CSA Research — ZionSiphon AI-Assisted ICS Malware Targeting Water Infrastructure
AI relevance: ZionSiphon embeds an MCP server in its C2 stack that feeds stolen OT telemetry to an LLM for AI-generated analysis of exploitable conditions, and code analysis reveals LLM-assisted development in the malware itself — the first documented case of an AI-assisted OT sabotage toolchain.
- The Cloud Security Alliance AI Safety Initiative published a research note on April 21, 2026 analyzing ZionSiphon, an ICS malware family targeting Israeli water treatment and desalination facilities.
- First seen on VirusTotal on June 29, 2025, shortly after the Twelve-Day War ceasefire. The malware contains embedded strings referencing "poisoning the population of Tel Aviv and Haifa."
- AI-assisted C2: The malware's C2 architecture includes an MCP server that exfiltrates reconnaissance data to an LLM, providing the operator with AI-generated analysis of environmental data and exploitable conditions.
- LLM-assisted development: Code analysis shows hallmarks of AI-generated code in portions of the malware, consistent with Darktrace's broader 2026 findings on LLM-generated malware in the wild.
- The malware implements a two-stage geographic/environmental filter: it checks the victim's IP against hardcoded Israeli network ranges and scans for water/desalination-related process names and paths before activating its payload.
- Targeted OT protocols include Modbus (port 502), DNP3 (port 20000), and S7comm (port 102). The Modbus attack path is most developed — designed to force elevated chlorine dosing, open valves, maximize pump flow, and increase reverse osmosis pressure.
- The current sample is non-functional due to an XOR key mismatch in the country-validation logic that triggers a self-destruct — but incomplete DNP3 and S7comm implementations indicate active development, not abandonment.
- ZionSiphon fits within a broader Iranian-linked campaign (Storm-0784/CyberAv3ngers) against water infrastructure that escalated to confirmed operational disruption across US facilities by April 2026.
Why it matters
This is the first documented malware sample combining LLM-assisted development, an MCP-based AI analysis layer in C2, and OT sabotage intent. The use of an MCP server for C2 is novel — the protocol designed for legitimate AI tool integration is being repurposed to structure stolen operational data for AI-assisted targeting. Water and wastewater utilities should treat this as an immediate call to audit OT network segmentation.
What to do
- Audit OT network segmentation: ensure control networks have no exposure to corporate IT or internet-connected jump hosts.
- Review USB device policies at water/wastewater facilities — the malware spreads via removable media.
- Monitor for anomalous Modbus register writes, especially to chlorine dosing and pump control registers.
- Treat MCP-based C2 channels as an emerging TTP — network monitoring should flag unusual MCP traffic from non-standard hosts.