Flash Briefing | Severity: High | Sector: Critical Infrastructure

Handala Claims Breach of California Water Service, Exposing Customer Data and GNSS Credentials

Handala, the Iran-linked threat group attributed to Iran’s Ministry of Intelligence and Security (MOIS), claimed on June 15 to have breached California Water Service (Cal Water), one of the largest investor-owned water utilities in the United States. The group published what it claims is 5GB of data from Cal Water’s Chico District, including customer personal records, administrative credentials for a GPS correction platform, and network enumeration data spanning seven Cal Water districts. Cal Water has confirmed it is investigating the claims. No disruption to water service or operational technology systems has been observed.

What Was Taken

According to threat intelligence analysis by Dataminr, the exfiltrated data includes customer names, service addresses, phone numbers, account numbers, and payment histories. More operationally significant is the inclusion of administrative credentials for Cal Water’s RTKBase instance, a GNSS (Global Navigation Satellite System) correction platform used in field operations. Network enumeration data covering seven of Cal Water’s districts was also published, indicating the group conducted broader reconnaissance beyond the initial access point.

The likely attack chain: Handala gained entry through Cal Water’s internet-facing RTKBase instance before moving laterally to a billing database. RTKBase is open-source GNSS base station software that serves as a correction reference for field surveying and utility operations. If credentials remain active, the exposure extends beyond the data already published.

Context: Who Is Handala

Handala has operated since at least 2008 and is assessed with high confidence to be operating under MOIS direction. The group’s operations span data theft, hack-and-leak campaigns, wiper malware deployment, and psychological operations designed to amplify reputational damage beyond the intrinsic impact of the stolen data.

This is not a group that stops at exfiltration. Dataminr’s assessment notes Handala “has demonstrated willingness to escalate from data theft to destructive operations.” Previous campaigns have targeted Israeli infrastructure and US-linked entities. The group frames this operation as retaliation for US actions against Iranian water infrastructure, a framing consistent with its prior messaging patterns.

The US water sector has been a persistent target. CISA issued a joint advisory in late 2023 warning of Iranian cyber actors targeting water and wastewater systems; the Aliquippa municipal water authority attack that year, attributed to a related Iranian group (IRGC-affiliated CyberAv3ngers), involved direct tampering with programmable logic controllers. Handala’s current operation remains at the IT and data theft tier, but the sector history underscores that escalation is within scope.

What This Means for Water and Critical Infrastructure Operators

The immediate risk for Cal Water is credential exposure. If the RTKBase administrative credentials published by Handala remain active, the actor retains a confirmed access path. The billing database exposure creates downstream risk: social engineering using real account data, customer notification obligations, and regulatory scrutiny.

For the water sector broadly, this incident reinforces two structural gaps. First, internet-facing operational support systems (GNSS correction platforms, SCADA web interfaces, historian systems) continue to provide initial access vectors to actors with limited sophistication. Second, network segmentation between IT billing systems and OT environments is often assumed rather than verified; lateral movement from an RTKBase instance to a billing database in this incident should prompt operators to map equivalent adjacencies in their own environments.

The psychological operations dimension also matters. Handala claimed, in published statements, the ability to shut off water service. Cal Water has not confirmed any OT access, and independent analysis does not support that claim. But the assertion is designed to erode public confidence in utility security, and that effect does not require the claim to be true.

Immediate: Rotate all credentials associated with Cal Water RTKBase instances and any systems that shared authentication. Verify RTKBase internet exposure and consider taking the instance offline pending review.

Short-term: Audit network segmentation between GNSS/field operations platforms and billing or IT systems. Confirm no persistent access mechanisms remain in enumerated segments. Notify affected customers per applicable California data breach notification law (breach notification required within 72 hours for personal data).

Sector-wide: Water and wastewater operators should review their inventory of internet-facing operational support systems. CISA’s Water Sector Cybersecurity Performance Goals remain the baseline reference. Consider threat intelligence sharing via WaterISAC for additional Handala indicators.