ZionSiphon malware that could sabotage water treatment plants by manipulating chlorine and pressure on reverse osmosis equipment

Published. 5 min read.

Security researchers have put the spotlight on a new piece of malware designed specifically to attack operational technology (OT) systems in water treatment and desalination plants. The finding, published by the cybersecurity firm Darktrace, describes code with clear sabotage intent: it manipulates critical parameters, such as chlorine dosing and the pressure on reverse osmosis equipment, with the potential to cause physical damage and degrade the quality of the supply. Although the analysed sample cannot activate in its current form, the experts warn that fixing a small logic error would be enough to turn the threat into an operational and dangerous tool. More technical details and the full analysis are available in Darktrace's report: Inside ZionSiphon - Darktrace.

The program, which its discoverers named ZionSiphon, includes several checks intended to ensure that it only runs on specific targets. Before acting, it compares the machine's IP address against geographical ranges and looks for software or files associated with treatment or desalination plants. If it finds them, it can modify configuration files related to chlorine control and pumps, forcing extreme values for dosing, valve opening and pressure in the treatment units. In its report, Darktrace documents the routine responsible for these changes and the set of parameters the malware tries to impose.

Image generated with AI.

The intent to interact with industrial controllers is clear: the code scans the local subnet for protocols common in industrial environments, such as Modbus, DNP3 and S7comm. The development is incomplete, however: the Modbus functionality is partial, while DNP3 and S7comm exist only as placeholders, which suggests an early stage of development and that the authors could extend its capabilities later. ZionSiphon also includes a USB propagation mechanism that copies the executable to removable drives under a name that mimics a legitimate process and creates a malicious shortcut so that it is executed when clicked.

A curious and critical detail of the technical analysis is that the country-verification logic contains a bug in the XOR operation used to compare values. As a result, that check fails and the malware triggers a self-destruction routine instead of running its harmful payload. For now, therefore, the threat is not operational, but if its creators corrected that error it could become a real vector against water facilities. Darktrace also notes the presence in the code of strings with political messages and a list of targets that point at infrastructure in Israel.

The possible manipulation of parameters such as chlorine dose and pump pressure is not a purely theoretical matter: in water systems, sudden changes in dosing or pressure can lead to anything from overdosing, with public health implications and equipment corrosion, to mechanical failures in membranes and pumps that compromise continuity of service. The mere possibility of a malicious actor automating these modifications through local access to the industrial control systems is therefore alarming.

Incidents targeting industrial systems are nothing new: attacks such as Stuxnet demonstrated years ago that software can cause physical effects on infrastructure. Today, those responsible for the operation and safety of water facilities must consider both known threats and the potential of new tools tailored to the OT environment. To document techniques and tactics applicable to industrial environments, the MITRE ATT&CK framework for ICS is a useful resource: MITRE ATT&CK - ICS.

What practical measures should be reinforced in response to a discovery like this? First, removable-media policies must be strict: USB propagation remains an effective way to reach physically isolated networks. Controlling and logging the use of drives, applying application whitelisting, and maintaining file verification processes on OT endpoints are key steps. It is also essential to monitor the integrity of critical configuration files and to set alerts for unexpected modifications, as well as segmenting OT networks to minimise the impact of a compromised machine. For sector guidance and specific resources, the US Cybersecurity and Infrastructure Security Agency (CISA) provides documentation on water and wastewater security: CISA - Water and Wastewater Systems, and information-sharing organisations such as WaterISAC can be channels for receiving relevant advisories: WaterISAC.
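The integrity monitoring and alerting described above can be made concrete with two complementary checks: a hash baseline of the critical configuration files (any drift is an alert) and a plausibility check that parses the setpoints and flags values outside engineering limits, which catches exactly the kind of "extreme dose and pressure" edit the article describes even if the file was changed through a legitimate-looking path. The script below is an added example, not code from the article or from Darktrace; the file paths, INI layout and the engineering limits are constructed for the illustration and a real plant would take its limits from process documentation.

```python
"""Integrity and plausibility monitoring for OT configuration files (added example).

Check 1 (integrity): SHA-256 baseline per critical file; modified, missing or
unexpected files raise an alert.
Check 2 (plausibility): parsed setpoints must lie within engineering limits,
so a forced extreme chlorine dose or pump pressure is flagged on its own.
"""
import configparser
import hashlib
from typing import Dict, List, Tuple

# Hypothetical engineering limits, keyed by (INI section, option); constructed
# for the example, not taken from any real plant or from the article.
SETPOINT_LIMITS: Dict[Tuple[str, str], Tuple[float, float]] = {
    ("chlorine", "dose_mg_l"): (0.2, 4.0),
    ("ro_pump", "pressure_bar"): (10.0, 70.0),
    ("ro_pump", "valve_open_pct"): (0.0, 100.0),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a trusted digest for each critical file (path -> hex SHA-256)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def detect_drift(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Return one alert string per file that changed, disappeared or appeared."""
    alerts = []
    for path, digest in baseline.items():
        if path not in current:
            alerts.append(f"MISSING {path}")
        elif sha256_hex(current[path]) != digest:
            alerts.append(f"MODIFIED {path}")
    for path in current:
        if path not in baseline:
            alerts.append(f"UNEXPECTED {path}")
    return alerts


def check_setpoints(config_text: str) -> List[str]:
    """Flag setpoints that are missing, non-numeric or outside their limits.

    Only sections present in this file are checked, so each file is judged
    against the limits it actually owns.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    violations = []
    for (section, key), (lo, hi) in SETPOINT_LIMITS.items():
        if not parser.has_section(section):
            continue
        if not parser.has_option(section, key):
            violations.append(f"{section}.{key}: missing")
            continue
        raw = parser.get(section, key)
        try:
            value = float(raw)
        except ValueError:
            violations.append(f"{section}.{key}: not numeric ({raw!r})")
            continue
        if not lo <= value <= hi:
            violations.append(f"{section}.{key}={value} outside [{lo}, {hi}]")
    return violations


def audit(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Combined report: integrity drift plus per-file setpoint plausibility."""
    report = detect_drift(baseline, current)
    for path, content in current.items():
        for violation in check_setpoints(content.decode()):
            report.append(f"{path}: {violation}")
    return report


# Constructed sample files: a sane baseline and a tampered copy forcing extreme values.
BASELINE_FILES = {
    "/opt/plant/conf/chlorine.ini": b"[chlorine]\ndose_mg_l = 1.5\n",
    "/opt/plant/conf/ro_pump.ini": b"[ro_pump]\npressure_bar = 55\nvalve_open_pct = 60\n",
}
TAMPERED_FILES = {
    "/opt/plant/conf/chlorine.ini": b"[chlorine]\ndose_mg_l = 99\n",
    "/opt/plant/conf/ro_pump.ini": b"[ro_pump]\npressure_bar = 120\nvalve_open_pct = 100\n",
}

if __name__ == "__main__":
    trusted = build_baseline(BASELINE_FILES)
    for line in audit(trusted, TAMPERED_FILES):
        print("ALERT", line)
```

In production the baseline digests live on a host the OT endpoint cannot write to, and the plausibility limits are reviewed with process engineers; the two checks are kept separate so that a change approved through change control still gets a sanity check on the values it introduces.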

Image generated with AI.

From a technical monitoring standpoint, it makes sense to inspect Modbus, DNP3 and other industrial protocol traffic for anomalies, to deploy OT-oriented intrusion detection, and to review access controls on the consoles and servers that manage configurations. Keeping offline backups of configurations and recovery procedures also narrows the exposure window in the event of malicious tampering. For equipment that combines IT and OT functions, endpoint detection and response solutions should be complemented with tools specific to industrial environments.
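One concrete form of the Modbus traffic inspection recommended above is a passive check that decodes each Modbus/TCP request and alerts when a write function (the function codes that change coils or registers on a controller) comes from a host that is not an approved writer. The script below is an added example, not code from the article or from Darktrace; the MBAP header layout and write function codes follow the public Modbus/TCP specification, while the IP addresses, the allow list and the captured frames are constructed for the illustration.

```python
"""Passive detection of unexpected Modbus/TCP write requests (added example).

Each TCP payload is parsed as a Modbus/TCP ADU: MBAP header (transaction id,
protocol id, length, unit id) followed by the PDU function code. Any write
function issued by a host outside the allow list produces an alert.
"""
import struct
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# Function codes that change state on the device (public Modbus specification).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Hypothetical allow list: only the engineering workstation may write (constructed).
ALLOWED_WRITERS: Set[str] = {"10.10.1.5"}


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int]  # first address touched by a write, else None


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Return the decoded request, or None if the bytes are not a valid Modbus/TCP ADU."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0; the length field counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    start = None
    if func in WRITE_FUNCTIONS and len(payload) >= 10:
        start = struct.unpack(">H", payload[8:10])[0]
    return ModbusRequest(tid, unit, func, start)


def flag_unexpected_writes(
    packets: Iterable[Tuple[str, str, bytes]], allowed: Set[str] = ALLOWED_WRITERS
) -> List[str]:
    """packets: (src_ip, dst_ip, tcp_payload). Returns one alert per unauthorised write."""
    alerts = []
    for src, dst, payload in packets:
        req = parse_modbus_tcp(payload)
        if req is None or req.function not in WRITE_FUNCTIONS:
            continue
        if src not in allowed:
            alerts.append(
                f"{src} -> {dst} unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function]} starting at address {req.start_address}"
            )
    return alerts


def build_request(tid: int, unit: int, func: int, body: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU; used here only to construct the sample capture."""
    return struct.pack(">HHHBB", tid, 0, len(body) + 2, unit, func) + body


# Constructed capture: an HMI read, a workstation write, and an unknown host
# forcing maximum values into registers, plus a non-Modbus payload.
SAMPLE_PACKETS = [
    ("10.10.1.20", "10.10.2.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.10.1.5", "10.10.2.10", build_request(2, 1, 6, struct.pack(">HH", 100, 1500))),
    ("10.10.1.77", "10.10.2.10", build_request(3, 1, 6, struct.pack(">HH", 100, 0xFFFF))),
    ("10.10.1.77", "10.10.2.11", build_request(
        4, 2, 16, struct.pack(">HHB", 200, 2, 4) + struct.pack(">HH", 0xFFFF, 0xFFFF))),
    ("10.10.1.77", "10.10.2.10", b"\x00\x01\x02"),  # not Modbus: ignored
]

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_PACKETS):
        print("ALERT", alert)
```

A sensor placed on a SPAN port of the OT segment feeds this kind of logic with reassembled TCP payloads; the allow list is the operational statement of which hosts are ever supposed to change a setpoint, so an alert from any other source is worth a manual check regardless of the value written.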

The ZionSiphon case is a reminder that attackers adapt their tools to the operational domain: it is no longer just about encrypting servers or stealing data, but about altering physical parameters that can affect public safety and health. Right now the analysed sample does not run its destructive payload because of a validation error, but there is no guarantee that future versions will not remove that obstacle. Staying informed, applying good cyber-hygiene practices in OT, and strengthening controls over removable media and critical configurations is the most practical way to reduce the risk.

To read the technical analysis and the context of the discovery, see the Darktrace report: Inside ZionSiphon - Darktrace; for guides and operational resources on protecting water infrastructure, visit the CISA section dedicated to the sector: CISA - Water and Wastewater Systems.
