• Handala breached CA Water

    From Mike Powell@1:2320/107 to All on Fri Jun 19 08:32:29 2026
    100 days after the Iran war started Tehran-backed group breaches California Water Service but claims they 'chose not to disrupt water access'

    Date:
    Fri, 19 Jun 2026 00:05:00 +0000

    Iranian-linked group Handala breached California Water Service, leaking 5GB of customer data and exposing critical GPS infrastructure across seven districts.

    Tehran-linked threat group Handala has claimed it successfully breached California Water Service and released a 5GB data dump as proof.

    Cal Water is one of the largest investor-owned water utilities in the United States, serving millions of residential and commercial customers across California. Handala described the breach as direct retaliation for recent US military actions in Iran, claiming it could disrupt water access but deliberately chose not to for now.

    Cybersecurity firm Dataminr analyzed the published data and identified two separate systems that Handala accessed during the breach.

    The first was a customer billing database containing names, addresses, phone numbers, account numbers, and payment histories across multiple Cal Water districts.

    The second was an internal RTKBase deployment, an open-source GPS base station platform used by field crews maintaining water infrastructure across California.

    The RTKBase instance had been running continuously for approximately 783 hours at the time of access, with GPS correction data streaming across seven identified Cal Water districts.

    Those districts included Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment spread across California.

    The researchers believe the GPS platform was not the end goal; it was the entry point into deeper infrastructure.

    The RTKBase web interface was reachable over unencrypted HTTP on port 10000 at multiple district locations, making it straightforward for outside actors to locate and access.

    It was deployed on lightweight hardware that offered minimal resistance against unauthorized entry from the internet.

    Administrative credentials for the platform appeared in the published dump in plaintext, giving anyone who downloaded it immediate access to the entire system.

    Full network infrastructure details for all seven districts were equally exposed, leaving Cal Water's security team with virtually nothing intact to protect.

    A pattern that should concern every water utility

    Handala's history makes the "chose not to disrupt" framing worth treating with considerable skepticism from any serious security perspective.

    The group deployed a destructive wiper against Stryker in March 2026 that disrupted manufacturing and shipping, following the same data-theft-first pattern documented in this breach.

    "Handala's operational pattern frequently involves an initial claim followed by escalated action," Dataminr's report concluded.

    "Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly."

    The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory this year warning of Iranian groups targeting US water sector technologies.

    This breach is an indication that Iranian cyber threats to US water infrastructure are no longer theoretical.

    Cal Water has not publicly acknowledged the breach, but affected customers now face elevated phishing risks given that their names, addresses, phone numbers, and account details are publicly available.

    Via Security Affairs

    Link to news story: https://www.techradar.com/pro/security/100-days-after-the-iran-war-started-tehran-backed-group-just-breached-california-water-service-but-claims-they-chose-not-to-disrupt-water-access

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/107)
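The exposure the article describes, a field-device web UI (RTKBase on port 10000) reachable over plain HTTP from the internet, is the kind of thing a utility security team can check for itself before a dump appears. The following is an added example, not code from the article, from Dataminr, or from the RTKBase project. It runs two audits over constructed sample data: firewall accept logs are scanned for connections to watched ports from addresses outside the utility's own ranges, and an `ss -ltn`-style socket listing is scanned for watched ports bound to the wildcard address instead of a loopback or VPN address. Assumptions: the key=value log format and the `ss` output are constructed for illustration; the RFC 1918 ranges stand in for the utility's internal address space; port 2101 (the conventional NTRIP caster port for RTK correction streams) is included as an assumption, since the article mentions only port 10000.

```python
"""Audit helpers for an internet-exposed field-device web UI.

Check 1: firewall accept logs, watched ports reached from non-internal sources.
Check 2: `ss -ltn` listings, watched ports listening on all interfaces.
All sample data in this file is constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# 10000 is the RTKBase web UI port reported in the article.
# 2101 is the conventional NTRIP caster port; including it is an assumption.
WATCHED_PORTS = {10000: "rtkbase-web", 2101: "ntrip-caster"}

# Assumed internal address space (RFC 1918). An explicit allowlist is used
# instead of ipaddress.is_global, which also treats the documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) in the sample log as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in a generic key=value syslog style.
SAMPLE_FW_LOG = """\
2026-06-12T03:14:07Z fw01 action=accept src=198.51.100.23 dst=10.40.7.12 dport=10000 proto=tcp
2026-06-12T03:14:09Z fw01 action=accept src=10.40.7.50 dst=10.40.7.12 dport=10000 proto=tcp
2026-06-12T03:15:44Z fw01 action=accept src=203.0.113.9 dst=10.40.7.12 dport=2101 proto=tcp
2026-06-12T03:16:02Z fw01 action=drop src=203.0.113.9 dst=10.40.7.12 dport=22 proto=tcp
2026-06-12T03:17:30Z fw01 action=accept src=198.51.100.23 dst=10.40.9.31 dport=10000 proto=tcp
2026-06-12T03:18:00Z fw01 action=accept src=172.16.3.4 dst=10.40.9.31 dport=443 proto=tcp
"""

LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def is_internal(ip: str) -> bool:
    """True if ip falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_hits(log_text: str) -> list:
    """Accepted connections to watched ports whose source is not internal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a line we can classify
        port = int(m["dport"])
        if m["action"] != "accept" or port not in WATCHED_PORTS:
            continue
        if is_internal(m["src"]):
            continue
        hits.append({"src": m["src"], "dst": m["dst"],
                     "port": port, "service": WATCHED_PORTS[port]})
    return hits


def sources_by_count(hits) -> Counter:
    """Rank external sources by number of accepted connections."""
    return Counter(h["src"] for h in hits)


# Constructed `ss -ltn` output (columns: State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
LISTEN 0      128    [::]:2101          [::]:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    10.40.7.12:22      0.0.0.0:*
"""

WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


def wildcard_bound(ss_text: str) -> list:
    """Watched ports bound to every interface, i.e. reachable wherever the host is."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header and anything not in LISTEN state
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        if port in WATCHED_PORTS and addr in WILDCARD_ADDRS:
            findings.append((port, WATCHED_PORTS[port]))
    return findings


if __name__ == "__main__":
    hits = external_hits(SAMPLE_FW_LOG)
    for h in hits:
        print(f"EXTERNAL {h['src']} -> {h['dst']}:{h['port']} ({h['service']})")
    print("top sources:", sources_by_count(hits).most_common(3))
    for port, svc in wildcard_bound(SAMPLE_SS):
        print(f"WILDCARD BIND {svc} on port {port}")
```

Either finding is the signal to act on before an adversary does: bind the web UI and correction stream to a VPN or management address only, front them with a TLS-terminating proxy that requires authentication, and, given that the dump carried the platform's admin credentials in plaintext, treat those credentials as burned and rotate them.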