Critical Infrastructure Security

Iran-linked group Handala claims to steal Cal Water customer info


Iran-linked Handala claimed it compromised the California Water Service (Cal Water), publishing a 5-gigabyte proof-of-concept data dump that Dataminr analysis identified as containing customer billing personally identifiable information (PII) and administrative credentials for an internal GPS correction network that spans at least seven Cal Water service districts.

According to Dataminr, the GPS network was viewed as a “probable” initial access vector or lateral pivot point that let Handala reach Cal Water’s billing system and allegedly steal information.

However, it's important to note there was no significant service disruption to the water supply in California.

Dataminr first issued an alert on Handala’s claim on June 11. The research group said the seven water districts affected included ones in Bakersfield, Chico, Salinas, Stockton, Visalia and San Mateo.

This incident follows Handala’s most significant operation to date, the March 2026 wiper attack on medical instrument maker Stryker.

It was also in line with warnings from the federal government since April that in retaliation for U.S. airstrikes, Iran intends to target critical infrastructure in the United States, including water supplies.

As part of its psychological warfare, Handala claimed that it was capable of disrupting U.S. water supplies, but opted not to go that route. Here’s an excerpt from Handala’s statement claiming it breached Cal Water:

“California’s water facilities have been hacked by Handala’s cyber team. Yet we are the children of a Leader who said: 'One like me does not pledge allegiance to one like Yazid (the ultimate oppressor).' We could have easily cut off the water to American cities just as your foolish president did, but our path and our school are different from that of the Yazidis. GOV of America, this is not 2010 when you could attack with Stuxnet and suffer no consequences. Today, every assault will be met within hours by a far more devastating blow to your own infrastructure; this is your warning.”

Experts say we’ve been duly warned

Security pros considered this a warning shot, but underscored that to date no operational technology (OT) systems have been impacted.

“Nothing in the published evidence supports Handala's claim that it can shut off water in U.S. cities,” said Sean Malone, chief information security officer at BeyondTrust. “Dataminr assesses that the group reached a GPS correction server and a customer billing database. Neither system controls water treatment or distribution, and Dataminr states that OT or industrial control system (ICS) disruption is not confirmed in this incident.”

Malone said as his team noted in its early March Epic Fury threat advisory, Handala has a record of overstating its capabilities. Malone said the boast about choosing to spare the water supply reads as the psychological operation itself.

The Epic Fury advisory from BeyondTrust laid out the response playbook for critical infrastructure operators: validate patching on internet-facing systems, enforce phishing-resistant MFA on privileged accounts, restrict internet exposure of administrative interfaces, and monitor for anomalous outbound transfers.
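The last item in that playbook, monitoring for anomalous outbound transfers, is the one most directly relevant to a multi-gigabyte data dump. The following is an added illustration, not code from the article, BeyondTrust or Cal Water: it builds a per-host daily egress baseline from constructed flow records and flags any day whose outbound volume sits far outside that host's normal range. The host names, the sample volumes, the robustness factor `k` and the 1 GB absolute floor are all assumptions chosen for the illustration.

```python
"""Flag anomalous outbound data transfers per host (added example).

Builds a robust per-host baseline (median and median absolute deviation)
of daily egress bytes and reports days that exceed median + k * MAD and an
absolute floor. The flow records below are constructed for the example.
"""
from collections import defaultdict
from statistics import median

MB = 1_000_000

# Constructed sample flow summaries: (day, source host, destination, bytes out).
# These are not real Cal Water or Dataminr data.
SAMPLE_FLOWS = [
    ("2026-06-01", "billing-db-01", "203.0.113.10", 100 * MB),
    ("2026-06-02", "billing-db-01", "203.0.113.10", 110 * MB),
    ("2026-06-03", "billing-db-01", "203.0.113.10", 120 * MB),
    ("2026-06-04", "billing-db-01", "203.0.113.10", 105 * MB),
    ("2026-06-05", "billing-db-01", "203.0.113.10", 115 * MB),
    ("2026-06-06", "billing-db-01", "203.0.113.10", 130 * MB),
    ("2026-06-07", "billing-db-01", "198.51.100.7", 5_200 * MB),  # 5.2 GB in one day
    ("2026-06-01", "gps-rtk-01", "203.0.113.20", 20 * MB),
    ("2026-06-02", "gps-rtk-01", "203.0.113.20", 22 * MB),
    ("2026-06-03", "gps-rtk-01", "203.0.113.20", 21 * MB),
    ("2026-06-04", "gps-rtk-01", "203.0.113.20", 23 * MB),
    ("2026-06-05", "gps-rtk-01", "203.0.113.20", 20 * MB),
    ("2026-06-06", "gps-rtk-01", "203.0.113.20", 22 * MB),
    ("2026-06-07", "gps-rtk-01", "203.0.113.20", 21 * MB),
]


def daily_egress(flows):
    """Sum outbound bytes per (host, day), ignoring destination."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return dict(totals)


def baseline(totals, host):
    """Median and MAD of one host's daily egress.

    The median/MAD pair is used instead of mean/stddev so that a single
    huge day does not inflate the baseline it is being compared against.
    A MAD of zero (perfectly constant traffic) is replaced by 1 byte so the
    threshold remains finite; the absolute floor then does the real work.
    """
    vals = [v for (h, _d), v in totals.items() if h == host]
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1
    return med, mad


def find_anomalies(flows, k=6.0, floor_bytes=1_000 * MB):
    """Return [(host, day, bytes)] for days exceeding the robust threshold.

    k and floor_bytes are assumed tuning values: k scales the MAD-based
    threshold, floor_bytes stops low-traffic hosts from alerting on noise.
    """
    totals = daily_egress(flows)
    anomalies = []
    for host in sorted({h for (h, _d) in totals}):
        med, mad = baseline(totals, host)
        threshold = max(med + k * mad, floor_bytes)
        for (h, day), v in sorted(totals.items()):
            if h == host and v > threshold:
                anomalies.append((host, day, v))
    return anomalies


if __name__ == "__main__":
    for host, day, nbytes in find_anomalies(SAMPLE_FLOWS):
        print(f"ANOMALY {host} {day}: {nbytes / MB:,.0f} MB outbound")
```

Run against the constructed records, only `billing-db-01` on 2026-06-07 is reported; the GPS host's steady 20-23 MB per day never crosses its threshold. In production the baseline would come from prior days rather than the same window, and the destination field would be checked against known-good endpoints, but the core check is the same.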

“Our advisory described Iran's cyber proxy ecosystem as operating at ‘wartime tempo,’” said Malone. “More than three months in, this incident shows the tempo holding.”

John Gallagher, vice president at Viakoo, underscored that Handala did not disrupt or cut off the water supply to any U.S. cities. Gallagher said the threat actor explicitly claimed on their blog that while they allegedly possessed the ability to disrupt water access, they chose not to.

Gallagher pointed out that the threat intelligence indicates that the breach was contained to an internal global navigation satellite system (GNSS) platform called RTKBase and a customer billing database: actual OT or ICS disruption has not been confirmed.

“This should be treated as a warning shot — and a highly dangerous one,” said Gallagher. “While Handala framed the lack of disruption as a conscious choice, their past behavior proves they are highly volatile. Intelligence reports note that Handala’s standard toolkit includes custom data wipers and Master Boot Record overwriting capabilities. The group has a documented history of rapidly escalating from data theft to full-scale destructive operations within the exact same campaign cycle. Handala used this incident to exfiltrate 5 GB of data, including customer names, addresses, and payment histories, and harvest administrative credentials, mapping out infrastructure that could be weaponized later.”

Agnidipta Sarkar, chief evangelist at ColorTokens, added that Handala's operations are designed to generate fear, uncertainty, and media attention. Sarkar said if we analyze Handala's recent attacks and set political rhetoric aside, they seem to have a flair for operational disruption, data destruction, and publicly publishing the results.

Sarkar said that, from what we know so far, Handala likely possesses the capability to compromise poorly secured water-sector environments, but he sees no indication that the group has acquired the capability to disrupt SCADA systems, PLCs, pump controls, treatment systems, or other OT systems, even though it might have access to IT.

“Considering that Iranian-affiliated actors have successfully targeted OT systems in the water sector, they could acquire this capability,” said Sarkar. “In my view, the claim should be treated as a credible warning of intent and potential capability, but not as proof that the group can currently shut off water supplies across American cities.”

Adrian Culley, offensive security engineer at SafeBreach, said the Handala group’s alleged compromise of California water systems represents a critical inflection point for U.S. critical infrastructure defense. Culley noted that this isn’t a theoretical risk: it's an active, state-sponsored threat demonstrating that our water utilities remain fundamentally exposed to sophisticated adversaries.

“The claimed breach, reportedly conducted as retaliation for U.S. airstrikes on Iranian water infrastructure, exposes a dangerous gap in existing security postures,” said Culley. “Screenshots allegedly showing operational dashboards, billing records, and GPS monitoring systems suggest attackers achieved deep access to mission-critical systems. Water utilities cannot afford reactive security, they need continuous adversarial exposure validation — the ability to simulate real-world attack paths before adversaries exploit them.” 
