Iranian Cyber Group Handala Claims Cal Water Hack, Leaks 5 GB of Customer Data
Iran-linked threat actor Handala claimed to have hacked California Water Service, leaking 5 GB of data including customer PII and administrative credentials.

The Iran-linked threat actor Handala this week claimed responsibility for hacking California Water Service (Cal Water), one of the largest investor-owned water utilities in the US, and published 5 gigabytes of stolen data on its blog. The group said the intrusion was retaliation for recent US actions in Iran and claimed it had the ability to disrupt water access but chose not to. The leak includes customer personally identifiable information (PII) such as names, addresses, phone numbers, account numbers, and payment histories, as well as administrative credentials for Cal Water's RTKBase GNSS base station platform.
According to threat intelligence firm Dataminr, Handala likely gained initial access by exploiting Cal Water's RTKBase instance, a GNSS base station platform that had been operational for approximately 783 continuous hours at the time of access. The attackers then moved laterally to a billing system, which Dataminr assessed as a probable lateral pivot point. The exposed data includes a bulk database export from the billing system and internal RTKBase application data, along with a mountpoint-level NTRIP source password and IP addresses associated with Cal Water's NTRIP network across seven districts.
Cal Water serves roughly two million customers across 100 communities in California. Dataminr confirmed that the Chico District was the victim of the attack. The utility has not yet publicly acknowledged the intrusion, and SecurityWeek has reached out for comment. The breach raises significant concerns because Handala has a history of deploying wiper malware and escalating from data theft to destructive operations within the same campaign cycle.
Handala, linked by the US to Iran's Ministry of Intelligence and Security (MOIS), has been active since at least 2008 and is also tracked as Handala Hack, Banished Kitten, Dune, Hanzalah Hacking Group, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore. The group is known for engaging in a broad range of activities, from hacktivism to destructive attacks, with a primary focus on data exfiltration, the deployment of wiper malware, and psychological operations.
Dataminr warned that Handala's operational pattern frequently involves an initial claim followed by escalated action, and that security teams should treat the current disclosure as a possible precursor to a destructive follow-on. The group's toolkit includes custom wipers (win.handala, Handala Wiper, Hamsa Wiper) and MBR-overwriting capabilities, as demonstrated in the Stryker incident. While OT/ICS disruption has not been confirmed in this incident, the threat is credible.
All credentials exposed in the dump should be considered compromised and immediately rotated. Dataminr recommends taking the RTKBase instance offline and auditing it, as well as reviewing network segmentation and access logs to the billing system. The incident underscores the growing threat to critical infrastructure from state-linked hacktivist groups that combine data theft with the potential for destructive attacks.
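The segmentation and access-log review recommended above can be turned into a repeatable check. The following is an added example, not code from Cal Water, Dataminr or this article: it parses billing-system access logs, classifies each source address against the segments that are expected to reach the billing system, and reports every host outside those segments, flagging successful bulk exports. The log format, the subnet values (a billing VLAN, a GNSS base-station network), the usernames and all log lines are constructed for illustration and are not Cal Water's real network or logs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log for a hypothetical billing application.
# Assumed format (not Cal Water's real logging):
#   <timestamp> src=<ip> user=<name> action=<verb> result=<ok|fail>
SAMPLE_LOG = """\
2025-07-01T02:14:09Z src=10.10.4.21 user=billing_ops action=login result=ok
2025-07-01T02:15:30Z src=10.10.4.21 user=billing_ops action=query result=ok
2025-07-01T02:40:02Z src=10.50.0.12 user=admin action=login result=fail
2025-07-01T02:40:15Z src=10.50.0.12 user=admin action=login result=ok
2025-07-01T02:41:44Z src=10.50.0.12 user=admin action=export result=ok
2025-07-01T03:05:10Z src=10.10.4.33 user=csr_jdoe action=query result=ok
2025-07-01T03:07:59Z src=203.0.113.77 user=svc_report action=login result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Assumed segments: only the billing VLAN should reach the billing system.
ALLOWED_NETS = [ipaddress.ip_network("10.10.4.0/24")]
# Assumed label for a segment that should never reach billing, e.g. the
# network hosting the GNSS base station (RTKBase / NTRIP caster).
LABELS = {ipaddress.ip_network("10.50.0.0/24"): "gnss-base-station"}


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_source(ip_str, allowed_nets, labels):
    """Return 'allowed', a configured segment label, or 'unlabelled'."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in allowed_nets):
        return "allowed"
    for net, label in labels.items():
        if ip in net:
            return label
    return "unlabelled"


def find_segmentation_violations(events, allowed_nets=ALLOWED_NETS, labels=LABELS):
    """Group billing-system access by source host and report every host
    outside the allowed segments, with the users and actions it performed."""
    by_src = {}
    for ev in events:
        segment = classify_source(ev["src"], allowed_nets, labels)
        if segment == "allowed":
            continue
        rec = by_src.setdefault(ev["src"], {
            "src": ev["src"],
            "segment": segment,
            "first_seen": ev["ts"],
            "users": set(),
            "actions": Counter(),
            "bulk_export": False,
        })
        rec["users"].add(ev["user"])
        rec["actions"][(ev["action"], ev["result"])] += 1
        # A successful export from a non-billing segment is the pattern that
        # would precede a bulk database dump; surface it explicitly.
        if ev["action"] == "export" and ev["result"] == "ok":
            rec["bulk_export"] = True
    return sorted(by_src.values(), key=lambda r: r["src"])


def format_report(violations):
    """Render the findings as plain text for a ticket or daily review."""
    lines = []
    for v in violations:
        actions = ", ".join(f"{a}/{r}x{n}" for (a, r), n in sorted(v["actions"].items()))
        flag = " BULK-EXPORT" if v["bulk_export"] else ""
        lines.append(f"{v['src']} [{v['segment']}] first_seen={v['first_seen']} "
                     f"users={sorted(v['users'])} actions={actions}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_segmentation_violations(parse_log(SAMPLE_LOG))))
```

Run against the constructed sample, the report lists the base-station host (failed then successful admin login followed by an export) and one unlabelled address, while the billing VLAN hosts are silent. In practice the allowed and labelled subnets come from the network inventory, and any source that shows up as unlabelled is itself a segmentation finding to chase down.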