Darktrace researchers have published a teardown of ZionSiphon, a purpose-built operational technology (OT) malware family engineered to sabotage Israeli water treatment and seawater desalination facilities. The sample is currently non-functional due to a validation/encryption logic bug, but the design intent — manipulating chlorine dosing and hydraulic pressure at national-scale water infrastructure — puts it squarely in the lineage of OT weapons like Stuxnet, Industroyer, and Incontroller.
What the sample does
ZionSiphon is a Windows implant with four distinct behavioral blocks stitched together:
- Environment gating. On execution it checks the host’s external IP against hardcoded Israeli ASN/IP ranges and hunts the filesystem for water-OT artifacts (configuration files such as DesalConfig.ini and ChlorineControl.dat, along with plant name strings). If the host fails either check, the payload exits silently.
- Target list. Hardcoded facility names include Mekorot (Israel’s national water carrier) and the Sorek, Hadera, Ashdod, Shafdan, and Palmachim desalination and treatment plants — effectively a who’s-who of Israel’s potable water and brine-management infrastructure.
- ICS reconnaissance. The implant scans the local network for Modbus TCP (502), DNP3 (20000), and Siemens S7comm (102) endpoints, enumerating PLCs and HMIs before attempting to write commands. The protocol stacks are only partially implemented, which is one of the reasons the current sample stops short of real damage.
- Sabotage payload. A function explicitly named IncreaseChlorineLevel() is designed to push chlorine dosing setpoints to their maximum and drive pump pressure to unsafe values. In a working deployment, this would produce water unsafe to drink and mechanical stress across distribution loops.
Propagation and persistence
ZionSiphon carries a classic USB worm stage. On any removable drive attached to an infected host, it copies itself as a hidden svchost.exe in a concealed directory and uses a helper routine (CreateUSBShortcut()) to replace real files with .lnk shortcuts that execute the implant when a user double-clicks what looks like their own document. That design is deliberate: air-gapped OT environments are routinely bridged by engineer laptops and contractor thumb drives.
Attribution signals
Darktrace found unobfuscated strings inside the binary expressing support for Iran, Yemen, and Palestine, along with a line referencing “poisoning the population of Tel Aviv and Haifa.” No infrastructure overlap with known Iranian OT actors (CyberAv3ngers, Homeland Justice) has been publicly confirmed yet, but the targeting, rhetoric, and timing fit the post-October-2023 pattern of politically motivated sabotage attempts against Israeli utilities.
Why it matters even though it’s broken
The current ZionSiphon sample is neutered by a flawed validation routine — effectively a mis-implemented decryption check that prevents the sabotage module from unlocking. Fixing it is a one-line change. Treat this release as v0.x of a weapon, not as a curiosity. The ICS protocol stubs, the target list, the USB spreader, and the chlorine/pressure logic are all sitting in the repo waiting for a competent maintainer.
What to do right now
- Hunt for the USB staging pattern. Look for hidden svchost.exe binaries on removable media and .lnk files that execute binaries from hidden folders on the same volume.
- Alert on unexpected Modbus/DNP3/S7comm scans from Windows endpoints. Engineer workstations should never be enumerating PLCs horizontally.
- Review HMI write protections. Chlorine dosing and pressure setpoints should require out-of-band confirmation, not a single writable register.
- Audit USB policy on OT-adjacent laptops (vendor techs, control room workstations, historian boxes). Most water utilities still allow removable media for patch drops.
- Segment the water-OT network from corporate IT and internet-facing jump hosts. ZionSiphon needs a bridgehead on a Windows host that can route to the PLC VLAN.
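The second item above, turned into a concrete detection: a small Python script (added here as an illustration, not code from Darktrace’s report or from the malware) that reads flow records of the form "timestamp src dst dport" and flags any source that touches several distinct addresses on the Modbus, DNP3 or S7comm ports while not being a known HMI or historian. The log lines, subnets and the KNOWN_POLLERS allowlist are constructed assumptions.

```python
"""Flag endpoints that sweep ICS protocol ports (constructed detection example)."""
from collections import defaultdict

# The three protocols ZionSiphon probes, keyed by TCP port.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm"}

# Hosts that legitimately poll PLCs (assumed HMI/historian addresses, not real).
KNOWN_POLLERS = {"10.20.1.5"}

# Constructed flow log lines, "<timestamp> <src> <dst> <dport>"; not real IoCs.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.20.1.5 10.20.1.10 502
2024-05-01T10:00:02 10.20.1.5 10.20.1.11 502
2024-05-01T10:01:00 10.10.5.21 10.20.1.10 502
2024-05-01T10:01:00 10.10.5.21 10.20.1.11 502
2024-05-01T10:01:01 10.10.5.21 10.20.1.12 102
2024-05-01T10:01:01 10.10.5.21 10.20.1.13 20000
2024-05-01T10:01:02 10.10.5.21 10.20.1.14 445
2024-05-01T10:02:00 10.10.5.40 10.20.1.10 502
"""


def parse_flows(text):
    """Yield (src, dst, dport) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])


def find_ics_sweepers(flows, min_targets=3):
    """Return {src: {protocol: sorted targets}} for sources that reach at least
    `min_targets` distinct addresses on ICS ports and are not known pollers.
    A workstation talking to a single PLC stays below the threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        if dport in ICS_PORTS and src not in KNOWN_POLLERS:
            seen[src][ICS_PORTS[dport]].add(dst)
    alerts = {}
    for src, by_proto in seen.items():
        targets = set().union(*by_proto.values())
        if len(targets) >= min_targets:
            alerts[src] = {proto: sorted(d) for proto, d in by_proto.items()}
    return alerts


if __name__ == "__main__":
    for src, detail in find_ics_sweepers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src} swept ICS ports: {detail}")
```

Lowering min_targets trades fewer missed slow scans for more noise from legitimate one-off engineering sessions, so tune it against a baseline of which workstations normally talk to which PLCs.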
Darktrace’s writeup — Inside ZionSiphon — has the full indicator list. If you run water, wastewater, or desalination OT anywhere in the region, this is the week to pull logs from every USB-exposed engineering workstation and see who’s been looking at .ini files named after your SCADA config.