Iran-Linked Handala Breached a California Water Utility. It Could Have Done Worse, and It Knows That.

https://securityaffairs.com/193565/uncategorized/iran-linked-handala-breached-a-california-water-utility-it-could-have-done-worse-and-it-knows-that.html

Publish Date: 2026-06-12 18:28:00

Source Domain: securityaffairs.com

Pierluigi Paganini
June 12, 2026

Pro-Iran group Handala breached Cal Water via an exposed GPS tool, reaching billing data for 2M customers. 5GB leaked.

On June 11, 2026, the Iran-linked threat group Handala posted a claim on its blog that it had compromised California Water Service, known as Cal Water, and published a 5GB proof-of-concept data dump to back it up.

California Water Service is one of the largest investor-owned water utilities in the United States. It is a subsidiary of California Water Service Group and provides drinking water and wastewater services to residential, commercial, and industrial customers. The company serves hundreds of thousands of customer connections across numerous communities in California, as well as smaller operations in other states through affiliated utilities.

The group said the intrusion was retaliation for recent US actions in Iran, and claimed it had the ability to disrupt water access but chose not to. For now.

Cybersecurity firm Dataminr’s analysis of the published dump identified two separate systems that Handala reached. The first is a customer billing database containing names, service addresses, phone numbers, account numbers, and payment histories across multiple Cal Water districts. The second is an internal RTKBase deployment, an open-source GNSS base station platform used by field crews to receive centimeter-accurate GPS corrections when mapping and maintaining water infrastructure.

“Dataminr analysis of the published PoC indicates Handala accessed two separate Cal Water systems: a customer billing database containing PII for accounts across multiple districts, and an internal RTKBase NTRIP caster network used for precision GPS operations across field crews,” reads Dataminr’s report. “The RTKBase instance had been…
