Iranian Cyber Group Handala Claims Cal Water Hack And Data Leak

Iran-linked cyber group Handala has claimed responsibility for a cyberattack targeting California Water Service, commonly known as Cal Water, and published approximately 5GB of data allegedly stolen from the US-based water utility. The hacking group stated on its blog that the breach was carried out in retaliation for recent United States actions in Iran and claimed it had the capability to disrupt water access systems but deliberately chose not to do so. Although the exact scope of the intrusion has not yet been officially confirmed, cybersecurity experts have raised concerns about the potential exposure of sensitive customer and infrastructure-related systems following the publication of the leaked data.

Threat intelligence company Dataminr reported that the attackers likely gained access through Cal Water’s RTKBase instance, which functions as a GNSS base station platform, before potentially moving laterally into a billing environment. Cal Water is among the largest investor-owned water utilities in the United States, serving nearly two million customers across approximately 100 communities in California. According to Dataminr’s assessment, the Chico District of Cal Water has been confirmed as affected by the incident. Information shared by Handala reportedly indicates unauthorized access to a customer billing database as well as Cal Water’s internal RTKBase application. Dataminr further noted that the RTKBase platform had reportedly been active for nearly 783 continuous hours at the time of the suspected access, with GPS correction data streaming across seven identified district mountpoints. The cybersecurity firm assessed that the RTKBase network and billing infrastructure operate separately, suggesting the RTKBase environment may have served as an initial access point or lateral movement pathway that enabled the attackers to reach customer billing systems.

The leaked information allegedly includes a bulk database export containing personally identifiable information, including customer names, residential addresses, phone numbers, account details, and payment histories. Reports also suggest that administrative credentials connected to the RTKBase platform, alongside a mountpoint-level NTRIP source password, were exposed in the published data. Additionally, Handala is believed to have conducted enumeration activities involving IP addresses associated with Cal Water’s NTRIP network across seven districts. While there is no confirmed evidence of operational technology or industrial control system disruption in the incident, Dataminr cautioned that Handala possesses tools capable of destructive cyber activity, including custom wiping malware such as Win.Handala, Handala Wiper, and Hamsa Wiper, along with capabilities to overwrite master boot records. The company noted that the group has previously escalated incidents from data theft to destructive activity within the same campaign cycle, citing earlier cases as examples of that behavior.

Dataminr advised affected organizations to immediately rotate all exposed credentials, temporarily take affected RTKBase systems offline for security auditing, and review network segmentation as well as access logs related to billing infrastructure. Cal Water has not publicly acknowledged the reported breach at the time of writing, although media reports indicate the company has been contacted for comment. Linked by United States authorities to Iran’s Ministry of Intelligence and Security, Handala has reportedly been active since at least 2008 and is known under multiple aliases, including Banished Kitten, Dune, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore. The group has been associated with activities ranging from hacktivism to destructive cyber operations, often focusing on data theft, malware deployment, and psychological campaigns. Dataminr warned that Handala’s operational approach frequently involves initial public claims followed by additional activity, prompting security teams to remain alert and strengthen monitoring measures.
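The report describes enumeration of the utility’s NTRIP mountpoints across seven districts and recommends reviewing access logs. The following script is an added example, not code from the article, from Dataminr or from the RTKBase project. It assumes a constructed, simplified caster access-log line format (timestamp, client IP, method, path, status), constructed sample log lines and constructed mountpoint names; it flags any client that requests several distinct mountpoints within a short window, which is the pattern a log review would look for when distinguishing a single rover polling one correction stream from a host sweeping every mountpoint.

```python
"""Flag NTRIP mountpoint enumeration in a caster access log (added example)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed, constructed line format: "<ISO-8601 timestamp> <client-ip> <method> <path> <status>".
# Real caster or reverse-proxy logs differ; adapt LINE_RE to the deployed format.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

Record = namedtuple("Record", "ts ip path status")

# Constructed mountpoint names standing in for the per-district streams.
KNOWN_MOUNTPOINTS = {f"DIST{i}" for i in range(1, 8)}

# Constructed sample: one legitimate rover polling a single mountpoint every hour,
# and one host that fetches the sourcetable, then hits every mountpoint plus a
# non-existent one within ten seconds.
SAMPLE_LOG = """\
2026-03-01T09:58:00Z 198.51.100.7 GET /DIST1 200
2026-03-01T10:00:03Z 203.0.113.9 GET / 200
2026-03-01T10:00:05Z 203.0.113.9 GET /DIST1 200
2026-03-01T10:00:06Z 203.0.113.9 GET /DIST2 200
2026-03-01T10:00:07Z 203.0.113.9 GET /DIST3 200
2026-03-01T10:00:08Z 203.0.113.9 GET /DIST4 200
2026-03-01T10:00:09Z 203.0.113.9 GET /DIST5 200
2026-03-01T10:00:10Z 203.0.113.9 GET /DIST6 200
2026-03-01T10:00:11Z 203.0.113.9 GET /DIST7 200
2026-03-01T10:00:12Z 203.0.113.9 GET /ADMIN 404
2026-03-01T10:58:00Z 198.51.100.7 GET /DIST1 200
2026-03-01T11:58:00Z 198.51.100.7 GET /DIST1 200
"""


def parse_line(line):
    """Parse one log line into a Record, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text, ip, _method, path, status = m.groups()
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return Record(ts, ip, path, int(status))


def detect_enumeration(log_text, known=KNOWN_MOUNTPOINTS, min_distinct=3,
                       window=timedelta(minutes=5)):
    """Return {client_ip: finding} for clients that request >= min_distinct distinct
    mountpoints within `window`. A finding lists the mountpoints probed, those not in
    the known set (e.g. guessed names), whether the sourcetable ("/") was fetched,
    and when the sweep started."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec.ip].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r.ts)
        sourcetable = any(r.path == "/" for r in recs)
        for i, first in enumerate(recs):
            probed = set()
            for r in recs[i:]:
                if r.ts - first.ts > window:
                    break
                if r.path != "/":
                    probed.add(r.path.lstrip("/"))
            if len(probed) >= min_distinct:
                findings[ip] = {
                    "mountpoints": sorted(probed),
                    "unknown": sorted(probed - known),
                    "sourcetable_fetched": sourcetable,
                    "start": first.ts.isoformat(),
                }
                break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

The thresholds (`min_distinct=3`, a five-minute window) are starting points, not tuned values: a fleet of rovers behind one NAT address can legitimately hit several mountpoints, so an alert from this check should be read together with the credential-rotation and segmentation review the report recommends rather than acted on alone.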
