One day AI may be capable of creating malware that threatens critical infrastructure.
But that day was not earlier this month, when reports surfaced of a new piece of malware seemingly configured to search for and sabotage Israeli water infrastructure, according to industrial cybersecurity firm Dragos.
The malware, called ZionSiphon, was first identified by AI cybersecurity firm Darktrace, which said it was designed to target operational technology and industrial control system environments. The code scans the internet for IP addresses tied to water treatment and desalination plants owned or operated in Israel, with the goal of compromising them to sabotage the levels of chlorine and poison water supplies.
Strings in the malware’s binary code included the names of different components of the Israeli water sector, as well as politically-themed messaging, such as “In support of our brothers in Iran, Palestine, and Yemen against Zionist aggression.”
But a technical lead malware analyst at Dragos, Jimmy Wyles, called the malware nothing more than “hype,” claiming it poses no threat to water plants in Israel or anywhere else.
For instance, whoever wrote the malware appears to have little knowledge of how operational technology works at Israeli water plants.
“The code is broken and shows little to no knowledge of dam desalination or ICS protocols,” wrote Wylie.
The developers also appeared to use AI to generate significant portions of the code, leading to hallucinations and errors. All the Windows-based process names and directory paths designed to confirm that a target was related to water desalination were filled with “fictional and likely LLM generated guesses.” The configuration files purportedly designed to manipulate chlorine levels were also fake and likely created using AI.
Darktrace’s analysis notes that the malware sample they tested appears to be dysfunctional, citing an incorrect configuration in the code’s country targeting functions.
But Wylie wrote that the malware still would have been harmless to water treatment plants even when correctly configured, because the rest of the code was so riddled with “logic errors and invalid assumptions” that it would have been inoperable.
Similar maturity and logic issues were found in the malware’s USB infection and self-destruction capabilities. Wylie said Dragos was withholding additional technical analysis of the flaws plaguing ZionSiphon because they’re “not in the enterprise of fixing malware for adversaries.”
The episode highlights an ongoing dispute around how much attention defenders – particularly those who work with operational technology – should give to more novel threats like AI-enabled hacking, versus more established tactics, techniques and procedures that have been successfully wielded by foreign hacking groups.
Operational technology – the systems that control or manipulate the machinery used in water facilities, electrical power plants and other industrial sectors – differs substantially from information technology environments. That presents challenges for both cybersecurity defenders and malicious hackers who often lack the industry-specific knowledge or skillset to design effective exploits.
To wit, Dragos claims there are publicly less than 10 malware samples capable of threatening industrial control systems. ZionSiphon is not one of them.
Wylie was critical of the way threat intelligence corporations and media outlets initially framed the danger posed by the malware, saying it was overblown and likely diverted water sector cybersecurity resources away from more tangible threats, like Volt Typhoon, the Chinese-backed hacking group that U.S. intelligence officials say has burrowed deep into American critical infrastructure.
“Those responsible for protecting water treatment facilities and other critical infrastructure have finite time and attention,” Wylie wrote. “Spending either on ZionSiphon means spending less on threat groups like [Volt Typhoon], which have a demonstrated history of intrusions into those environments and are a far more pressing concern.”
The post Dragos: Despite AI use, new malware targeting water plants is ‘hype’ appeared first on CyberScoop.
Leave a comment