Inside ZionSiphon: politically driven malware aims at Israeli water systems

17 April 2026, 06:06

New ZionSiphon malware targets water systems, and allows attackers to alter pressure and chlorine levels. A flaw makes it ineffective for now.

Darktrace analyzed ZionSiphon, a new malware designed to target water treatment and desalination systems, which aims to disrupt operations by altering hydraulic pressure and increasing chlorine levels to unsafe levels.

The malware combines common techniques like privilege escalation, persistence, and spreading via removable media with logic tailored to operational technology environments. ZionSiphon scans networks for OT services, modifies configurations, and focuses on Israeli targets using hardcoded IP ranges. Its code also contains political messages, suggesting ideological motives. However, parts of the implementation appear incomplete, indicating it may still be under development despite its potentially disruptive intent.

“The clearest indicators of intent in this sample are its hardcoded Israel-focused targeting checks and the strong political messaging found in some strings in the malware’s binary.” reads the report published by Darktrace. “In the class initializer, the malware defines a set of IPv4 ranges, including “2.52.0.0-2.55.255.255”, “79.176.0.0-79.191.255.255”, and “212.150.0.0-212.150.255.255”, indicating that the author intended to restrict execution to a narrow range of addresses. All of the specified IP blocks are geographically located within Israel.”

ZionSiphon includes Base64-encoded strings revealing clear political messaging, supporting groups opposing Israel and referencing harm to cities like Tel Aviv and Haifa. These messages highlight ideological motives. The malware also targets Israeli infrastructure, with hardcoded IP ranges and references to key water facilities and desalination plants. It checks for processes and files linked to water treatment systems, confirming a focused intent on disrupting Israel’s water sector.

ZionSiphon starts by checking if it has admin rights. If not, it relaunches itself using PowerShell with elevated privileges. Once active, it installs persistence by copying itself to a hidden path as “svchost.exe” and adding a registry autorun key to blend in with normal system activity.

It then checks if the system matches its target. It verifies the IP against specific ranges and looks for processes, files, and directories linked to water treatment or desalination systems. If the system doesn’t match, it deletes itself and cleans traces.

If the target is valid, it modifies local configuration files to increase chlorine levels and pressure. It scans the local network for OT devices using protocols like Modbus, DNP3, and S7, and attempts to interact with them. The Modbus logic is the most developed, allowing it to read and modify registers. Other protocols appear incomplete.

The malware also spreads via USB drives by copying itself as a hidden file and creating fake shortcuts that execute it when opened.

“The malware also includes a removable-media propagation mechanism. The “sdfsdfsfsdfsdfqw()” function scans for drives, selects those identified as removable, and copies the hidden payload to each one as “svchost.exe” if it is not already present. The copied executable is marked with the “Hidden” and “System” attributes to reduce visibility.” continues the report.

Overall, it mixes working capabilities with unfinished parts, suggesting it is still under development.
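A defender-side check for the persistence pattern described above, as an added example that is not from the article or the Darktrace report: it flags autorun entries whose executable borrows a Windows system binary name such as svchost.exe but runs from outside the System32 directories. The registry entries, paths and environment-variable table are constructed sample data.

```python
"""Flag autorun entries that masquerade as a Windows system binary.

Added example, not code from the article or the Darktrace report. It models
the pattern described there: a payload copied as "svchost.exe" outside
System32 and started from a registry Run key. All entries and paths below
are constructed sample data.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Binary names that legitimately live only under the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Minimal expansion table for variables commonly seen in Run values (assumed values).
ENV_VARS = {
    "%systemroot%": r"C:\Windows",
    "%windir%": r"C:\Windows",
    "%programdata%": r"C:\ProgramData",
    "%appdata%": r"C:\Users\operator\AppData\Roaming",
}


@dataclass
class AutorunEntry:
    key: str      # registry key holding the value
    name: str     # value name
    command: str  # command line stored in the value


def extract_executable(command: str) -> str:
    """Return the executable path from a Run-value command line.

    Quoted paths end at the closing quote; unquoted ones end at the first
    whitespace, so arguments such as "-k netsvcs" are dropped.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def expand_env(path: str) -> str:
    """Expand the variables in ENV_VARS case-insensitively."""
    for var, value in ENV_VARS.items():
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.IGNORECASE)
    return path


def is_masquerading(command: str) -> Optional[str]:
    """Explain why a command looks like system-binary masquerading, or None."""
    exe = expand_env(extract_executable(command))
    directory, base = ntpath.split(exe)
    if base.lower() not in SYSTEM_BINARIES:
        return None
    if ntpath.normpath(directory).lower() in LEGIT_DIRS:
        return None  # genuine system binary in its expected location
    return f"{base} started from non-system directory {directory or '<relative path>'}"


def scan_autoruns(entries: List[AutorunEntry]) -> List[str]:
    """Return one finding per suspicious entry, formatted key\\name: reason."""
    findings = []
    for entry in entries:
        reason = is_masquerading(entry.command)
        if reason:
            findings.append(f"{entry.key}\\{entry.name}: {reason}")
    return findings


RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [  # constructed sample data
    AutorunEntry("HKCU\\" + RUN_KEY, "SecurityHealth",
                 r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    AutorunEntry("HKLM\\" + RUN_KEY, "Updater",
                 r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    AutorunEntry("HKCU\\" + RUN_KEY, "svchost",
                 r'"C:\Users\operator\AppData\Roaming\.cache\svchost.exe"'),
    AutorunEntry("HKLM\\" + RUN_KEY, "Pump",
                 r"%ProgramData%\Logs\svchost.exe /s"),
]

if __name__ == "__main__":
    for finding in scan_autoruns(SAMPLE_ENTRIES):
        print(finding)
```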

The researchers note that this version of ZionSiphon contains sabotage and scanning features, but fails in its own targeting logic. The malware compares encoded values to verify if a system belongs to a specific country, but the encryption function produces a different result than expected. Because of this mismatch, the check always fails, even on valid targets, so the malware never activates its payload.

“Although the file contains sabotage, scanning, and propagation functions, the current sample appears unable to satisfy its own target-country checking function even when the reported IP falls within the specified ranges.” continues the report. “This behavior suggests that the version is either intentionally disabled, incorrectly configured, or left in an unfinished state.”

When the target check fails, the malware triggers a self-destruct routine. It removes its persistence from the registry, writes a log message explaining the mismatch, and creates a script that repeatedly tries to delete the malware before removing itself. This suggests the sample is either unfinished, misconfigured, or intentionally disabled.

“Even in its unfinished state, ZionSiphon underscores a growing trend in which threat actors are increasingly experimenting with OT‑oriented malware and applying it to the targeting of critical infrastructure.” concludes the report. “Continued monitoring, rapid anomaly detection, and cross‑visibility between IT and OT environments remain essential for identifying early‑stage threats like this before they evolve into operationally viable attacks.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ZionSiphon malware)


Hackers claim control over Venice San Marco anti-flood pumps

12 April 2026, 10:34

Hackers breached Venice’s San Marco flood system, claiming control of pumps and the ability to disable defenses and flood coastal areas.

The technologies that govern the physical world are the quiet infrastructure of modern life. From energy grids to water systems, from factories to flood defenses, operational technology (OT) has long had one essential mission: to keep everything running.

But today, that is no longer enough. The question the market is asking has fundamentally changed: can these systems withstand a cyberattack? If the answer is no, then what we are building is not infrastructure, it is vulnerability at scale.

This shift is not theoretical. It is happening now, and recent events in Venice have made it painfully real.

A cyberattack recently targeted the hydraulic pump system that protects Piazza San Marco (Venice) from flooding, an iconic location visited by millions each year. The threat actor, operating under names such as “Infrastructure Destruction Squad” or “Dark Engine,” claimed to have gained administrative access to the system. In their own words, they suggested they could “disable defenses and flood coastal areas,” turning a digital intrusion into a potential physical disaster.

The group announced the security breach on its Telegram channel with the following post written in Chinese language:

“We, the Infrastructure Destruction Squad, hereby formally announce the truth about the San Marco incident:

Yes, you conducted new checks after the attack in late March. Yes, equipment tests came back positive after Easter. But what you haven’t understood is that we refused to completely shut down the flood defense system.

We are not here to destroy you. We are simply here to deliver a message: We can do it, and we are still inside your network.

No tests conducted by your security teams can drive us away. No system updates can expel us. We have been here for months and will remain here for months to come.

Any newspaper that disseminates this news without understanding the truth, prepare for a devastating attack. We will prove to you that you are vulnerable.”

The breach reportedly began in late March, with attackers accessing the control interface of the system. By early April, they started releasing evidence: screenshots of control panels, system layouts, and valve states. The hackers claimed they had breached Italy’s flood risk reduction system, gaining full control to potentially disable defenses and flood areas. They said the goal was to expose critical infrastructure weaknesses and even enable political pressure. The group also offered to sell full root access to the system for just $600, highlighting both the severity of the breach and the low barrier to potential misuse.

“We announce the hacking of the system: SISTEMA DI RIDUZIONE RISCHIO ALLAGAMENTO (Flood Risk Reduction System) belonging to the Italian Ministry of Infrastructure and Transport. We have taken full control of the system. Political objective: To expose the vulnerability of Italy’s critical infrastructure. Control of this system enables the disabling of floodgates, flooding of coastal areas, and political blackmail of the Italian government. Offer for sale: We are granting full root access to the control system. The price is 600 USD for any party wishing to purchase access.”

While authorities confirmed that critical systems protecting the Basilica di San Marco remained unaffected, the incident exposed a deeply concerning reality: even highly symbolic and strategically important infrastructure can be probed, accessed, and potentially manipulated.

Incidents of this kind are particularly concerning because, unlike traditional IT systems, OT directly interacts with physical processes. When compromised, the consequences are not just data loss, but service disruption, economic damage, and even threats to public safety.

This is not an isolated case. Across the globe, critical infrastructure is becoming increasingly exposed. The convergence of IT and OT, remote access for maintenance, and the widespread use of legacy technologies have created a perfect storm of risk. Many industrial systems were never designed with security in mind. They were built for longevity and reliability, not resilience against adversaries. And adversaries are evolving fast.

On April 7, 2026, U.S. agencies, including FBI, CISA, and NSA, warned of Iran-linked APTs exploiting internet-exposed OT systems.

Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.

The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urged organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.

These actors are not necessarily exploiting unknown vulnerabilities; they are often leveraging legitimate tools and exposed interfaces to gain access and manipulate operations.

In other words, the attack surface is not just technical, it is architectural.

The Venice incident also highlights a broader strategic shift. This was not a typical ransomware attack aimed at financial gain. The symbolic “price” reportedly associated with access, just a few hundred dollars, suggests a different motivation. The goal appears to be demonstration and disruption, a way to show that critical infrastructure can be reached, influenced, and potentially weaponized.

For organizations operating in industrial sectors, the implications are profound. Security can no longer be an afterthought, something added later as a patch or a compliance checkbox. It must be embedded from the start, secure-by-design.

That means:

  • Controlled and monitored access
  • Strong authentication mechanisms
  • Segmentation between IT and OT networks
  • Continuous monitoring and threat detection
  • Protection of remote connections and supply chains

Companies that fail to adopt these principles are not just behind, they are exposing themselves and their customers to unacceptable risk. And yet, within this challenge lies a major opportunity.

In today’s industrial landscape, success is no longer defined by building machines that simply work. It is defined by building systems that remain trustworthy, even when under attack. The winners will be those who can guarantee not just performance, but resilience.

This is a win-win scenario. Secure systems protect businesses, ensure continuity, and safeguard public trust. They also create competitive advantage in a market that increasingly values reliability under pressure.

The story of Venice is a warning, but also a lesson.

It reminds us that the line between cyber and physical is gone. That a vulnerability in code can translate into water rising in a historic square. That attackers no longer need to break in with force, they can log in.

And most importantly, it reinforces a simple but urgent truth:

In the world of OT, security is no longer optional. It is foundational.

Pierluigi Paganini

(SecurityAffairs – hacking, Venice)


Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.

11 April 2026, 17:39

Censys researchers found 5,219 exposed Rockwell PLCs online, mostly in the U.S., urging defenders to secure or disconnect them.

On April 7, 2026, U.S. agencies, including FBI, CISA, and NSA, warned of Iran-linked APTs exploiting internet-exposed Rockwell Automation PLCs.

Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.

The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urged organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.

Organizations are advised to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support.

Censys researchers identified 5,219 exposed devices globally, 74.6% in the U.S., many on cellular networks. Analysis of indicators suggests multiple IPs tied to a single compromised engineering workstation, expanding the known attack surface beyond initial disclosures.

“Censys identifies 5,219 internet-exposed hosts globally responding to EtherNet/IP (port 44818) and self-identifying as Rockwell Automation/Allen-Bradley devices.” reads the report published by Censys. “Geographic distribution is heavily skewed toward the United States, which accounts for 74.6% of global exposure — consistent with Rockwell’s dominant market position in North American industrial automation.”

The researchers pointed out that the exposure of Rockwell Automation PLCs extends beyond the U.S., with notable concentrations in Spain, Taiwan, and Italy, while Iceland shows disproportionate exposure. According to Censys, many devices are connected via cellular networks, with providers like Verizon and AT&T accounting for a large share. This indicates field-deployed systems (e.g., utilities and substations) relying on cellular or even satellite links like Starlink, making monitoring and patching difficult.

Most exposed devices belong to MicroLogix and CompactLogix families, often running outdated firmware.

“EtherNet/IP identity responses expose device-level product strings, enabling granular fingerprinting of PLC model and firmware revision without authentication.” continues the report. “The top 15 product strings are dominated by two families: MicroLogix 1400 (catalog prefix 1766-) and CompactLogix (1769-, 5069-), with one Micro820 (2080-) entry.”

Iran-linked APTs exploiting internet-exposed Rockwell Automation PLCs

Since device details can be identified remotely without authentication, attackers can easily scan, identify, and prioritize vulnerable systems, increasing risks for sectors like energy and water infrastructure.

Censys found that the 5,219 exposed Rockwell Automation PLC hosts often run additional services beyond EtherNet/IP, increasing risk. Key exposures include VNC for remote HMI access, Telnet (cleartext legacy access), Modbus for OT communication, and Red Lion Crimson in mixed-vendor setups. These services expand attack paths and raise the risk to industrial systems.
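What an unauthenticated EtherNet/IP identity response gives away, as an added example that is not Censys’s code or the article’s: the parser decodes the List Identity reply a device on port 44818 returns (vendor, device type, product code, firmware revision, serial number and product string) and builds a sample reply to run against. The reply bytes, product code and catalog string are constructed sample data.

```python
"""Parse EtherNet/IP List Identity replies the way an exposure scan would.

Added example, not code from Censys or the article. It decodes the CIP
Identity item that a device on port 44818 returns without authentication,
which is the fingerprinting the article describes. The reply bytes, product
code and catalog string are constructed sample data, not a captured response.
"""
import struct
from dataclasses import dataclass
from typing import List

ENIP_LIST_IDENTITY = 0x0063   # encapsulation command code
ITEM_CIP_IDENTITY = 0x000C    # item type carried in the reply
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}  # ODVA vendor ID 1
DEVICE_TYPES = {0x0E: "Programmable Logic Controller", 0x0C: "Communications Adapter"}


@dataclass
class Identity:
    advertised_ip: str   # address the device reports in its own sockaddr field
    vendor_id: int
    device_type: int
    product_code: int
    revision: str        # "major.minor" firmware revision
    serial: int
    product_name: str
    state: int

    def describe(self) -> str:
        vendor = VENDORS.get(self.vendor_id, f"vendor {self.vendor_id}")
        dtype = DEVICE_TYPES.get(self.device_type, f"type 0x{self.device_type:02x}")
        return (f"{vendor} {self.product_name} [{dtype}, fw {self.revision}, "
                f"serial {self.serial:08x}, advertised {self.advertised_ip}]")


def _parse_identity_item(body: bytes) -> Identity:
    # Item body: encapsulation protocol version (2) + sockaddr_in (16, big-endian)
    # + CIP identity fields (little-endian) + SHORT_STRING product name + state.
    _family, _port, addr = struct.unpack_from(">HH4s", body, 2)
    (vendor, dev_type, code, rev_major, rev_minor,
     _status, serial, name_len) = struct.unpack_from("<HHHBBHIB", body, 18)
    name_start = 18 + 15
    if len(body) < name_start + name_len + 1:
        raise ValueError("identity item truncated")
    name = body[name_start:name_start + name_len].decode("ascii", errors="replace")
    state = body[name_start + name_len]
    return Identity(".".join(str(b) for b in addr), vendor, dev_type, code,
                    f"{rev_major}.{rev_minor}", serial, name, state)


def parse_list_identity(packet: bytes) -> List[Identity]:
    """Return every CIP Identity item found in a List Identity reply."""
    if len(packet) < 24:
        raise ValueError("short encapsulation header")
    command, length, _session, status, _ctx, _opts = struct.unpack_from("<HHII8sI", packet, 0)
    if command != ENIP_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{command:04x} / status {status}")
    data = packet[24:24 + length]
    if len(data) != length:
        raise ValueError("command data shorter than the header length field")
    (count,) = struct.unpack_from("<H", data, 0)
    offset, items = 2, []
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        body = data[offset:offset + item_len]
        offset += item_len
        if item_type == ITEM_CIP_IDENTITY and len(body) == item_len:
            items.append(_parse_identity_item(body))
    return items


def build_sample_reply(product_name: str, serial: int) -> bytes:
    """Assemble a spec-shaped reply from constructed values (sample data only)."""
    name = product_name.encode("ascii")
    body = struct.pack("<H", 1)                                             # protocol version
    body += struct.pack(">HH4s8s", 2, 44818, bytes([192, 168, 10, 20]), b"\0" * 8)
    body += struct.pack("<HHHBBHIB", 1, 0x0E, 0x0061, 21, 0, 0x0030, serial, len(name))
    body += name + bytes([0x03])                                            # name, state
    data = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(body)) + body      # count + item
    header = struct.pack("<HHII8sI", ENIP_LIST_IDENTITY, len(data), 0, 0, b"\0" * 8, 0)
    return header + data


if __name__ == "__main__":
    reply = build_sample_reply("1766-L32BWA B/21.00", 0x00A1B2C3)
    for identity in parse_list_identity(reply):
        print(identity.describe())
```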

The report also provides Indicators of Compromise (IOCs) and technical details about the operator infrastructure.

Pierluigi Paganini

(SecurityAffairs – hacking, Rockwell PLCs)


Internet-Exposed ICS Devices Raise Alarm for Critical Sectors

9 April 2026, 04:20

Exposed ICS devices and insecure protocols like Modbus increase risks to critical infrastructure, enabling disruption, data access, and potential sabotage.

Malware targeting industrial control systems (ICS) poses a serious risk to critical infrastructure, with threats like Stuxnet, Industroyer, Triton, Havex, and BlackEnergy already demonstrating the ability to disrupt operations, cause outages, and even inflict physical damage. Recent research shows that ICS vulnerability disclosures nearly doubled between 2024 and 2025, driven in part by increased interest from threat actors targeting sectors such as energy, manufacturing, and utilities.

A key concern is the exposure of ICS devices to the internet, especially those using legacy protocols like Modbus. Widely used in industrial environments to enable communication between sensors and controllers, Modbus lacks basic security features such as encryption and authentication. This makes internet-exposed devices particularly vulnerable, as attackers can both read and modify data without needing credentials.

To better understand the scale of the issue, researchers conducted a global scan for devices responding on port 502, the default port for Modbus. Out of 311 initial responses, 179 were identified as likely real ICS devices after filtering out honeypots and unreliable data. These devices were found across multiple countries, with the United States hosting the largest number (57), followed by Sweden (22) and Turkey (19).

Some of the exposed systems were linked to highly sensitive environments. For example, one device appeared to be part of a national railway network, where ICS systems are used for train routing and signalling—functions critical to both safety and operations. Other devices were tied to national power grids in Europe and Asia, where ICS technology plays a central role in monitoring energy consumption and controlling distribution.

In terms of vendors, many devices did not reveal detailed manufacturer information, which is common for custom or embedded systems. However, among those that did, Schneider Electric devices were the most common, followed by Data Electronics and ABB Stotz-Kontakt.

“The majority of devices (128) only exposed their firmware versions and/or internal IDs without including a vendor string. This is to be expected from custom controllers or embedded modules.” reads the report published by Comparitech. “A total of 54 devices did advertise their manufacturer (though not always their model information). Schneider devices were most prevalent (22 instances), followed by Data Electronics (14 instances) and ABB Stotz-Kontakt (6 instances).”

Examples of exposed equipment included logic controllers, processor modules, energy meters, and power quality loggers—components essential for managing industrial processes and electrical systems.

Exposing device details such as make and model increases the risk further. Attackers can use this information to locate documentation like register maps, which define how data is stored and interpreted within the device. These registers may contain critical operational data such as temperature, voltage, pressure, or system status. In one case, researchers were able to monitor real-time energy consumption of a live system using publicly available documentation.

Even when device details are not explicitly disclosed, attackers may infer their function by analyzing how data values change over time. Since Modbus allows write access without authentication, attackers could alter register values, potentially disrupting operations. Even small changes could have cascading effects on industrial processes that rely on accurate sensor data.
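A monitoring-side illustration of the point above, as an added example that is not from the Comparitech report or the article: it decodes Modbus/TCP requests, separates read function codes from the write codes the protocol accepts without credentials, and alerts on writes from anything other than an assumed engineering host and on any request from outside an assumed plant subnet. The frames, addresses and allowlist are constructed.

```python
"""Classify Modbus/TCP requests and flag unauthenticated writes.

Added example, not code from the Comparitech report or the article: parses
the MBAP header and PDU of captured requests, separates read from write
function codes, and alerts on writes from any host but the assumed engineering
workstation and on requests from outside the assumed plant network. Frames,
addresses and the allowlist are constructed sample data.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

READ_FUNCS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
               0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # assumed plant network
WRITE_ALLOWLIST = {"10.20.1.5"}                     # assumed HMI / engineering host


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int] = None
    quantity: Optional[int] = None
    values: List[int] = field(default_factory=list)

    def describe(self) -> str:
        name = (WRITE_FUNCS.get(self.function) or READ_FUNCS.get(self.function)
                or f"function 0x{self.function:02x}")
        return f"{name} unit {self.unit_id} addr {self.address} qty {self.quantity}"


@dataclass
class Frame:  # one captured TCP payload sent to port 502 (constructed)
    src: str
    dst: str
    payload: bytes


def parse_request(payload: bytes) -> ModbusRequest:
    """Decode MBAP header + PDU, validating the length field against the frame."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack_from(">HHHB", payload, 0)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length disagrees with frame size")
    pdu = payload[7:]
    req = ModbusRequest(tid, unit, pdu[0])
    if req.function in (0x01, 0x02, 0x03, 0x04):
        req.address, req.quantity = struct.unpack_from(">HH", pdu, 1)
    elif req.function in (0x05, 0x06):
        req.address, value = struct.unpack_from(">HH", pdu, 1)
        req.quantity, req.values = 1, [value]
    elif req.function == 0x10:
        req.address, req.quantity, byte_count = struct.unpack_from(">HHB", pdu, 1)
        if byte_count != 2 * req.quantity or len(pdu) != 6 + byte_count:
            raise ValueError("inconsistent Write Multiple Registers request")
        req.values = list(struct.unpack_from(f">{req.quantity}H", pdu, 6))
    return req


def assess(frames: List[Frame]) -> List[str]:
    """Return one alert line per policy violation found in the capture."""
    alerts = []
    for f in frames:
        try:
            req = parse_request(f.payload)
        except (ValueError, struct.error) as exc:  # struct.error: PDU too short
            alerts.append(f"{f.src}->{f.dst}: malformed Modbus frame ({exc})")
            continue
        if ipaddress.ip_address(f.src) not in OT_SUBNET:
            alerts.append(f"{f.src}->{f.dst}: {req.describe()} from outside the plant network")
        if req.function in WRITE_FUNCS and f.src not in WRITE_ALLOWLIST:
            alerts.append(f"{f.src}->{f.dst}: unauthorised {req.describe()} values {req.values}")
    return alerts


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prefix a PDU with an MBAP header (used only to build the sample frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


PLC = "10.20.5.10"
SAMPLE_FRAMES = [  # constructed capture
    Frame("10.20.1.5", PLC, mbap(1, 1, b"\x03" + struct.pack(">HH", 0, 10))),     # HMI poll
    Frame("10.20.1.5", PLC, mbap(2, 1, b"\x06" + struct.pack(">HH", 40, 1200))),  # allowed write
    Frame("10.20.7.33", PLC, mbap(3, 1, b"\x10" + struct.pack(">HHB", 40, 2, 4)
                                        + struct.pack(">HH", 1500, 9))),           # rogue write
    Frame("203.0.113.77", PLC, mbap(4, 1, b"\x03" + struct.pack(">HH", 0, 125))),  # internet source
]
```

Running `assess(SAMPLE_FRAMES)` yields two alerts: the unallowlisted Write Multiple Registers from 10.20.7.33 and the read from the non-plant address.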

The broader context makes the issue even more urgent. The global ICS market is growing rapidly, expected to more than double in value by 2033. As more devices are connected to networks, the attack surface expands, increasing the likelihood of exploitation if proper security measures are not implemented.

From a defensive standpoint, basic protections such as firewalls, VPNs, network segmentation, and strong authentication are essential to prevent unauthorized access. However, many ICS environments still rely on outdated architectures that were originally designed for isolated networks, not today’s interconnected landscape.

The research highlights how even attackers with limited technical skills could exploit exposed ICS devices, particularly those using insecure protocols like Modbus, DNP3, or BACnet.

“From an attacker’s perspective, devices running protocols like Modbus (as well as DNP3, or BACnet) are particularly vulnerable because they were designed for closed networks and often lack built-in authentication or encryption.” continues the report. “These devices could be exploited by attackers with limited technical expertise if exposed directly to the internet. This is particularly concerning given some ICS devices’ critical role in economic activity and essential infrastructure.”

Given the critical role these systems play in infrastructure and economic activity, their compromise could have wide-ranging consequences, from service disruptions to safety hazards.

In summary, the growing exposure of ICS devices, combined with insecure legacy protocols and increasing attacker interest, creates a high-risk environment. Without significant improvements in how these systems are secured and managed, industrial infrastructure will remain a prime target for cyber threats.

More info is included in the report by Justin Schamotta and Mantas Sasnauskas.

Pierluigi Paganini

(SecurityAffairs – hacking, ICS)


U.S. agencies alert: Iran-linked actors target critical infrastructure PLCs

8 April 2026, 04:46

U.S. agencies warn Iran-linked threat actors are targeting internet-exposed PLCs used in critical infrastructure networks.

U.S. agencies, including the FBI and CISA, warn that Iran-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs used in critical infrastructure. The agencies published a joint advisory involving multiple federal organizations.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.” reads the joint advisory. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.”

Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.

The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urge organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.

Organizations are advised to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support.

“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations.” continues the alert. “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.”

During a campaign starting in November 2023, IRGC-linked hackers known as CyberAv3ngers targeted U.S. PLCs and HMIs, disrupting operations. Also tracked under multiple names, the group compromised at least 75 devices, including Unitronics PLCs used across sectors like water and wastewater systems.

“During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as “CyberAv3ngers” targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS”

According to the joint advisory, Iran-linked actors gained initial access to internet-facing Rockwell/Allen-Bradley PLCs using overseas IPs and leased infrastructure, leveraging tools like Studio 5000 Logix Designer. They targeted devices such as CompactLogix and Micro850. For command and control, attackers used ports including 44818, 2222, 102, 22, and 502, and deployed SSH tools like Dropbear for remote access. Activity suggests possible targeting of other vendors, including Siemens PLCs. The attacks enabled the extraction of project files and manipulation of data on HMI and SCADA systems, causing disruption.

Government experts recommend disconnecting PLCs from the internet or protecting them with a firewall, monitoring OT ports for suspicious traffic, scanning logs for indicators of compromise, enabling multifactor authentication, updating firmware, disabling unused services or default keys, and continuously monitoring network activity.

In mid-March, the EU sanctioned Chinese and Iranian firms and individuals for cyberattacks targeting critical infrastructure and over 65,000 devices across member states.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)
