HackWatch
High risk | Malware

ZionSiphon Malware Targets Israeli Water Treatment Facilities with Operational Technology Sabotage


Malware activity flagged. Isolate affected systems, preserve logs and block persistence or command-and-control channels before recovery.
By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: Apr 20, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 as a network administrator, looking first at device role, exposed management planes, VPN or routing impact and the order in which changes can be made without breaking production traffic. His note is deliberately operational: on Juniper-style edge or firewall environments, isolate admin access and preserve logs before patching, and do not claim broader exposure than the 1 corroborating source can prove.


Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A newly discovered malware strain named ZionSiphon has been identified targeting Israeli water treatment and desalination plants. Designed specifically for operational technology (OT) sabotage, ZionSiphon restricts its activity to Israeli network IP ranges, indicating a highly targeted attack aimed at disrupting critical water infrastructure.

What happened

Security researchers have uncovered a novel malware strain dubbed ZionSiphon that specifically targets operational technology systems within Israeli water treatment and desalination facilities. Unlike typical IT-focused malware, ZionSiphon is engineered for sabotage within OT environments, aiming to disrupt water system operations rather than merely causing IT network disturbances.

The malware was detected restricting its activity to hardcoded IPv4 address ranges associated exclusively with Israeli networks, including 2.52.0.0–2.55.255.255, 79.176.0.0–79.191.255.255, and 212.150.0.0–212.150.255.255. This targeting indicates a deliberate focus on Israeli critical infrastructure.

Confirmed facts

  • ZionSiphon is an operational technology (OT) malware strain designed for sabotage rather than simple IT disruption.
  • The malware's code includes hardcoded IPv4 ranges that correspond to Israeli network spaces.
  • Targeted systems are water treatment and desalination facilities in Israel.
  • The malware was analyzed and reported by cybersecurity researchers, including Darktrace, and initially disclosed by GBHackers Security.
  • ZionSiphon’s behavior suggests it aims to interfere with industrial control systems managing water infrastructure.

Who is affected

The primary victims are Israeli water treatment and desalination plants, which rely on operational technology systems to manage water purification and distribution. Given the critical nature of these facilities, any disruption could have significant public health and safety implications.

Secondary stakeholders include Israeli citizens dependent on these water services, government agencies responsible for infrastructure security, and cybersecurity teams tasked with defending critical infrastructure.

What to do now

Organizations responsible for water treatment and OT environments in Israel should immediately:

  1. Conduct comprehensive network scans to detect any presence of ZionSiphon or related malware.
  2. Review firewall and network access controls to ensure no unauthorized connections exist within the identified IP ranges.
  3. Monitor OT system logs for unusual activity or commands that could indicate sabotage attempts.
  4. Isolate critical OT systems from broader corporate IT networks where feasible.
  5. Engage cybersecurity incident response teams to investigate and remediate any infections.
  6. Coordinate with national cybersecurity authorities to share threat intelligence and receive guidance.
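Step 2 above asks defenders to review firewall and access controls against the three hardcoded ranges, and step 1 asks for a sweep of the estate. As an added example (not code from this alert or from the researchers it cites), the Python below turns the ranges into CIDR blocks, which is the form firewall object groups, IDS lists and hunting queries usually accept, and then runs a constructed OT asset inventory against them to find the assets whose egress address sits inside the malware's activation space and so deserve the first look. The inventory format, the site names and addresses, and the function names are assumptions made for this example.

```python
import ipaddress
import re

# IPv4 ranges the alert reports as hardcoded in ZionSiphon (taken from the alert text).
ZIONSIPHON_RANGES = [
    ("2.52.0.0", "2.55.255.255"),
    ("79.176.0.0", "79.191.255.255"),
    ("212.150.0.0", "212.150.255.255"),
]


def ranges_to_cidrs(ranges=ZIONSIPHON_RANGES):
    """Collapse each first-last range into the minimal set of CIDR blocks.

    Rule languages generally want CIDR notation rather than first/last pairs,
    so this is the form to load into a blocklist, an object group or a query.
    """
    cidrs = []
    for first, last in ranges:
        cidrs.extend(
            ipaddress.summarize_address_range(
                ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            )
        )
    return [str(net) for net in cidrs]


def in_activation_space(ip, ranges=ZIONSIPHON_RANGES):
    """True if `ip` falls inside one of the hardcoded ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(
        ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last)
        for first, last in ranges
    )


# Constructed sample: an OT asset inventory export listing the public address each
# site egresses through. Site names and addresses are made up for this example.
SAMPLE_INVENTORY = """\
site=desal-north-plc01 egress=2.53.17.4 role=plc
site=desal-north-hmi01 egress=2.53.17.4 role=hmi
site=lab-bench-01 egress=10.9.0.12 role=test
site=treat-south-scada egress=79.190.3.200 role=scada
site=vendor-remote-gw egress=198.51.100.7 role=remote-access
site=treat-east-rtu07 egress=212.150.44.9 role=rtu
"""

# Assumed inventory line format: "site=<name> egress=<ipv4> role=<role>"
_LINE_RE = re.compile(r"site=(\S+)\s+egress=(\S+)\s+role=(\S+)")


def assets_in_activation_space(inventory_text=SAMPLE_INVENTORY):
    """Return (site, egress_ip, role) for assets whose egress address is inside
    the ranges, i.e. the assets on which the malware's address gate would pass.

    Private addresses never match because the reported ranges are all public,
    so a lab segment behind RFC 1918 space is correctly left out of the list.
    """
    hits = []
    for line in inventory_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        site, egress, role = m.groups()
        try:
            if in_activation_space(egress):
                hits.append((site, egress, role))
        except ipaddress.AddressValueError:
            continue  # unparsable address field; leave it for manual review
    return hits


if __name__ == "__main__":
    print("CIDR blocks for rule and hunt lists:", ranges_to_cidrs())
    for site, egress, role in assets_in_activation_space():
        print(f"review first: {site} ({role}) egress {egress}")
```

The CIDR list is what goes into the rule review in step 2; the inventory sweep gives step 1 a prioritised starting set rather than the whole estate, and the same `in_activation_space` check can be applied to flow or proxy logs once they are parsed into addresses.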

Why this matters

Water treatment and desalination facilities are critical infrastructure components essential for public health and safety. Sabotage of these systems can lead to water contamination, supply disruption, and widespread public harm.

The emergence of ZionSiphon underscores the increasing sophistication of cyber threats targeting OT environments, which historically have been less protected than traditional IT systems. This attack also highlights the geopolitical sensitivity of Israeli infrastructure and the potential for cyber operations to be used as tools of sabotage.

What defenders should verify

  • Confirm that network segmentation between IT and OT environments is robust and enforced.
  • Validate that all OT devices and control systems are running up-to-date firmware and security patches.
  • Check for any unauthorized remote access or lateral movement within the OT network.
  • Ensure that monitoring tools are tuned to detect unusual commands or operational anomalies indicative of sabotage.
  • Review and update incident response plans to include scenarios involving OT sabotage malware.

Prevention

To reduce the risk of similar attacks, organizations should implement the following measures:

  • Enforce strict network segmentation between IT and OT systems.
  • Employ intrusion detection and prevention systems tailored for OT environments.
  • Conduct regular security audits and penetration tests focusing on OT infrastructure.
  • Train staff on cybersecurity awareness specific to OT risks.
  • Maintain an updated inventory of all OT assets and their security posture.
  • Establish real-time monitoring and alerting for anomalous activities within OT networks.
  • Collaborate with national cybersecurity agencies and industry partners to share threat intelligence.

Sources and corroboration

This article is based on multiple corroborating reports, primarily the detailed analysis published by GBHackers Security and investigations by Darktrace. These sources confirm the technical details and targeted nature of ZionSiphon malware against Israeli water infrastructure.

  • GBHackers Security: https://gbhackers.com/zionsiphon-hits-israeli-water/

The consolidation of these sources ensures a comprehensive understanding of the threat and its implications for critical infrastructure security.


Reviewer profile

Marcin Pocztowski, Infrastructure Security Editor at HackWatch.io

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "ZionSiphon Malware Targets Israeli Water Treatment Facilities with Operational Technology Sabotage".


Expertise tags: Server and network infrastructure administration; Known exploited vulnerabilities and patch prioritization; CVSS v4.0 and CISA KEV triage