Apr 18, 2026 · 7 min read
Someone Built Malware to Poison Israel's Water Supply—A Single Coding Mistake Stopped It
ZionSiphon is a new OT malware designed to raise chlorine dosing and hydraulic pressure in Israeli water treatment plants. A flawed XOR validation rendered it inert, but security researchers warn the next version could fix the error.
What ZionSiphon Was Built to Do
Researchers at Darktrace discovered a new malware family purpose-built to sabotage water treatment and desalination systems. Called ZionSiphon, it contains a function named IncreaseChlorineLevel() that attempts to tamper with local configuration files by injecting parameters including Chlorine_Dose=10, Chlorine_Flow=MAX, and RO_Pressure=80.
If those values were applied to a real water treatment system, they could push chlorine dosing and reverse osmosis pressure to dangerous levels, potentially making water unsafe for human consumption.
Named Targets: Israel's National Water Infrastructure
The malware does not hide its intent. Embedded strings reference specific Israeli infrastructure by name: Mekorot (the national water company), four of Israel's five major seawater desalination plants (Sorek, Hadera, Ashdod, and Palmachim), and the Shafdan central wastewater treatment facility.
Hardcoded IPv4 ranges restrict execution to Israeli networks, covering address blocks assigned to Israeli service providers. An environment-detection function called IsDamDesalinationPlant() scans for water-treatment-specific process names including DesalPLC, ChlorineCtrl, ReverseOsmosis, and WaterGenix, and checks for directories such as C:\Program Files\Desalination.
How It Spreads: USB for Air-Gapped Systems
Water treatment control networks are typically air-gapped, meaning they are isolated from the internet and from the corporate IT network. ZionSiphon accounts for this by spreading through USB drives. The malware copies itself to removable media as a hidden file named svchost.exe and creates malicious Windows shortcut (.lnk) files that execute the payload when clicked.
This propagation method targets the human link in the chain: an employee who plugs a USB drive into an operational technology workstation. It is the same vector Stuxnet used to reach Iranian nuclear centrifuges over a decade ago, and it remains effective because air-gapped systems must still receive data from somewhere.
The Bug That Saved the Water Supply
Despite its alarming capabilities, ZionSiphon does not work. The malware's country-validation check XOR-encodes the target string "Israel" with the single-byte key 5 and compares the result to a constant hardcoded in the binary. That constant does not match what the cipher actually produces, so the comparison can never succeed: every time the malware runs the check, it fails and triggers a self-destruct routine instead of executing the payload.
Darktrace characterized this as either a development build that was prematurely leaked, an intentional defanging for testing purposes, or simply a programming error. Regardless of the reason, the flaw is trivial to fix. A single corrected string constant would make the malware functional.
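The shape of that gate, and the checks an analyst runs to see why it can never pass, as an added example. This is not code from the ZionSiphon sample or from Darktrace; the only fact taken from the report is the key value 5 and the target string. The "broken" constant below is a hypothetical stand-in (the string encoded under key 4) chosen to illustrate the failure mode, not the sample's real bytes.

```python
# Added example: single-byte XOR gate plus the analyst checks that expose a bad constant.
# Not the sample's code. KEY and the target string come from the report; the broken
# constant is a hypothetical stand-in.

KEY = 5  # single-byte XOR key reported for the sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same call encodes and decodes."""
    return bytes(b ^ (key & 0xFF) for b in data)


def geo_gate(observed_country: str, stored_constant: bytes, key: int = KEY) -> str:
    """Model of the gate described in the article: encode what the host reports,
    compare to the constant baked into the binary, run only on an exact match."""
    if xor_bytes(observed_country.encode("ascii"), key) == stored_constant:
        return "run-payload"
    return "self-destruct"


def recover_single_byte_key(blob: bytes, known_plaintext: bytes) -> list[int]:
    """Known-plaintext recovery: keys under which blob decodes to known_plaintext.
    One byte pins a single-byte key, so the result is empty or a single key."""
    if len(blob) != len(known_plaintext):
        return []
    return [k for k in range(256) if xor_bytes(blob, k) == known_plaintext]


def printable_decodings(blob: bytes) -> dict[int, str]:
    """Triage helper: every key under which blob decodes to printable ASCII."""
    out = {}
    for k in range(256):
        cand = xor_bytes(blob, k)
        if all(0x20 <= b < 0x7F for b in cand):
            out[k] = cand.decode("ascii")
    return out


# A correctly built constant: "Israel" under key 5 is b"Lvwd`i".
CORRECT_CONSTANT = xor_bytes(b"Israel", KEY)

# Hypothetical broken constant for illustration only: the same string encoded under
# key 4. Any constant other than xor_bytes(b"Israel", 5) makes the gate fail on every host.
BROKEN_CONSTANT = xor_bytes(b"Israel", 4)


def diagnose(stored_constant: bytes, intended: bytes = b"Israel", key: int = KEY) -> str:
    """Explain, the way an analyst would, why a gate with this constant can never pass."""
    if stored_constant == xor_bytes(intended, key):
        return "constant matches: gate passes on the intended target"
    keys = recover_single_byte_key(stored_constant, intended)
    if keys:
        return f"constant encodes {intended!r} under key {keys[0]}, but the check uses key {key}"
    return "constant does not encode the intended string under any single-byte key"


if __name__ == "__main__":
    print(geo_gate("Israel", CORRECT_CONSTANT))  # run-payload
    print(geo_gate("Israel", BROKEN_CONSTANT))   # self-destruct
    print(diagnose(BROKEN_CONSTANT))
```

The same two helpers, recover_single_byte_key and printable_decodings, are what you reach for when triaging any sample that hides strings behind a one-byte XOR: the key space is 256, so recovery is exhaustive and instant.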
Industrial Protocol Support: Partial but Growing
ZionSiphon scans local networks for devices communicating over three industrial control protocols: Modbus on TCP port 502, DNP3 on TCP port 20000, and S7comm on TCP port 102. The Modbus implementation is partially functional: it can read holding registers (function code 3) and attempts dynamic discovery before falling back to hardcoded write operations aimed at chlorine dosing parameters.
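What that Modbus traffic looks like on the wire, and a detection that flags register writes from hosts that have no business writing, as an added example. This is not code from the sample or from Darktrace; the frame layout is the public Modbus/TCP specification (a 7-byte MBAP header followed by the PDU), and the addresses, register numbers and hosts are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Added example, not the sample's code. Modbus/TCP framing from the public spec;
# sample traffic and hosts below are constructed.

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
# Function codes that change PLC state. Reads (0x01-0x04) do not.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

# MBAP header: transaction id, protocol id (always 0), length of unit id + PDU, unit id
MBAP = struct.Struct(">HHHB")


def build_read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    """FC 0x03 request: read `count` holding registers from `start`."""
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """FC 0x06 request: write one holding register."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, addr, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


@dataclass
class ModbusMessage:
    tid: int
    unit: int
    fc: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusMessage:
    """Split a Modbus/TCP frame into MBAP fields and PDU; raise on malformed input."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if len(frame) != MBAP.size + length - 1:
        raise ValueError("MBAP length does not match frame length")
    return ModbusMessage(tid, unit, frame[7], bytes(frame[8:]))


def parse_read_holding_registers_response(frame: bytes) -> list[int]:
    """Register values carried by a FC 0x03 response (byte count, then 16-bit words)."""
    msg = parse_modbus_tcp(frame)
    if msg.fc != READ_HOLDING_REGISTERS:
        raise ValueError("not a read holding registers response")
    byte_count = msg.data[0]
    regs = msg.data[1:1 + byte_count]
    if len(regs) != byte_count or byte_count % 2:
        raise ValueError("bad byte count")
    return list(struct.unpack(">%dH" % (byte_count // 2), regs))


def flag_unexpected_writes(packets, allowed_writers) -> list[tuple]:
    """Alert on Modbus write function codes from any source not allowed to write.
    `packets` is an iterable of (src_ip, dst_ip, frame_bytes)."""
    alerts = []
    for src, dst, frame in packets:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError:
            continue
        if msg.fc in WRITE_FUNCTION_CODES and src not in allowed_writers:
            # For FC 0x05/0x06/0x0F/0x10 the first PDU field is the target address.
            addr = struct.unpack(">H", msg.data[:2])[0] if len(msg.data) >= 2 else None
            alerts.append((src, dst, msg.fc, addr))
    return alerts


# Constructed sample traffic: an HMI at 10.0.0.10 polls and adjusts a PLC at 10.0.0.50;
# an unknown host at 10.0.0.77 reads, then writes value 10 to register 1.
SAMPLE_PACKETS = [
    ("10.0.0.10", "10.0.0.50", build_read_holding_registers(1, 1, 0, 4)),
    ("10.0.0.10", "10.0.0.50", build_write_single_register(2, 1, 1, 2)),
    ("10.0.0.77", "10.0.0.50", build_read_holding_registers(3, 1, 0, 4)),
    ("10.0.0.77", "10.0.0.50", build_write_single_register(4, 1, 1, 10)),
]

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_PACKETS, allowed_writers={"10.0.0.10"}):
        print("unexpected Modbus write:", alert)
```

The allowlist is the whole detection: on a plant network the set of hosts that legitimately issue writes is small and static, so a write from anywhere else is worth an alert regardless of which register it touches.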
The DNP3 and S7comm code is incomplete, containing placeholder structures without proper address fields or CRC blocks, so a conforming device would discard those frames. This suggests active development: the author has built the scaffolding for multi-protocol ICS attacks but has not finished the implementation. Future versions are likely to expand this capability.
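Why a DNP3 frame without CRC blocks goes nowhere is easiest to see with a complete link-layer frame beside it. The following is an added example, not code from the sample or Darktrace: it builds a DNP3 link frame with the header CRC and per-block CRCs the protocol requires (CRC-16, polynomial 0x3D65, result complemented, sent little-endian, one CRC after the 8-byte header and after each 16-byte block of user data) and a parser that rejects anything short of that. The addresses and application bytes are constructed.

```python
import struct

# Added example, not the sample's code: DNP3 link-layer framing with the CRC-16
# every outstation checks. Addresses and user data below are constructed.

START = b"\x05\x64"


def _make_table() -> list[int]:
    """Reflected CRC-16 table for polynomial 0x3D65 (bit-reversed constant 0xA6BC)."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xA6BC if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC: init 0, table-driven reflected update, final complement."""
    crc = 0
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return (~crc) & 0xFFFF


def build_link_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Header (start, length, control, dest, src) + CRC, then user data in 16-byte
    blocks each followed by its CRC. Length counts control, both addresses and user
    data; it excludes the start bytes and every CRC."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds one link frame")
    header = START + bytes([5 + len(user_data), ctrl & 0xFF]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def parse_link_frame(frame: bytes) -> tuple[int, int, int, bytes]:
    """Return (ctrl, dest, src, user_data). Raise ValueError on any length or CRC
    fault, which is what a conforming outstation does with a frame lacking CRC blocks."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing start bytes or header")
    header, header_crc = frame[:8], struct.unpack("<H", frame[8:10])[0]
    if header_crc != dnp3_crc(header):
        raise ValueError("header CRC mismatch")
    length = frame[2]
    if length < 5:
        raise ValueError("length below header minimum")
    ctrl = frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    remaining, pos, user = length - 5, 10, b""
    while remaining:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2:
            raise ValueError("truncated data block or missing block CRC")
        if struct.unpack("<H", crc)[0] != dnp3_crc(block):
            raise ValueError("data block CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    if pos != len(frame):
        raise ValueError("trailing bytes after last block")
    return ctrl, dest, src, user


def is_valid_link_frame(frame: bytes) -> bool:
    try:
        parse_link_frame(frame)
        return True
    except ValueError:
        return False


# Constructed user data (transport header + application request) and illustrative
# addresses: master 4 -> outstation 1, control 0xC4 (primary, unconfirmed user data).
USER_DATA = bytes.fromhex("C0 C1 01 3C 02 06")
FRAME = build_link_frame(0xC4, dest=1, src=4, user_data=USER_DATA)

# The placeholder shape described above: header and data with no CRC fields at all.
PLACEHOLDER = START + bytes([5 + len(USER_DATA), 0xC4]) + struct.pack("<HH", 1, 4) + USER_DATA

if __name__ == "__main__":
    print(FRAME.hex(" "), is_valid_link_frame(FRAME))           # ... True
    print(PLACEHOLDER.hex(" "), is_valid_link_frame(PLACEHOLDER))  # ... False
```

For detection purposes the same parser is useful in reverse: malformed DNP3 on port 20000, especially frames with a plausible header but no CRCs, is a strong signal of homegrown tooling rather than a vendor master station.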
The Political Messaging
Base64 encoded strings within the malware contain political declarations. One decodes to a statement of support for Iran, Palestine, and Yemen "against Zionist aggression," signed by an entity calling itself "0xICS." Another references "Poisoning the population of Tel Aviv and Haifa" and mentions Dimona, the location of Israel's nuclear research facility.
This positions ZionSiphon as a politically motivated weapon rather than a criminal tool. The embedded messages suggest alignment with a broader pattern of state-affiliated cyber operations targeting critical infrastructure in geopolitically significant regions.
Why a Broken Weapon Still Matters
It is tempting to dismiss ZionSiphon because the current version does not work. That would be a mistake. The malware demonstrates intent and capability in a domain where both are rare. Purpose-built OT malware aimed at water systems has scarcely appeared in the wild, and even the best-known water incident, at Oldsmar, Florida in 2021, involved no malware at all: someone with remote access to the plant's control software briefly raised the sodium hydroxide setpoint from 100 ppm to 11,100 ppm, roughly 100-fold, before an operator noticed and reverted the change.
The gap between a broken prototype and a functional weapon is small. A single corrected XOR constant enables geographic targeting. A completed DNP3 implementation enables direct protocol manipulation. A corrected S7comm frame enables attacks against Siemens PLCs, which are widely deployed in water treatment globally.
Organizations operating water treatment or other critical infrastructure should treat ZionSiphon as an indicator of escalating threat sophistication, not as a failed experiment to ignore.