{"id":12188,"date":"2026-04-17T10:03:42","date_gmt":"2026-04-17T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/17\/hackers-target-israeli-desalination-plants-with-zionsiphon-sabotage-malware\/"},"modified":"2026-04-17T10:03:42","modified_gmt":"2026-04-17T10:03:42","slug":"hackers-target-israeli-desalination-plants-with-zionsiphon-sabotage-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/17\/hackers-target-israeli-desalination-plants-with-zionsiphon-sabotage-malware\/","title":{"rendered":"Hackers Target Israeli Desalination Plants With ZionSiphon Sabotage Malware"},"content":{"rendered":"<div>\n<p>A newly discovered piece of malware called ZionSiphon has raised serious concerns about the security of critical water infrastructure in Israel. 
<\/p>\n<p>The malware was built with a clear focus: to infiltrate and potentially sabotage Israeli water treatment and desalination systems, the very facilities responsible for providing clean drinking water to millions of people.<\/p>\n<p>ZionSiphon is not a random piece of software. 
It carries hardcoded Israeli IP address ranges, meaning it is designed to run only on systems located within Israel. <\/p>\n<p>The malware includes geographically restricted execution logic targeting IP blocks tied to Israeli networks, along with politically motivated messages embedded in its code. <\/p>\n<p>One decoded string reads, \u201cIn support of our brothers in Iran, Palestine, and Yemen against Zionist aggression. I am 0xICS.\u201d <\/p>\n<p>Another decoded message references \u201cPoisoning the population of Tel Aviv and Haifa,\u201d pointing to a threat actor with clear ideological intent and a desire to cause real physical harm.<\/p>\n<p><a href=\"https:\/\/www.darktrace.com\/blog\/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems\" id=\"https:\/\/www.darktrace.com\/blog\/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Darktrace analysts recently identified and examined the malware sample<\/a>, which self-identifies as ZionSiphon. <\/p>\n<p>Their investigation revealed that this tool combines several host-based capabilities, including privilege escalation, persistence mechanisms, USB-based propagation, and scanning for Operational Technology (OT)-relevant services on local networks. 
<\/p>\n<p>The Darktrace team noted that while many of these individual features are found in everyday <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-using-stealerium-malware\/\" id=\"124814\" target=\"_blank\" rel=\"noreferrer noopener\">commodity malware<\/a>, the combination of politically charged messaging, Israel-specific targeting, and an explicit focus on desalination processes makes ZionSiphon stand out from generic opportunistic attacks.<\/p>\n<p>The malware\u2019s target list includes the names of real Israeli water infrastructure entities. <\/p>\n<p>These include Mekorot, which is Israel\u2019s national water company, along with Sorek, Hadera, Ashdod, and Palmachim, which are four of the country\u2019s major seawater desalination plants. <\/p>\n<p>The Shafdan wastewater treatment facility is also listed. Each of these sites plays a critical role in Israel\u2019s national water supply, and their presence in the malware\u2019s targeting list confirms that the attacker understands the structure of the country\u2019s water sector.<\/p>\n<p>The most alarming part of ZionSiphon is its sabotage logic. When the malware confirms it is running in a valid water treatment environment, it attempts to tamper with local configuration files by injecting values such as \u201cChlorine_Dose=10,\u201d \u201cChlorine_Pump=ON,\u201d \u201cChlorine_Flow=MAX,\u201d \u201cChlorine_Valve=OPEN,\u201d and \u201cRO_Pressure=80.\u201d <\/p>\n<p>These entries, if successfully written to active system configuration files, could manipulate chlorine dosing and pressure levels in ways that could make water unsafe for human consumption.<\/p>\n<h2 class=\"wp-block-heading\" id=\"infection-mechanism-and-ot-protocol-targeting\"><strong>Infection Mechanism and OT Protocol Targeting<\/strong><\/h2>\n<p>Once ZionSiphon gains a foothold on a system, it begins a structured process of establishing itself quietly and scanning for industrial control 
devices. <\/p>\n<p>Its persistence routine copies the malware to a hidden location under the name \u201csvchost.exe,\u201d a legitimate Windows process name, and creates a registry entry called \u201cSystemHealthCheck\u201d pointing to that hidden copy. <\/p>\n<p>This technique helps the malware blend into ordinary Windows system activity and avoid drawing attention from users or basic <a href=\"https:\/\/cybersecuritynews.com\/postgresql-monitoring-tools\/\" id=\"37526\" target=\"_blank\" rel=\"noreferrer noopener\">monitoring tools<\/a>. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiQSkmww0SgEWwk0wBOcxh0piMOo_7FCefEx2ZQno-VZWau1ia1J0loIsFkrHdJny1HC1VHp7fBsVK5ZBK2mGJ79GBtgYE_bJ3VqgdEO1aSmfYiibM3xHTUjqf5f4J-Y9ki2Ye1DTVgcuLNxzNYVFBPzFRLgvEnpETzBHdxYNk1Cl8geMrRYptU4LaCVrg\/s16000\/Registry%2520key%2520creation%2520routine%2520%28Source%2520-%2520Darktrace%29.webp?ssl=1\" alt=\"Registry key creation routine (Source - Darktrace)\"><figcaption class=\"wp-element-caption\">Registry key creation routine (Source \u2013 Darktrace)<\/figcaption><\/figure>\n<\/div>\n<p>After persistence is set, ZionSiphon performs subnet-wide OT scanning, probing for devices listening on port 502 for Modbus, port 20000 for DNP3, and port 102 for S7comm. <\/p>\n<p>These are industrial communication protocols commonly used in water plants and other critical infrastructure environments. For each device that responds, the malware performs a second-stage validation step to confirm the protocol type before attempting to send commands. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhiDgLglOsrfqolCSWMIXRGEp8szW_cbigX3CYKRYrq6VpDLc7Sebv35k4kVQIBpBZpQUs38kSj0_gVyiSr5yb5kiCkTR3vyOsdOILxkt7mYtFnoj_k5SJcbP-Xvje3in1ysr5OTHwYawPG44khhJM3exRyaT686alWhaR-pq7jkgHzyQEWwGXjPoX4Suc\/s16000\/The%2520ICS%2520scanning%2520function%2520%28Source%2520-%2520Darktrace%29.webp?ssl=1\" alt=\"The ICS scanning function (Source - Darktrace)\" style=\"width:942px;height:auto\"><figcaption class=\"wp-element-caption\">The ICS scanning function (Source \u2013 Darktrace)<\/figcaption><\/figure>\n<\/div>\n<p>The most fully developed part of this scanning logic targets Modbus. The malware sends a \u201cRead Holding Registers\u201d request to connected devices and reads back register values. <\/p>\n<p>It then identifies a relevant register, such as one controlling chlorine dose, and issues a write command to change that value. <\/p>\n<p>If it cannot identify a suitable register through dynamic scanning, it falls back to hardcoded Modbus write frames to ensure that a write attempt is made regardless. 
<\/p>\n<p>This fallback behavior suggests the attacker had only partial knowledge of the target systems but still wanted to guarantee that some form of interference would take place.<\/p>\n<p>The DNP3 and S7comm branches of the malware appear unfinished. 
Both contain protocol-accurate prefix sequences, indicating the attacker intended to build multi-protocol OT attack capabilities, but the code fragments are too short and incomplete to form valid commands for those protocols. <\/p>\n<p>Darktrace\u2019s analysis suggests the analyzed version is either a development build, a prematurely deployed sample, or one that was intentionally kept limited for testing.<\/p>\n<p>ZionSiphon also includes a USB propagation feature. The malware scans for removable drives, copies itself to each one using the svchost.exe filename with hidden and system file attributes, and creates shortcut files that appear as regular documents. If a user clicks one of these shortcuts, they unknowingly execute the malware. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgBNWBBEuru_mSsZePe2sGAG_PI64RioCDC3idUksyyTvI768wO2v60gr_bGyItTCKB5kbAD1tXhegDWzNBcqcdUfXH6s68knXbbX9ipefESTavo3VkzkDYukoVJCFBNd9vQhIJU4-4znbP1PtKc62CZtIfYsN8OHeoocE1cv0c_29SSf7nmj827eGoWdA\/s16000\/USB%2520shortcut%2520creation%2520on%2520the%2520removable%2520drive%2520%28Source%2520-%2520Darktrace%29.webp?ssl=1\" alt=\"USB shortcut creation on the removable drive (Source - Darktrace)\"><figcaption class=\"wp-element-caption\">USB shortcut creation on the removable drive (Source \u2013 Darktrace)<\/figcaption><\/figure>\n<\/div>\n<p>For organizations operating critical infrastructure, especially in the water and utilities sectors, Darktrace\u2019s research underscores the importance of continuous monitoring for anomalous behavior across both IT and OT environments. <\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams<\/a> should keep close visibility on industrial control system networks, monitor for unexpected configuration file changes in ICS directories, watch for USB-based propagation attempts, and ensure that Modbus, DNP3, and S7comm traffic is logged and analyzed. 
<\/p>\n<p>Cross-visibility between IT and OT environments remains essential for catching early-stage threats like ZionSiphon before they can cause real-world harm.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-target-israeli-desalination-plants\/\">Hackers Target Israeli Desalination Plants With ZionSiphon Sabotage Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A newly discovered piece of malware called ZionSiphon has raised serious concerns about the security of critical water infrastructure in Israel. 
The malware was built with a clear focus: to infiltrate and potentially sabotage Israeli water treatment and desalination systems, the very facilities responsible for providing [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12188","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12188"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12188"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12188\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}