
Iran-linked threat actor Handala claims to have hacked California Water Service (Cal Water), and published five gigabytes of data purportedly stolen from the US water utility.
The hacking group said the intrusion was retaliation for recent U.S. actions in Iran and claimed that, although it chose not to, it could have disrupted water access. While Handala's actual level of access has not been confirmed, threat intelligence company Dataminr says the threat actor likely hacked into Cal Water's RTKBase instance, a GNSS base station platform, and then moved laterally to a billing system.
Cal Water is one of the largest investor-owned water utilities in the U.S., with roughly two million customers across 100 communities in California. The firm says that Cal Water’s Chico District has been confirmed as the victim of the attack. Data leaked by Handala shows it likely accessed a customer billing database and Cal Water’s internal RTKBase application.
Handala's dump appears to be a bulk database export containing personally identifiable information (PII) such as names, addresses, phone numbers, account numbers, and payment histories. It also includes administrative credentials for the RTKBase platform and a mountpoint-level NTRIP source password. The threat actor also enumerated the IP addresses associated with Cal Water's NTRIP network across seven districts.
Industry stakeholders offer the following thoughts:
Sean Malone, CISO, BeyondTrust
"Nothing in the published evidence supports Handala's claim that it can shut off water in U.S. cities. Dataminr assesses that the group reached a GPS correction server and a customer billing database. Neither system controls water treatment or distribution, and Dataminr states that OT or ICS disruption is not confirmed in this incident.
"As BeyondTrust noted in its Epic Fury threat advisory, Handala has a record of overstating its capabilities. The boast about choosing to spare the water supply reads as the psychological operation itself.
"BeyondTrust's Epic Fury advisory laid out the response playbook for critical infrastructure operators: validate patching on internet-facing systems, enforce phishing-resistant MFA on privileged accounts, restrict internet exposure of administrative interfaces, and monitor for anomalous outbound transfers.
"Our advisory described Iran's cyber proxy ecosystem as operating at "wartime tempo." More than three months in, this incident shows the tempo holding."
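The last item in the playbook above, monitoring for anomalous outbound transfers, is the one most often left as a slogan. The following added example (not BeyondTrust's, Dataminr's or Cal Water's code) shows one workable shape for it: per-host daily outbound volume is compared with that host's own median, and a day is flagged only when it exceeds both a multiple of the baseline and an absolute floor, so a quiet telemetry host does not alert on trivial growth. The log format, addresses and dates are constructed for the example.

```python
"""
Flag hosts whose outbound transfer volume is anomalous relative to their own
baseline, using constructed firewall/NetFlow-style log lines (added example;
the format, hosts and dates are assumptions, not data from any real utility).
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample: one business host with steady HTTPS traffic and one
# telemetry host that normally sends ~1 KB/day to an NTRIP caster (port 2101),
# then suddenly pushes 5 GiB to a never-before-seen destination.
SAMPLE_LOGS = """\
2025-06-01 10.20.0.15 -> 203.0.113.10:443 bytes_out=18240
2025-06-01 10.20.0.15 -> 203.0.113.22:443 bytes_out=20110
2025-06-01 10.20.0.40 -> 198.51.100.7:2101 bytes_out=950
2025-06-02 10.20.0.15 -> 203.0.113.10:443 bytes_out=17930
2025-06-02 10.20.0.40 -> 198.51.100.7:2101 bytes_out=1010
2025-06-03 10.20.0.15 -> 203.0.113.10:443 bytes_out=19050
2025-06-03 10.20.0.40 -> 198.51.100.7:2101 bytes_out=980
2025-06-04 10.20.0.15 -> 203.0.113.10:443 bytes_out=18700
2025-06-04 10.20.0.40 -> 203.0.113.99:443 bytes_out=5368709120
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)"
    r" bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse log lines into (day, src, dst, port, bytes) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["day"], m["src"], m["dst"], int(m["port"]), int(m["bytes"])))
    return records


def find_anomalous_outbound(text, factor=10.0, min_bytes=100 * 1024 * 1024):
    """
    Return one alert per (src, day) whose outbound total exceeds `factor` times the
    host's median daily total AND the absolute floor `min_bytes`. The median is
    robust to the anomalous day itself, so no separate training window is needed.
    Each alert lists destinations the host had not contacted on any earlier day,
    a second signal that a bulk export is leaving by a new route.
    """
    daily = defaultdict(lambda: defaultdict(int))        # src -> day -> bytes
    dsts_by_day = defaultdict(lambda: defaultdict(set))  # src -> day -> {dst}
    for day, src, dst, _port, nbytes in parse_flows(text):
        daily[src][day] += nbytes
        dsts_by_day[src][day].add(dst)

    alerts = []
    for src, per_day in daily.items():
        baseline = median(per_day.values())
        seen = set()
        for day in sorted(per_day):
            total = per_day[day]
            new_dsts = sorted(dsts_by_day[src][day] - seen)
            seen |= dsts_by_day[src][day]
            if total >= min_bytes and total > factor * baseline:
                alerts.append({"src": src, "day": day, "bytes": total,
                               "baseline": baseline, "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalous_outbound(SAMPLE_LOGS):
        print(alert)
```

On the sample, only the telemetry host's last day is reported, with its baseline of roughly 1 KB/day and the new destination attached. The absolute floor is the setting to tune per environment: a host's own median is a strong baseline, but without a floor any host that normally sends almost nothing would alert on harmless growth.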
Agnidipta Sarkar, Chief Evangelist at ColorTokens
"Handala's operations are designed to generate fear, uncertainty, and media attention. If we analyze Handala's recent attacks and set political rhetoric aside, they seem to have a flair for operational disruption, data destruction, and publicly publishing the results.
"From what is known so far, it seems Handala likely possesses the capability to compromise poorly secured water-sector environments, but I do not find any indication that they have acquired capabilities to disrupt SCADA systems, PLCs, pump controls, treatment systems or other OT systems, even though they might have access to IT.
"However, considering that Iranian-affiliated actors have successfully targeted OT systems in the water sector, they could acquire this capability.
"In my view, the claim should be treated as a credible warning of intent and potential capability, but not as proof that the group can currently shut off water supplies across American cities. If I had to look at this from a breach readiness perspective, I would immediately conduct a Breach Readiness Impact Assessment for my OT systems to determine reachability to my control systems and enforce strict microsegmentation controls to deny lateral movement in the event of such attacks.
"The benefit of using a pervasive microsegmentation platform is that it can use the same zoning controls in the IT systems and provide a single pane of control to leadership managing Water Systems, to infuse confidence in stakeholders."
John Gallagher, Vice President at Viakoo
"Threat intelligence analysis indicates that the breach was contained to an internal global navigation satellite system (GNSS) platform called RTKBase and a customer billing database; actual operational technology (OT) or industrial control system (ICS) disruption has not been confirmed.
"This should be treated as a warning shot—and a highly dangerous one. While Handala framed the lack of disruption as a conscious choice, their past behavior proves they are highly volatile. Intelligence reports note that Handala’s standard toolkit includes custom data wipers and Master Boot Record (MBR)-overwriting capabilities.
"The group has a documented history of rapidly escalating from data theft to full-scale destructive operations within the exact same campaign cycle. Handala used this incident to exfiltrate five gigabytes of data (including customer names, addresses, and payment histories) and harvest administrative credentials, mapping out infrastructure that could be weaponized later.
"There can be parallels made to the Colonial Pipeline shutdown, where threat actors were able to leverage a billing server to impact pipeline operations. This was the reverse (going from operational systems to a billing server), which demonstrates that pivot points between the two domains are being exploited.
"Organizations should not delay in reviewing key protections, especially in eliminating pivot points between OT/IoT and corporate networks. Organizations must enforce strict, zero-trust network segmentation. IoT applications, telemetry platforms, and smart infrastructure must reside on isolated networks completely separated from business systems like billing, email, or corporate databases. An asset compromise on the operational side should never grant access to enterprise data.
"Many OT organizations lose track of applications within their environment, providing an opening. These platforms should never be directly exposed to the public internet. Access must be tightly restricted behind secure, multi-factor authenticated (MFA) VPNs or zero-trust network access (ZTNA) gateways."
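The two controls in the comment above, no OT/telemetry-to-business pivot paths and no administrative interfaces reachable directly from the internet, can be checked mechanically against a rule set before it is deployed. The following is an added example (not Viakoo's code and not any utility's real configuration): a small zone-aware audit that flags allow-rules creating either condition, shown against a weak rule set and its corrected counterpart. The zone names, address ranges, rule tuple format and port list are all assumptions made for the example.

```python
"""
Audit simple firewall rules against a zone model: flag OT/telemetry <-> business
pivots and admin ports exposed straight to the internet (added example; the
zones, address ranges and rule format are hypothetical).
"""
import ipaddress

# Constructed zone model with hypothetical ranges (not any real utility's network).
ZONES = {
    "ot_telemetry": ipaddress.ip_network("10.50.0.0/24"),  # GNSS base station, telemetry collectors
    "business":     ipaddress.ip_network("10.20.0.0/24"),  # billing, email, corporate databases
    "ztna_gateway": ipaddress.ip_network("10.99.0.0/28"),  # MFA-enforced access broker
}
ADMIN_PORTS = {22, 80, 443, 3389}  # interactive / administrative services
ANY = "any"


def zone_of(cidr):
    """Map a rule endpoint to a zone; 'any' and addresses outside every zone count as internet."""
    if cidr == ANY:
        return "internet"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "internet"


def audit_rules(rules):
    """
    Return findings for allow-rules that (a) connect the OT/telemetry and business
    zones in either direction, or (b) let the internet reach an admin port inside a
    protected zone without passing through the ZTNA gateway zone.
    Rules are (src_cidr, dst_cidr, port, action) tuples. Each allow-rule is judged on
    its own; first-match ordering and rule shadowing are deliberately out of scope.
    """
    findings = []
    for src, dst, port, action in rules:
        if action != "allow":
            continue
        sz, dz = zone_of(src), zone_of(dst)
        if {sz, dz} == {"ot_telemetry", "business"}:
            findings.append(f"pivot: {sz} -> {dz} allowed on port {port} ({src} -> {dst})")
        if sz == "internet" and dz in ("ot_telemetry", "business") \
                and (port == ANY or port in ADMIN_PORTS):
            findings.append(f"exposure: internet -> {dz} admin port {port} on {dst}; "
                            f"broker this through ztna_gateway instead")
    return findings


# Weak rule set: the base-station web UI is published directly, and the telemetry
# subnet can open the billing database port.
WEAK_RULES = [
    (ANY,            "10.50.0.10/32", 443,  "allow"),   # base-station admin UI on the internet
    ("10.50.0.0/24", "10.20.0.0/24",  5432, "allow"),   # telemetry -> billing DB pivot
    (ANY,            ANY,             ANY,  "deny"),
]

# Corrected rule set: only the ZTNA gateway is internet-facing, only the gateway
# may reach the admin UI, and the OT-to-business path is explicitly denied.
HARDENED_RULES = [
    (ANY,            "10.99.0.0/28",  443,  "allow"),   # internet -> ZTNA gateway only
    ("10.99.0.0/28", "10.50.0.10/32", 443,  "allow"),   # gateway -> base-station admin UI
    ("10.50.0.0/24", "10.20.0.0/24",  ANY,  "deny"),    # no OT/telemetry -> business traffic
    (ANY,            ANY,             ANY,  "deny"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_rules(rules) or "no findings")
```

The audit reports two findings for the weak set and none for the hardened one. The pivot check is symmetric on purpose: a billing host that can reach the base station is as much a bridge as the reverse, which is the direction the incident above describes.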
Shane Barney, CISO at Keeper Security
"The technical evidence shows a GPS correction network and a customer billing system were compromised, exposing real customer data across multiple districts. Accessing multiple systems, publishing the data and making escalatory claims fits that playbook. The intent deserves serious attention regardless of where the access ended.
"The lesson for critical infrastructure owners and operators is in the lateral movement that took place. An internal system became a bridge to customer data because the network boundaries between them were not enforced. That is not a problem unique to this incident.
"Operational systems across the water sector have been connected to IT environments over time without the controls to match. Credential hygiene, network segmentation and consistent access controls are foundational. For organizations that have not yet made them a priority, this is a clear signal to start."