Iran-Linked Hacking Group Handala Claims Breach of California Water Service, Leaks 5GB of Data
The Iran-affiliated threat actor Handala has claimed responsibility for a cyberattack on California Water Service (Cal Water), one of the largest investor-owned water utilities in the U.S., serving roughly two million customers across 100 communities in California. The group published 5GB of stolen data, alleging retaliation for recent U.S. actions in Iran and asserting it had the capability to disrupt water access but opted against doing so.
According to Dataminr, the attack likely began with the compromise of Cal Water’s RTKBase instance, a GNSS base station platform, which served as an initial access vector or lateral pivot point to the utility’s billing system. The Chico District was confirmed as the target, with leaked data including a customer billing database and internal RTKBase application details. The RTKBase instance had been operational for 783 continuous hours at the time of access, with GPS correction data streamed across seven district mountpoints.
The exposed data contains personally identifiable information (PII), such as names, addresses, phone numbers, account numbers, and payment histories, along with administrative credentials for the RTKBase platform and NTRIP source passwords. While no operational technology (OT) or industrial control system (ICS) disruption has been confirmed, Handala’s toolkit includes custom wipers (win.handala, Handala Wiper, Hamsa Wiper) and MBR-overwriting capabilities, indicating potential for destructive follow-on attacks.
Handala, linked by the U.S. to Iran’s Ministry of Intelligence and Security (MOIS), has been active since at least 2008 and is also tracked under aliases including Banished Kitten, Void Manticore, and Red Sandstorm. The group is known for data exfiltration, wiper malware deployment, and psychological operations, often escalating from theft to destructive attacks within the same campaign. Previous incidents include the Stryker attack and a recent cyberattack on LA Metro.
Cal Water has not publicly acknowledged the breach, and security experts recommend treating the incident as a potential precursor to further destructive activity. All exposed credentials should be considered compromised, and affected systems require immediate auditing and remediation.
Source: https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/
California Water Service Group cybersecurity rating report: https://www.rankiteo.com/company/calwatergroup
"id": "CAL1781303207",
"linkid": "calwatergroup",
"type": "Breach",
"date": "6/2026",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '2 million',
'industry': 'Water Utility',
'location': 'California, USA',
'name': 'California Water Service (Cal Water)',
'size': 'Serves roughly 2 million customers across 100 '
'communities',
'type': 'Investor-owned water utility'}],
'attack_vector': 'Compromise of RTKBase instance (GNSS base station platform)',
'data_breach': {'data_exfiltration': 'Yes (5GB of data published)',
'personally_identifiable_information': 'Names, addresses, '
'phone numbers, '
'account numbers, '
'payment histories',
'sensitivity_of_data': 'High (PII, financial data, '
'credentials)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Administrative credentials',
'Payment histories',
'NTRIP source passwords']},
'description': 'The Iran-affiliated threat actor Handala has claimed '
'responsibility for a cyberattack on California Water Service '
'(Cal Water), one of the largest investor-owned water '
'utilities in the U.S. The group published 5GB of stolen data, '
'alleging retaliation for recent U.S. actions in Iran and '
'asserting it had the capability to disrupt water access but '
'opted against doing so. The attack likely began with the '
'compromise of Cal Water’s RTKBase instance, a GNSS base '
'station platform, which served as an initial access vector or '
'lateral pivot point to the utility’s billing system. The '
'exposed data contains personally identifiable information '
'(PII), administrative credentials, and payment histories.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'data breach',
'data_compromised': '5GB of data including customer billing '
'database, PII, administrative credentials, '
'NTRIP source passwords',
'identity_theft_risk': 'High (PII exposed)',
'legal_liabilities': 'Potential legal liabilities due to PII '
'exposure',
'operational_impact': 'Potential disruption capability (not '
'executed)',
'payment_information_risk': 'High (payment histories exposed)',
'systems_affected': 'RTKBase instance, billing system'},
'initial_access_broker': {'entry_point': 'RTKBase instance',
'high_value_targets': 'Billing system'},
'motivation': 'Retaliation for recent U.S. actions in Iran, Psychological '
'Operations, Data Exfiltration',
'post_incident_analysis': {'corrective_actions': 'Immediate auditing and '
'remediation of affected '
'systems, credential '
'rotation, enhanced '
'monitoring',
'root_causes': 'Compromise of RTKBase instance '
'(potential misconfiguration or '
'vulnerability)'},
'ransomware': {'data_exfiltration': 'Yes'},
'recommendations': 'Treat the incident as a potential precursor to further '
'destructive activity. Exposed credentials should be '
'considered compromised, and affected systems require '
'immediate auditing and remediation.',
'references': [{'source': 'Dataminr'}],
'response': {'communication_strategy': 'No public acknowledgment from Cal '
'Water',
'enhanced_monitoring': 'Recommended for affected systems'},
'threat_actor': 'Handala (Banished Kitten, Void Manticore, Red Sandstorm)',
'title': 'Iran-Linked Hacking Group Handala Claims Breach of California Water '
'Service, Leaks 5GB of Data',
'type': 'Data Breach, Cyber Espionage, Potential Destructive Attack'}