
ZionSiphon Malware Threatens Water Treatment Systems

A new malware called ZionSiphon, built specifically for operational technology, targets water treatment and desalination environments in order to sabotage their operations. According to the researchers who analysed it, the threat can alter hydraulic pressures and raise chlorine dosing to dangerous levels.

Based on its IP targeting and the political messages embedded in its strings, ZionSiphon appears to focus on targets located in Israel. Researchers at the AI-powered cybersecurity company Darktrace found an error in the encryption logic of the malware’s validation mechanism that renders it non-functional. They warn, however, that a future release of ZionSiphon could fix this flaw and make the malware fully capable of attacks.

Upon deployment, the malware checks whether the host IP address falls within Israeli ranges and whether the system contains water- or OT-related software or files, to confirm that it is running on a water treatment or desalination system. Darktrace notes that the country-verification logic is broken because of an XOR mismatch, so the targeting check fails and the malware triggers its self-destruct routine instead of executing the payload.

If ZionSiphon were to activate, it could cause significant damage by increasing chlorine levels and driving pressure to its maximum. It does this through a function named IncreaseChlorineLevel(), which appends a block of text to existing configuration files to push the chlorine dose and flow as high as the plant’s mechanical systems physically allow. According to Darktrace, IncreaseChlorineLevel() iterates over a hardcoded list of configuration files associated with desalination, reverse osmosis, chlorine control, and water treatment OT/Industrial Control Systems (ICS). As soon as it finds one of these files present, it appends a fixed block of text to that file and returns immediately.

The appended block of text contains the following entries:

  • Chlorine_Dose=10
  • Chlorine_Pump=ON
  • Chlorine_Flow=MAX
  • Chlorine_Valve=OPEN
  • RO_Pressure=80
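
Because the article states that the malware appends the block above rather than rewriting the file, a defender can look for two things: the five entries appearing verbatim at the end of a dosing or RO configuration file, and operator keys that are redefined further down with the malware’s values. The following is an added detection example written for this post; it is not Darktrace’s code and not the malware’s. The real hardcoded file list is not given in the article, so the sample configuration text and the paths passed to scan_paths() are constructed placeholders.

```python
"""Detect the configuration tampering the article attributes to
ZionSiphon's IncreaseChlorineLevel(): a fixed key=value block appended
to an existing OT configuration file.

Added example, not code from Darktrace or from the malware. The
configuration samples below are constructed for the demonstration.
"""
from pathlib import Path

# The five entries the article says are appended, verbatim.
ZIONSIPHON_BLOCK = (
    "Chlorine_Dose=10",
    "Chlorine_Pump=ON",
    "Chlorine_Flow=MAX",
    "Chlorine_Valve=OPEN",
    "RO_Pressure=80",
)

# lower-cased key -> value the appended block sets
TAMPERED_VALUES = {
    k.lower(): v for k, v in (entry.split("=", 1) for entry in ZIONSIPHON_BLOCK)
}


def parse_kv(text):
    """Yield (key, value, line_no) for each 'key=value' line; skip blanks, comments, sections."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip(), value.strip(), line_no


def assess_config(text):
    """Report how closely a configuration file matches the appended block.

    full_block   - the five entries are the last non-blank lines, in order (strong signal)
    redefined    - a key appears twice with different values; an appended block leaves
                   the operator's original setting in place above it (strong signal)
    matched_keys - keys whose value equals the block's value (weak on its own:
                   a pump that is legitimately ON also matches)
    """
    matched, redefined, first_seen = [], [], {}
    for key, value, line_no in parse_kv(text):
        k = key.lower()
        if k in TAMPERED_VALUES and value.upper() == TAMPERED_VALUES[k]:
            matched.append((key, line_no))
        if k in first_seen and first_seen[k][0].lower() != value.lower():
            redefined.append((key, first_seen[k][1], line_no))
        first_seen.setdefault(k, (value, line_no))

    tail = [ln.strip() for ln in text.splitlines() if ln.strip()][-len(ZIONSIPHON_BLOCK):]
    full_block = tail == list(ZIONSIPHON_BLOCK)

    if full_block:
        verdict = "tampered"
    elif redefined:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "full_block": full_block,
        "redefined": redefined,
        "matched_keys": matched,
    }


def scan_paths(paths):
    """Assess each existing file; return {path: report} for files that are not clean."""
    hits = {}
    for p in map(Path, paths):
        if not p.is_file():
            continue
        report = assess_config(p.read_text(errors="replace"))
        if report["verdict"] != "clean":
            hits[str(p)] = report
    return hits


# Constructed sample: an operator's dosing configuration before and after tampering.
CLEAN_CONFIG = """# chlorine dosing (constructed sample)
Chlorine_Dose=2.5
Chlorine_Pump=ON
Chlorine_Flow=AUTO
RO_Pressure=55
"""
TAMPERED_CONFIG = CLEAN_CONFIG + "\n".join(ZIONSIPHON_BLOCK) + "\n"

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, assess_config(cfg))
    # Placeholder path list; replace with the dosing/RO configuration files at your site.
    print(scan_paths(["/path/to/placeholder_dosing.cfg"]))
```

The verdict deliberately treats a single value match as weak evidence: the clean sample above already has Chlorine_Pump=ON and is still reported clean, while the appended copy is caught both by the verbatim tail and by three redefined keys. The check assumes the block starts on a new line; if a target file lacked a trailing newline the first appended entry would fuse with the previous line, so comparing a file against a known-good hash remains the more robust integrity control.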

The intent to interact with industrial control systems (ICS) is evident from the malware’s scanning of the local subnet for the Modbus, DNP3, and S7comm protocols. However, Darktrace found only partially functional code for Modbus and mere placeholders for the other two, which indicates that the malware is still at an early stage of development.

ZionSiphon also has a USB propagation mechanism: it copies itself to removable drives as a hidden file named svchost.exe and creates malicious shortcut files that execute the malware when clicked. USB propagation matters in critical infrastructure, where the computers managing safety-critical functions are often “air-gapped,” meaning they have no direct connection to the internet.

While ZionSiphon is not operational in its current version, its intent and its potential for damage are concerning. All that is needed to unlock both is a fix for a minor verification error.


This post is licensed under CC BY 4.0 by the author.