Darktrace has reported a new malware strain, ZionSiphon, built to target Israeli water and desalination systems, scanning industrial controls, spreading through USB devices and carrying hidden political messages within its code.

New ZionSiphon Malware Targeted Israeli Water And Desalination Facilities

The420 Web Desk

Cybersecurity firm Darktrace has disclosed a new malware strain, named ZionSiphon, that was built to target operational technology systems used in water treatment and desalination facilities in Israel, raising concerns about attempts to interfere with vital public infrastructure rather than simply steal data. The report said the malware sample, though unfinished, was designed to identify industrial control system settings used in water plants and to manipulate functions such as chlorine levels and water pressure.

How the Malware Establishes Itself

The malware is designed to check whether it has administrative rights on an infected device through a function called RunAsAdmin(). It then attempts to remain hidden by placing a copy of itself on the system under the false name svchost.exe, making it resemble a normal Windows process.

Darktrace said the code also creates a registry key named SystemHealthCheck to maintain persistence on the infected host. Researchers said the malware uses a removable-media propagation mechanism, allowing it to spread through USB devices by copying itself onto thumb drives inserted into an infected computer.

Methods Used to Reach Industrial Systems

The report said ZionSiphon also hides the real files on a drive and replaces them with fake shortcuts generated by a function called CreateUSBShortcut(). A user opening what appears to be a normal file may instead trigger the malware payload.

Further examination found that the malware searches for industrial control system protocols including Modbus, DNP3 and S7comm. It also scans for configuration files such as DesalConfig.ini and ChlorineControl.dat. To identify intended targets, the malware contains a list of specific Israeli plant locations, including Sorek, Hadera, Ashdod, Shafdan and Palmachim.

Messages in Code Raise Political Concerns

Researchers said hidden messages embedded in the code expressed support for Iran, Yemen and Palestine. One note referred to “Poisoning the population of Tel Aviv and Haifa,” although the report said the code was not actually capable of carrying out that action. The actors behind the malware identified themselves as 0xICS and also mentioned Dimona, a city known for its nuclear research centre.

Darktrace said the malware contained several mistakes that made it easier for researchers to detect. It includes a SelfDestruct() feature intended to run if the malware is not on a system located in Israel, but a coding error can cause it to misidentify the location and delete itself unintentionally. The malware also creates a file named delete.bat in an effort to remove its traces.
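The host-level indicators the report lists (a svchost.exe copy outside its normal directory, the SystemHealthCheck registry key, the shortcut lure on removable media and the delete.bat cleanup script) can be turned into a simple defender's triage check. The following is an added example written for this article, not code from Darktrace or from the malware; the event format and the registry key's location are assumptions, and the sample events are constructed.

```python
# Added example: flag ZionSiphon-style host indicators in endpoint telemetry.
# The event dictionaries below are a constructed, simplified shape (assumption),
# not any vendor's real schema.
from pathlib import PureWindowsPath

# Legitimate svchost.exe only lives in these directories on Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def triage(events):
    """Return (indicator, event) pairs for events matching the reported behaviour."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            p = PureWindowsPath(ev["image"])
            # The report says the malware copies itself as svchost.exe; a process with
            # that name running from a user-writable path is the masquerade to catch.
            if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS:
                hits.append(("svchost_masquerade", ev))
        elif kind == "registry":
            # The report gives only the key name SystemHealthCheck, not its hive or
            # parent key, so match on the last path component alone.
            if ev["key"].rstrip("\\").split("\\")[-1].lower() == "systemhealthcheck":
                hits.append(("persistence_key", ev))
        elif kind == "file":
            p = PureWindowsPath(ev["path"])
            if p.name.lower() == "delete.bat":
                hits.append(("cleanup_script", ev))
            # Shortcut files appearing on removable media are the USB lure described.
            elif ev.get("removable") and p.suffix.lower() == ".lnk":
                hits.append(("usb_shortcut_lure", ev))
    return hits


# Constructed sample telemetry: one benign svchost.exe plus the four indicators.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\op\AppData\Roaming\svchost.exe"},
    {"type": "registry", "key": r"HKCU\Software\Constructed\Example\SystemHealthCheck"},
    {"type": "file", "path": r"E:\Reports.lnk", "removable": True},
    {"type": "file", "path": r"C:\Users\op\AppData\Local\Temp\delete.bat"},
    {"type": "file", "path": r"C:\Users\op\Documents\notes.lnk", "removable": False},
]

if __name__ == "__main__":
    for indicator, ev in triage(SAMPLE_EVENTS):
        print(indicator, ev)
```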