target critical infrastructure.

Cybersecurity firm Darktrace has released a report on a new strain of malware named ZionSiphon, created specifically to target the Operational Technology (OT) systems that manage water treatment and desalination in Israel. Desalination converts salt water into drinking water, which makes it a vital service for the region.

According to Darktrace’s report, shared with Hackread.com, the sample, though unfinished, was built to locate specific Industrial Control System (ICS) settings used in water plants. In other words, the threat actors wanted to alter values such as chlorine levels and water pressure, with the intent to cause real-world damage rather than merely steal data.

How the Attack Works

ZionSiphon is stealthy: right after infection it checks whether it has administrative rights on the device using a function called RunAsAdmin(). It remains undetected by hiding a copy of itself under the fake name svchost.exe, which makes it look like a normal Windows process, and it creates a registry key named SystemHealthCheck to ensure persistence on the infected host.

Darktrace’s report noted that this malware stands out because it can spread via USB sticks through a removable-media propagation mechanism: if someone plugs a thumb drive into an infected computer, ZionSiphon copies itself onto that drive almost immediately.

It also hides the real files and creates fake shortcuts using a function called CreateUSBShortcut(). An unsuspecting user may click one, thinking it is a normal file, and instead execute the malware payload.

Further probing revealed that ZionSiphon searches for industrial control system protocols such as Modbus, DNP3, and S7comm. It also looks for configuration files like DesalConfig.ini and ChlorineControl.dat.

Image credit: Darktrace

To identify targets, the malware includes a list of specific Israeli plant locations, including:

  • Sorek
  • Hadera
  • Ashdod
  • Shafdan
  • Palmachim

The researchers found hidden messages inside the code expressing support for Iran, Yemen, and Palestine. For example, one note mentioned “Poisoning the population of Tel Aviv and Haifa,” though the code was not actually able to perform this action. The actors, who identified themselves as 0xICS, also mentioned Dimona, a city known for its nuclear research centre.

Even though the intent was clear, the attackers made several mistakes that researchers quickly identified. The malware includes a SelfDestruct() feature designed to run if it is not on a system located in Israel, but a coding error can cause it to misidentify the location and delete itself unintentionally. It also creates a file named delete.bat to remove its own traces.
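A defender-side host triage check for the artifacts described in the "How the Attack Works" section and in the paragraph above, added here as an example (it is not code from Darktrace or from the report): it walks a constructed host inventory for the svchost.exe masquerade, the SystemHealthCheck persistence entry, the hidden-file-plus-shortcut pattern on removable media, access to the named ICS configuration files, and creation of delete.bat. The record shapes, the sample data, and matching SystemHealthCheck by value name alone (the article gives no registry path) are assumptions.

```python
import ntpath
# Indicator names come from the article's summary of the Darktrace report. Record shapes,
# the sample host, and matching SystemHealthCheck by value name alone (the article gives
# no registry path) are assumptions made for this example.
FAKE_PROCESS = "svchost.exe"
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PERSISTENCE_NAME = "systemhealthcheck"
TARGET_CONFIGS = {"desalconfig.ini", "chlorinecontrol.dat"}
CLEANUP_SCRIPT = "delete.bat"

def check_processes(processes):
    """processes: [(image_name, full_path)]; flag svchost.exe running outside the system dirs."""
    return [f"svchost masquerade: {p}" for n, p in processes
            if n.lower() == FAKE_PROCESS and ntpath.dirname(p).lower() not in LEGIT_SVCHOST_DIRS]

def check_autoruns(autoruns):
    """autoruns: [(value_name, command)]; flag the persistence name the report describes."""
    return [f"persistence value: {n} -> {c}" for n, c in autoruns if n.lower() == PERSISTENCE_NAME]

def check_removable_media(listing):
    """listing: [(filename, is_hidden)] for one drive; flag a visible .lnk mirroring a hidden file (the USB decoy)."""
    hidden = {n.lower() for n, h in listing if h}
    return [f"shortcut decoy for hidden file: {n}" for n, h in listing
            if not h and n.lower().endswith(".lnk") and n[:-4].lower() in hidden]

def check_file_events(events):
    """events: [(action, path)]; flag touches of the ICS config names and delete.bat creation."""
    findings = []
    for action, path in events:
        base = ntpath.basename(path).lower()
        if base in TARGET_CONFIGS:
            findings.append(f"ICS config touched: {action} {path}")
        elif base == CLEANUP_SCRIPT and action == "create":
            findings.append(f"cleanup script created: {path}")
    return findings

def triage(host):
    """Run every check over one host inventory dict and return the combined findings."""
    return (check_processes(host["processes"]) + check_autoruns(host["autoruns"])
            + check_removable_media(host["usb"]) + check_file_events(host["file_events"]))

# Constructed sample inventory for one suspicious host (not real telemetry).
SAMPLE_HOST = {
    "processes": [("svchost.exe", r"C:\Windows\System32\svchost.exe"),
                  ("svchost.exe", r"C:\Users\op\AppData\Roaming\svchost.exe")],
    "autoruns": [("SystemHealthCheck", r"C:\Users\op\AppData\Roaming\svchost.exe")],
    "usb": [("Report.docx", True), ("Report.docx.lnk", False), ("readme.txt", False)],
    "file_events": [("read", r"D:\plant\DesalConfig.ini"), ("read", r"C:\temp\notes.txt"),
                    ("create", r"C:\Users\op\AppData\Roaming\delete.bat")],
}
```

Running `triage(SAMPLE_HOST)` against the constructed host returns five findings, one per artifact the article names; the legitimate System32 svchost.exe and the unrelated files produce none.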

This research highlights that even buggy malware can pose a major threat to ICS safety, which makes monitoring critical infrastructure such as water and power systems all the more important.
