Iran-Linked Handala Hackers Claim Breach of California Water Utility

The Iran-nexus group Handala claims to have hacked California Water Service, publishing 5 gigabytes of customer billing data and GPS credentials. Cal Water says it is investigating but has found no operational disruptions so far.

A named breach at the nation's largest western water utility

California Water Service (Cal Water), one of the largest investor-owned water utilities in the United States with roughly two million customers across California, confirmed on June 15, 2026, that it is investigating claims by the Iran-linked hacker group Handala of a cyberattack on its systems [cybersecuritydive]. The group posted screenshots of what it said were customer billing records, internal administrative credentials, and GPS correction data, and published a 5-gigabyte proof-of-concept data dump [rescana]. Handala framed the intrusion as retaliation for recent U.S. military operations in Sirik, Iran, and stated via Iran's state broadcaster that it could disrupt water services but had refrained as a "warning" to Washington [securityweek].

How investigators say the attackers got in

Threat intelligence firm Dataminr assessed that Handala likely gained initial access through Cal Water's internal RTKBase deployment, an open-source GPS correction platform used by field crews to achieve centimeter-accurate positioning when maintaining water infrastructure [rescana]. The RTKBase instance had been running for approximately 783 continuous hours at the time of access, with GPS data streamed across all seven identified district mountpoints [rescana]. Researchers believe the attackers then pivoted laterally from that GPS system into the customer billing environment, a finding that Check Point Research said would indicate hackers reached information technology systems rather than the operational technology systems that control water distribution [cybersecuritydive]. The data dump appears to contain names, service addresses, phone numbers, account numbers, and payment histories for customers, along with plaintext administrative credentials for the RTKBase platform [rescana].

Cal Water disputes a billing breach; federal probes under way

Cal Water spokesperson Yvonne Kingman said on June 16 that preliminary findings show no known operational disruptions to water and wastewater systems, including the billing platform [securityweek]. The company said it is working around the clock with forensic investigators and in close collaboration with state and federal law enforcement [cybersecuritydive]. Security analysts cautioned that all credentials contained in the leaked data should be treated as fully compromised and immediately rotated, and that the RTKBase instances should be taken offline pending a full audit [industrialcyber].

A pattern of escalation raises concern beyond this incident

The Cal Water claim fits a documented escalation by Handala since U.S.-Iran military engagement intensified in early 2026. The group, also tracked by Microsoft as Storm-0842 and by Check Point as Void Manticore, is linked by U.S. officials to Iran's Ministry of Intelligence and Security and has been operationally active since at least December 2023 [industrialcyber]. It claimed responsibility for the March 2026 cyberattack on medical device maker Stryker, and federal prosecutors have seized domains Handala used to publicize attacks [cybersecuritydive]. CISA and the FBI issued a joint advisory in April 2026 warning of Iranian-linked hackers escalating attacks against U.S. water and energy infrastructure [techcrunch]. Dataminr analysts noted that Handala's toolkit includes custom wiper malware and master boot record-overwriting capabilities, and that the group has a documented pattern of escalating from data theft to destructive operations within a single campaign cycle [rescana].