Cybersecurity experts at Darktrace have identified a newly developed, politically motivated malware known as ZionSiphon. Notably, attackers designed this sophisticated threat to infiltrate and disrupt Israel’s critical water infrastructure, including desalination and treatment facilities.
To begin with, ZionSiphon integrates multiple advanced capabilities. It combines privilege escalation, persistence mechanisms, and USB-based propagation to spread efficiently across systems. Moreover, it includes industrial control system (ICS) scanning functions, allowing it to locate and interact with operational technology environments. More alarmingly, the malware directly targets chlorine dosing systems and hydraulic pressure controls—two essential components in water safety and distribution.
In addition, researchers discovered that ZionSiphon is far from a generic cyber threat. Embedded deep within its code are Base64-encoded messages carrying strong political intent. One decoded message states: “In support of our brothers in Iran, Palestine, and Yemen against Zionist aggression. I am ‘0xICS’,” while another explicitly mentions “Poisoning the population of Tel Aviv and Haifa”. The attacker alias “0xICS” further highlights a deliberate focus on industrial control systems.
Furthermore, the malware clearly identifies its intended victims. It specifically targets Mekorot, along with major desalination facilities such as Sorek, Hadera, Ashdod, and Palmachim. It also includes the Shafdan wastewater treatment plant in its attack scope, indicating a well-researched and highly focused campaign.
To ensure precise execution, ZionSiphon employs a two-layer verification process. First, it checks whether the infected system’s IP address falls within predefined Israeli IPv4 ranges. Then, it performs a deeper environmental scan through a function called IsDamDesalinationPlant(). This function actively searches for process names like “DesalPLC,” “ROController,” and “ChlorineCtrl,” while also scanning for operational files such as C:\DesalConfig.ini and C:\ChlorineControl.dat. Only when both conditions align does the malware proceed to activate its payload.
However, despite its advanced design, the current version contains a critical flaw. Specifically, an XOR key mismatch within its country-validation logic prevents proper execution. As a result, the IsTargetCountry() function fails to validate the target, causing the malware to trigger its self-destruct mechanism instead. During this process, it removes persistence keys, logs the message “Target not matched. Operation restricted to IL ranges. Self-destruct initiated.”, and deletes itself entirely.
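As an added example (not code from Darktrace's report or from the malware itself), the following Python triage helper shows how a defender could hunt for the kinds of artefacts described above in an unknown binary: Base64-encoded blobs that decode to text containing the "0xICS" alias or the named cities, plus the plaintext self-destruct log message and the file and process names the malware is said to look for. The keyword lists are taken from the article; the sample byte buffer is constructed for this example, and the regex threshold and keyword choices are assumptions, not published indicators.

```python
"""Static-triage helper (added example, not from the original report).

It extracts Base64-looking runs from a binary, decodes them, and flags those
whose plaintext contains keywords reported for ZionSiphon. It also looks for
the plaintext strings the article attributes to the malware.
"""
import base64
import binascii
import re

# Keywords taken from the article's description of the decoded messages.
INTEREST_KEYWORDS = ("0xICS", "Tel Aviv", "Haifa", "Zionist")

# Plaintext strings the article says the malware logs or searches for.
PLAINTEXT_MARKERS = (
    "Target not matched. Operation restricted to IL ranges. Self-destruct initiated.",
    "DesalConfig.ini",
    "ChlorineControl.dat",
    "DesalPLC",
    "ROController",
    "ChlorineCtrl",
)

# A run of at least 16 Base64 alphabet characters with optional padding
# (the 16-character minimum is an assumption to cut down on false positives).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_runs(blob: bytes):
    """Yield (offset, decoded_text) for each Base64 run that decodes to printable ASCII."""
    for match in B64_RUN.finditer(blob):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)  # repair missing padding
        try:
            raw = base64.b64decode(run, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: skip
        if not all(c.isprintable() or c in "\r\n\t" for c in text):
            continue
        yield match.start(), text


def triage(blob: bytes) -> dict:
    """Return encoded-message hits and plaintext-marker hits found in blob."""
    hits = {"encoded": [], "plaintext": []}
    for offset, text in decode_base64_runs(blob):
        if any(keyword in text for keyword in INTEREST_KEYWORDS):
            hits["encoded"].append((offset, text))
    for marker in PLAINTEXT_MARKERS:
        index = blob.find(marker.encode("ascii"))
        if index != -1:
            hits["plaintext"].append((index, marker))
    return hits


# Constructed sample: a fake PE-like blob carrying one Base64-encoded message
# that names the alias, one decoy Base64 string, and two of the plaintext markers.
_CONSTRUCTED_MSG = b"Test message signed by 0xICS (constructed for this example)"
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + base64.b64encode(_CONSTRUCTED_MSG)
    + b"\x00" * 8
    + b"C:\\DesalConfig.ini\x00"
    + b"Target not matched. Operation restricted to IL ranges. Self-destruct initiated.\x00"
    + b"QUJDREVGR0hJSktMTU5PUA=="  # decodes to "ABCDEFGHIJKLMNOP": valid Base64, no keyword
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for offset, text in result["encoded"]:
        print(f"[encoded @ {offset:#x}] {text}")
    for offset, marker in result["plaintext"]:
        print(f"[plaintext @ {offset:#x}] {marker}")
```

Run it against a suspect file with `triage(open(path, "rb").read())`. Decoy Base64 strings that decode cleanly but contain no keyword are ignored, so the output stays focused on the reported markers rather than every encoded blob in the binary.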
Even so, researchers warn against underestimating this threat. According to Darktrace, this version may represent a development build, an early deployment sample, or even a controlled test variant. Importantly, the malware’s architecture remains fully functional, and attackers could easily fix the flaw with minimal code adjustments.
Ultimately, ZionSiphon signals a concerning evolution in cyberattacks targeting operational technology. Therefore, organizations managing water systems and industrial environments must strengthen their defenses. Experts strongly recommend enhancing IT-OT visibility, monitoring ICS network activity, and deploying rapid threat detection mechanisms to mitigate emerging risks before they escalate into full-scale attacks.