Malware · Apr 17, 2026

New ZionSiphon Malware Discovered Targeting Israeli Water Systems

ZionSiphon malware discovered targeting Israeli water treatment plants via OT protocols.

Summary

Darktrace researchers identified ZionSiphon, a newly discovered malware specifically designed to target Israeli water treatment and desalination plants by manipulating ICS protocols like Modbus, DNP3, and S7comm. The malware spreads via USB, masquerades as legitimate Windows processes, and includes hardcoded references to specific Israeli facilities (Sorek, Hadera, Ashdod, Shafdan, Palmachim). Code analysis reveals political messaging supporting Iran, Yemen, and Palestine, with the threat actor identifying as 0xICS, though the malware contains implementation errors that could cause self-deletion outside Israel.

Full text

By Deeba Ahmed, April 17, 2026

Researchers at Darktrace have identified ZionSiphon, a new malware targeting Israeli water treatment plants. Learn how this OT-focused attack uses ICS protocols like Modbus and S7comm to target critical infrastructure.

Cybersecurity firm Darktrace has released a report on a new strain of malware named ZionSiphon, created specifically to target the Operational Technology (OT) systems that manage water treatment and desalination in Israel. Desalination converts salt water into drinking water, which makes it a vital service for the region.

According to Darktrace’s report, shared with Hackread.com, the malware sample, though unfinished, was built to find specific Industrial Control System (ICS) settings used in water plants. The threat actors wanted to change parameters such as chlorine levels and water pressure, with the intent of causing real-world damage rather than merely stealing data.

How the Attack Works

Immediately after infection, ZionSiphon checks whether it has administrative rights on the device using a function called RunAsAdmin(). It stays undetected by hiding a copy of itself under the name svchost.exe, so that it looks like a normal Windows process, and it creates a registry key named SystemHealthCheck to ensure persistence on the infected host.

Darktrace’s report noted that this malware is unusual in that it can also spread via USB sticks through a removable-media propagation mechanism: if someone plugs a thumb drive into an infected computer, ZionSiphon copies itself onto that drive almost immediately. It hides the real files and creates fake shortcuts using a function called CreateUSBShortcut(). An unsuspecting user who opens what looks like a normal file instead executes the malware payload.
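The masquerading, persistence, cleanup and USB-lure behaviours described above give a defender concrete host artefacts to look for. The following Python script is an added example written for this page, not code from Darktrace or from the Hackread article; it runs simple triage rules over constructed endpoint telemetry and reports which of the described behaviours appear. The event format, the allowlist of engineering tools permitted to open plant configuration files, and the assumption that SystemHealthCheck sits in a Run key are mine: the report names only the value, the process name svchost.exe, the script delete.bat and the two configuration file names.

```python
"""Host-side triage rules for the ZionSiphon behaviours described above.

Added example, not code from Darktrace or Hackread. Events are a constructed,
simplified telemetry format (one dict per event, fields as used below); a real
EDR or Sysmon feed would need a small adapter. The Run-key location of the
persistence entry and the list of tools allowed to open plant configuration
files are assumptions: the report names only the value 'SystemHealthCheck'
and the file names DesalConfig.ini and ChlorineControl.dat.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict

# Directories where a genuine svchost.exe lives on 64-bit Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PERSISTENCE_VALUE = "systemhealthcheck"                      # named in the report
CLEANUP_SCRIPT = "delete.bat"                                # named in the report
TARGET_CONFIGS = {"desalconfig.ini", "chlorinecontrol.dat"}  # named in the report
CONFIG_READERS = {"hmi.exe", "plantconfig.exe"}              # assumed allowlist


def _norm(path: str) -> str:
    """Lower-case a Windows path with backslash separators for comparison."""
    return path.replace("/", "\\").lower()


def evaluate_events(events: list[dict]) -> list[dict]:
    """Run the rules over events in order; return one finding per match."""
    findings: list[dict] = []
    lnk_stems: dict[str, set[str]] = defaultdict(set)  # host -> stems of new .lnk on USB
    hidden: dict[str, set[str]] = defaultdict(set)     # host -> paths hidden on USB
    reported_lures: set[tuple[str, str]] = set()

    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image = _norm(ev["image"])
            # Rule 1: svchost.exe started from anywhere but the system directories.
            if ntpath.basename(image) == "svchost.exe" and ntpath.dirname(image) not in LEGIT_SVCHOST_DIRS:
                findings.append({"host": host, "rule": "svchost_masquerade", "detail": ev["image"]})
        elif ev["type"] == "registry":
            key = _norm(ev["key"]).rstrip("\\")
            # Rule 2: autostart value carrying the reported persistence name.
            if ev["value"].lower() == PERSISTENCE_VALUE and key.endswith(("\\run", "\\runonce")):
                findings.append({"host": host, "rule": "run_key_persistence", "detail": ev["data"]})
        elif ev["type"] == "file":
            path = _norm(ev["path"])
            name = ntpath.basename(path)
            # Rule 3: creation of the self-cleanup batch file.
            if name == CLEANUP_SCRIPT and ev["action"] == "create":
                findings.append({"host": host, "rule": "self_cleanup_script", "detail": ev["path"]})
            # Rule 4: plant configuration file opened by a process not on the allowlist.
            reader = ntpath.basename(_norm(ev.get("image", "")))
            if name in TARGET_CONFIGS and ev["action"] == "read" and reader not in CONFIG_READERS:
                findings.append({"host": host, "rule": "plant_config_access", "detail": f"{ev['path']} by {reader}"})
            # Rule 5: on removable media, a new .lnk named after an item that was just hidden.
            if ev.get("drive_type") == "removable":
                stem, ext = ntpath.splitext(path)
                if ext == ".lnk" and ev["action"] == "create":
                    lnk_stems[host].add(stem)
                elif ev["action"] == "attrib_hidden":
                    hidden[host].add(path)
                for lure in lnk_stems[host] & hidden[host]:
                    if (host, lure) not in reported_lures:
                        reported_lures.add((host, lure))
                        findings.append({"host": host, "rule": "usb_shortcut_lure", "detail": lure + ".lnk"})
    return findings


# Constructed telemetry for one engineering workstation (not real plant data).
SAMPLE_EVENTS = [
    {"type": "process", "host": "eng-ws-01", "image": r"C:\Users\op\AppData\Roaming\svchost.exe"},
    {"type": "process", "host": "eng-ws-01", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "registry", "host": "eng-ws-01", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SystemHealthCheck", "data": r"C:\Users\op\AppData\Roaming\svchost.exe"},
    {"type": "file", "host": "eng-ws-01", "action": "create", "drive_type": "removable", "path": r"E:\Reports.lnk"},
    {"type": "file", "host": "eng-ws-01", "action": "attrib_hidden", "drive_type": "removable", "path": r"E:\Reports"},
    {"type": "file", "host": "eng-ws-01", "action": "create", "drive_type": "fixed",
     "path": r"C:\Users\op\AppData\Roaming\delete.bat"},
    {"type": "file", "host": "eng-ws-01", "action": "read", "drive_type": "fixed", "path": r"D:\Plant\DesalConfig.ini",
     "image": r"C:\Users\op\AppData\Roaming\svchost.exe"},
    {"type": "file", "host": "eng-ws-01", "action": "read", "drive_type": "fixed", "path": r"D:\Plant\ChlorineControl.dat",
     "image": r"C:\Program Files\Vendor\hmi.exe"},
]

if __name__ == "__main__":
    for f in evaluate_events(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} -> {f['detail']}")
```

Each rule on its own is a weak signal (a legitimate tool may read DesalConfig.ini, and a user may create shortcuts on a thumb drive), which is why the script reports every match and leaves scoring to the analyst: several of these findings on the same host within a short window is the pattern the report describes.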
Further probing revealed that ZionSiphon searches for industrial control system protocols such as Modbus, DNP3, and S7comm. It also looks for configuration files named DesalConfig.ini and ChlorineControl.dat.

(Image credit: Darktrace)

To identify targets, the malware includes a list of specific Israeli plant locations:

  • Sorek
  • Hadera
  • Ashdod
  • Shafdan
  • Palmachim

Political Links

The researchers found hidden messages inside the code expressing support for Iran, Yemen, and Palestine. One note mentioned “Poisoning the population of Tel Aviv and Haifa,” though the code was not actually able to perform this action. The actors, who identified themselves as 0xICS, also mentioned Dimona, a city known for its nuclear research centre.

Even though the intent was clear, the attackers made several mistakes that researchers quickly identified. The malware includes a SelfDestruct() function designed to run if the host is not located in Israel, but a coding error can cause it to misidentify the location and delete itself unintentionally. It also creates a file named delete.bat to remove its own traces.

This research shows that even buggy malware can be a major threat to ICS safety, which makes monitoring critical infrastructure such as water and power systems all the more important.

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
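Because the sample's stated goal is to alter settings such as chlorine dosing over Modbus, DNP3 and S7comm, the natural OT-side control is a network monitor that tells reads from writes and checks which host is issuing the writes. The following Python script is an added example written for this page, not code from Darktrace or from the article: it parses Modbus/TCP request frames, classifies the write function codes, and raises an alert for any write that does not come from an allowlisted engineering workstation. The frames, IP addresses, writer allowlist and register tags are all constructed for illustration; DNP3 and S7comm, which the report also names, are not parsed here.

```python
"""Network-side rule: alert on Modbus/TCP write requests from hosts that are
not authorised to change plant setpoints.

Added example, not code from Darktrace or Hackread. The frames, the writer
allowlist and the register tags are constructed for illustration; DNP3 and
S7comm, which the report also names, are not parsed here.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Function codes that change coil or register state
# (Modbus Application Protocol Specification V1.1b3).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
# Constructed: engineering workstations allowed to issue writes.
AUTHORISED_WRITERS = {"10.10.1.5"}
# Constructed: meaning of a few coil / holding-register addresses at the plant.
REGISTER_TAGS = {100: "chlorine_dose_setpoint", 101: "chlorine_dose_setpoint",
                 12: "intake_pump_enable"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int | None    # first coil/register written, if the PDU carries one
    quantity: int | None


def _need(pdu: bytes, n: int) -> None:
    if len(pdu) < n:
        raise ValueError(f"PDU truncated: need {n} bytes, have {len(pdu)}")


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the leading fields of the request PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function, pdu = frame[7], frame[8:]
    address = quantity = None
    if function in (5, 6, 22):           # address followed by a single value
        _need(pdu, 2)
        (address,) = struct.unpack(">H", pdu[:2])
        quantity = 1
    elif function in (15, 16):           # address, quantity, byte count, data
        _need(pdu, 4)
        address, quantity = struct.unpack(">HH", pdu[:4])
    elif function == 23:                 # read addr/qty, then write addr/qty
        _need(pdu, 8)
        address, quantity = struct.unpack(">HH", pdu[4:8])
    return ModbusRequest(tid, unit, function, address, quantity)


def analyse(flows: list[tuple[str, str, bytes]]) -> list[dict]:
    """flows: (src_ip, dst_ip, request frame). One alert per unauthorised write
    and one per malformed frame; reads and authorised writes are silent."""
    alerts: list[dict] = []
    for src, dst, frame in flows:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed: {exc}"})
            continue
        if req.function in WRITE_FUNCTIONS and src not in AUTHORISED_WRITERS:
            alerts.append({
                "src": src, "dst": dst, "unit": req.unit_id, "function": req.function,
                "reason": f"unauthorised {WRITE_FUNCTIONS[req.function]}",
                "address": req.address, "quantity": req.quantity,
                "tag": REGISTER_TAGS.get(req.address, "unmapped"),
            })
    return alerts


def _frame(tid: int, unit: int, function: int, body: bytes) -> bytes:
    """Build a request frame; MBAP length covers unit id, function code and body."""
    return struct.pack(">HHHB", tid, 0, 2 + len(body), unit) + bytes([function]) + body


# Constructed traffic: one authorised setpoint change, then three requests from
# a workstation that should only ever read.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", _frame(1, 1, 6, struct.pack(">HH", 100, 4))),
    ("10.10.7.42", "10.10.2.20", _frame(2, 1, 16, struct.pack(">HHB", 100, 2, 4) + struct.pack(">HH", 0, 0))),
    ("10.10.7.42", "10.10.2.20", _frame(3, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.10.7.42", "10.10.2.20", _frame(4, 1, 5, struct.pack(">HH", 12, 0xFF00))),
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_FLOWS):
        print(a)
```

The allowlist is deliberately on source address rather than on the values written: a setpoint of zero chlorine is indistinguishable from a maintenance change unless the monitor also knows who is allowed to make it, which is why the register tag is attached only as context for the analyst.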

Indicators of Compromise

  • malware — ZionSiphon
  • malware — svchost.exe (fake)

Entities

  • Darktrace (vendor)
  • 0xICS (threat_actor)
  • Modbus (technology)
  • S7comm (technology)