Iranian Cyber Group Handala Claims Cal Water Hack

The Iran-linked cyber group Handala claimed responsibility for hacking California Water Service (Cal Water), leaking 5GB of data including customer billing records and internal credentials. Threat intelligence firm Dataminr confirmed likely access to Cal Water’s RTKBase platform and billing system, warning of potential escalation to destructive attacks.
The Iran-linked cyber group Handala announced a breach of California Water Service (Cal Water), one of the largest U.S. water utilities, leaking 5 gigabytes of data. The group claimed the attack was retaliation for U.S. actions in Iran and stated that it could have disrupted water access but chose not to.

Dataminr, a threat intelligence company, reported that Handala likely exploited Cal Water's RTKBase GNSS platform before moving to the billing system, targeting the Chico District. The leaked data includes personally identifiable information (PII) such as names, addresses, phone numbers, account details, and payment histories. Administrative credentials for RTKBase and NTRIP network passwords were also exposed, raising concerns that the affected systems remain compromised.

Dataminr noted that Handala's toolkit includes wiper malware, such as *win.handala* and *Handala Wiper*, previously used in destructive attacks like the Stryker incident. Cal Water serves roughly two million customers across 100 California communities but has not publicly confirmed the breach.

Dataminr advised immediate credential rotation, offline RTKBase audits, and network segmentation reviews to prevent further damage. The firm warned that Handala's claims could precede destructive follow-up actions, citing the group's history of escalation.

Handala, linked to Iran's Ministry of Intelligence and Security (MOIS), has operated since at least 2008 under aliases including Banished Kitten and Storm-0842. Known for hacktivism, data theft, and wiper malware deployment, the group has targeted U.S. infrastructure, including recent attacks on Los Angeles Metro. Security experts urge heightened vigilance for potential destructive operations following this disclosure.
This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.