Full Report
Cybersecurity researchers have flagged a new malware family that appears to be designed specifically to target Israeli water treatment and desalination systems. Darktrace, which codenamed the malware ZionSiphon, highlights its ability to set up persistence, tamper with local configuration files, and scan for operational technology (OT)-relevant services on the local subnet.
Analysis Summary
# Tool/Technique: ZionSiphon
## Overview
ZionSiphon is a specialized malware family currently in development, specifically engineered to target Industrial Control Systems (ICS) and Operational Technology (OT) within the Israeli water treatment and desalination sectors. Identified by Darktrace, the malware is designed to identify specific geographic and environmental conditions before activating its sabotage routines, which target critical infrastructure parameters such as chlorine levels and water pressure.
## Technical Details
- **Type:** Malware (ICS/OT Sabotage)
- **Platform:** Windows (implied by registry/file persistence), targeting OT protocols (Modbus, DNP3, S7comm)
- **Capabilities:** Geographic fencing, environment-specific targeting, OT service scanning, protocol-specific manipulation, USB propagation, and self-destruction.
- **First Seen:** June 29, 2025
## MITRE ATT&CK Mapping
- **[TA0108 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Scanning]
  - [T1120 - Peripheral Device Discovery]
- **[TA0009 - Collection]**
  - [T1119 - Automated Collection]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
- **[TA0800 - Impact (ICS)]**
  - [T0831 - Manipulation of Control Logic]
  - [T0836 - Modify Parameter]
- **[TA0801 - Lateral Movement (ICS)]**
  - [T0847 - Replication Through Removable Media]
## Functionality
### Core Capabilities
- **Geographic Fencing:** Restricts execution to specific Israeli IPv4 ranges:
  - 2.52.0[.]0 - 2.55.255[.]255
  - 79.176.0[.]0 - 79.191.255[.]255
  - 212.150.0[.]0 - 212.150.255[.]255
- **Environmental Checks:** Scans for strings and local configurations specifically associated with desalination and water treatment facilities.
- **OT Discovery:** Scans the local subnet for services communicating via Modbus, DNP3, and S7comm protocols.
- **Self-Destruction:** Initiates a deletion sequence if the host does not meet the specified geographic or environmental criteria.
### Advanced Features
- **Multi-Protocol Sabotage:** Includes protocol-specific logic to tamper with Modbus registers (the most developed module) as well as DNP3 and S7comm, with the aim of altering chlorine dosage and pressure settings.
- **USB Propagation:** Capable of spreading via removable media to jump "air-gapped" or isolated segments of OT networks.
- **Privilege Escalation:** Includes built-in routines to gain administrative control on the host.
## Indicators of Compromise
- **File Hashes (SHA256):** 07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f
- **File Names:** [Not specified in article]
- **Registry Keys:** Modifies local configuration files and sets up persistence (specific keys not provided).
- **Network Indicators:** Targeted IP ranges (2.52.0[.]0 - 2.55.255[.]255; 79.176.0[.]0 - 79.191.255[.]255; 212.150.0[.]0 - 212.150.255[.]255).
- **Behavioral Indicators:** Automated subnet scanning for ports 502 (Modbus), 20000 (DNP3), and 102 (S7comm); unauthorized modification of industrial configuration files.
## Associated Threat Actors
- Unknown (Attributed to a politically motivated actor aligned with interests in Iran, Palestine, and Yemen based on embedded political strings).
## Detection Methods
- **Behavioral Detection:** Monitoring for atypical network scanning on OT-specific ports (502, 102, 20000) originating from non-engineering workstations.
- **Integrity Monitoring:** Detecting unauthorized changes to local industrial configuration files and parameters.
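The first detection method above, behavioral detection of OT-port sweeps, is illustrated by the following added example; it is not code from the report or from Darktrace. It parses constructed flow records in a hypothetical `<ts> <src> <dst> <dport> <proto>` format and flags any source outside a hypothetical engineering-workstation allowlist that reaches several distinct hosts on ports 502, 102 or 20000.

```python
import ipaddress
from collections import defaultdict
# OT service ports named in the report: Modbus/TCP, S7comm, DNP3.
OT_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3"}
# Hypothetical allowlist of engineering workstations expected to poll PLCs.
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.5.20")}
# Distinct OT-port destinations a source must touch before it is flagged.
SCAN_THRESHOLD = 3

def parse_flow(line):
    """Parse one constructed flow record '<ts> <src> <dst> <dport> <proto>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": float(ts), "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}
    except ValueError:
        return None

def find_ot_scanners(lines, threshold=SCAN_THRESHOLD):
    """Map each non-allowlisted source that reached >= threshold distinct hosts
    on OT ports to a sorted list of (dst, protocol) pairs it touched."""
    touched = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in OT_PORTS:
            continue  # malformed line or not an OT service port
        if rec["src"] in ENGINEERING_WORKSTATIONS:
            continue  # expected polling from a known engineering host
        touched[rec["src"]].add((str(rec["dst"]), OT_PORTS[rec["dport"]]))
    return {str(src): sorted(hits) for src, hits in touched.items()
            if len({dst for dst, _ in hits}) >= threshold}

# Constructed sample flows: the allowlisted HMI polls one PLC, an office host
# (10.10.7.33) sweeps several addresses on 502/102/20000, a third host touches one.
SAMPLE_FLOWS = [
    "1719620000.1 10.10.5.20 10.10.6.10 502 tcp",
    "1719620000.2 10.10.7.33 10.10.6.10 502 tcp",
    "1719620000.3 10.10.7.33 10.10.6.11 502 tcp",
    "1719620000.4 10.10.7.33 10.10.6.12 102 tcp",
    "1719620000.5 10.10.7.33 10.10.6.13 20000 tcp",
    "1719620000.6 10.10.7.33 10.10.6.14 443 tcp",
    "1719620000.7 10.10.7.40 10.10.6.10 502 tcp",
]

if __name__ == "__main__":
    for src, hits in find_ot_scanners(SAMPLE_FLOWS).items():
        print(f"possible OT service sweep from {src}: {hits}")
```

The threshold and allowlist are the tuning knobs: a single host polling one PLC on port 502 is normal, while one host touching many PLC addresses across several OT protocols within a short window is the pattern the report describes.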
## Mitigation Strategies
- **Network Segmentation:** Implement strict "conduits and zones" (ISA/IEC 62443) to isolate OT networks from IT networks and the internet.
- **Disable Removable Media:** Restrict or disable the use of USB drives on critical OT assets to prevent propagation.
- **Hardening:** Implement least-privilege access and disable unnecessary services on Windows-based Human Machine Interfaces (HMIs) and Engineering Workstations.
## Related Tools/Techniques
- **RoadK1ll:** A Node.js-based reverse tunneling implant often discovered in similar contexts for maintaining persistent access and pivoting.
- **Stuxnet/Industroyer:** While ZionSiphon is less mature, it shares the "sabotage-via-protocol" DNA of earlier ICS-targeting malware.