ZionSiphon malware designed to sabotage water treatment systems

ZionSiphon is a newly discovered OT-focused malware engineered to sabotage water treatment and desalination systems by manipulating hydraulic pressures and raising chlorine levels. Researchers at Darktrace found that flawed XOR-based country-verification logic renders the current sample non-functional, but warn that a minor fix could enable destructive actions and USB propagation targeting Israeli infrastructure.

Key points

  • ZionSiphon targets operational technology in water treatment and desalination environments.
  • It includes a function that appends dangerous configuration entries to increase chlorine dose and maximize flow and pressure.
  • The malware verifies host IP ranges and OT-related files, but a broken XOR-based country check currently causes a self-destruct instead of execution.
  • Modbus support is partially implemented, other ICS protocol code is placeholder, and the sample features USB propagation via hidden svchost.exe copies and malicious shortcuts.
  • Darktrace warns that fixing the minor validation bug could make ZionSiphon operational and capable of causing severe physical impact.

Read More: https://www.bleepingcomputer.com/news/security/zionsiphon-malware-designed-to-sabotage-water-treatment-systems/