Handala breaches Cal Water: the Iran-US-Israel cyber war
Handala, a group linked to Iranian intelligence, breached California Water Service (Cal Water) and leaked 5 GB of customer billing and administrative data on June 11, 2026. According to Dataminr, the attackers used a GPS correction system to enter the network, though Cal Water reports no disruption to water supplies.
How did Handala breach Cal Water?
The attackers gained administrative access through an RTKBase instance, an open-source NTRIP caster used for centimeter-level GPS corrections during network maintenance. According to Dataminr, the system was exposed on HTTP port 10000 and had been operational for approximately 783 continuous hours.
This entry point likely allowed the group to move laterally into the billing environment. The resulting 5 GB data dump contains customer billing information, personal data, and administrative credentials. The Chico district is confirmed among the compromised accounts, with leaked data including names, service addresses, phone numbers, account numbers, and payment histories.
Why was a water utility targeted?
Analysts link the breach to the broader military escalation between the U.S. and Iran following an engagement on February 28, 2026. Handala is identified with high confidence as a front for the MOIS, also tracked as Void Manticore by Check Point Research, Storm-0842 by Microsoft, and Banished Kitten by CrowdStrike.
The group focuses on life-sustaining systems to maximize psychological and social impact. Rather than seeking ransom, Handala provided screenshots of internal dashboards and billing data to the Iranian state media outlet Press TV. This identifies the operation as a “hack-and-leak” influence campaign intended to pressure Washington.
What are the security implications for other utilities?
While Cal Water confirmed on June 16 that an investigation is underway, authorities state there is no evidence of compromised water supplies or SCADA system interference. However, Handala possesses destructive tools, including the win.handala, Handala Wiper, and Hamsa Wiper, and previously attacked Stryker in March 2026 via Microsoft Intune.
The breach exposes vulnerabilities in overlooked support tools, such as GNSS casters often installed on lightweight hardware like Raspberry Pi with weak authentication. Dataminr recommends that utilities audit credentials, ensure RTKBase interfaces are not internet-reachable, and notify CISA and WaterISAC if indicators of compromise appear.
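One way to act on the "not internet-reachable" recommendation is to check, on the host running the caster, which sockets are bound to non-loopback addresses. The script below is an added example (not code from the article, from Dataminr or from the RTKBase project): it parses `ss -Hltn`-style listener lines and flags the RTKBase web port reported in the article (10000) and the default NTRIP caster port (TCP 2101) when they are bound to anything other than a loopback address. The sample output, host addresses and port-to-service labels are constructed for illustration.

```python
"""Flag RTKBase/NTRIP listeners that are reachable from off the host.

Added example, not from the article or the projects it names. Parses
lines in the format of `ss -Hltn` (constructed sample below) and reports
watched ports bound to a non-loopback address, i.e. potentially
internet-reachable if the host sits behind no further filtering.
"""
import ipaddress
import re

# 10000 is the HTTP port the article reports as exposed; 2101 is the
# default NTRIP caster port. Adjust for a local deployment (assumption).
WATCHED_PORTS = {10000: "RTKBase web interface", 2101: "NTRIP caster"}

# Constructed sample of `ss -Hltn` output: State Recv-Q Send-Q Local Peer.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:10000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2101 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 192.0.2.10:2101 0.0.0.0:*
LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
"""

# Matches "addr:port" where addr is a bracketed IPv6 literal, an IPv4
# literal, or "*" (older ss versions print "*:port" for wildcard binds).
_LOCAL_RE = re.compile(r"^(?P<addr>\[.*?\]|[^:\s]+):(?P<port>\d+)$")


def parse_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    m = _LOCAL_RE.match(field)
    if not m:
        return None
    addr = m.group("addr").strip("[]")
    return addr, int(m.group("port"))


def is_externally_bound(addr):
    """True when a bind address can be reached from another host.

    Loopback (127.0.0.0/8, ::1) is the only form treated as safe; wildcard
    ("*", 0.0.0.0, ::) and specific interface addresses are both exposed.
    """
    if addr == "*":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unrecognised form: assume exposed rather than silent
    return not ip.is_loopback


def find_exposed_listeners(ss_output, watched=WATCHED_PORTS):
    """Return [(port, addr, label)] for watched ports bound off-loopback."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        parsed = parse_local(parts[3])
        if parsed is None:
            continue
        addr, port = parsed
        if port in watched and is_externally_bound(addr):
            findings.append((port, addr, watched[port]))
    return findings


if __name__ == "__main__":
    # On a real host replace SAMPLE_SS_OUTPUT with the output of: ss -Hltn
    for port, addr, label in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {label} on {addr}:{port}")
```

On the constructed sample this reports the web interface on 0.0.0.0:10000 and a caster bound to a routable interface address, while the caster on 127.0.0.1:2101 passes. A bind to loopback is only one layer; the same check belongs alongside a review of the upstream firewall rules and of the credentials on the interface itself.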
Cal Water now faces notification obligations under California Civil Code section 1798.82. Experts warn that customers whose data was exfiltrated may face an increased risk of spear-phishing attacks.
Frequently Asked Questions
Was the actual water supply interrupted?
No. Cal Water and authorities report no evidence of compromise to the water supply or interruptions in service.
What specific data was leaked in the dump?
The 5 GB dump includes customer billing information, personal data, and administrative credentials associated with a GPS correction network.
Who is the group Handala?
Handala is a front affiliated with the MOIS (Iranian intelligence), also known as Void Manticore, Storm-0842, and Banished Kitten.
Do you think the shift toward targeting “life-sustaining” infrastructure marks a new phase in geopolitical cyber conflicts?