The Iran-linked threat actor Handala this week boasted to have hacked California Water Service (Cal Water), and published 5 gigabytes of data allegedly stolen from the US water utility.
In a post on their blog, the hacking group said the intrusion was retaliation for recent US actions in Iran and claimed they had the ability to disrupt water access but chose not to.
While the level of access Handala had has not been confirmed, threat intelligence company Dataminr says the threat actor likely hacked into Cal Water’s RTKBase instance, a GNSS base station platform, and then moved laterally to a billing system.
Cal Water is one of the largest investor-owned water utilities in the US, with roughly two million customers across 100 communities in California.
The cybersecurity firm says that Cal Water’s Chico District has been confirmed as the victim of the attack. Data leaked by Handala shows it likely accessed a customer billing database and Cal Water’s internal RTKBase application.
“The RTKBase instance had been operational for approximately 783 continuous hours at the time of access, with GPS correction data streamed across all seven identified district mountpoints,” Dataminr notes.
“The billing system and RTKBase platform represent distinct infrastructure. The RTKBase network is assessed as a probable initial access vector or lateral pivot point that enabled the actor to reach the billing environment,” the company says.
Handala’s dump appears to be a bulk database export containing personally identifiable information (PII) such as names, addresses, phone numbers, account numbers, and payment histories.
It also includes administrative credentials for the RTKBase platform, and a mountpoint-level NTRIP source password. The threat actor also performed enumeration of IP addresses associated with Cal Water’s NTRIP network across seven districts.
“While OT/ICS disruption is not confirmed in this incident, Handala’s deployed toolkit includes custom wipers (win.handala, Handala Wiper, Hamsa Wiper) and MBR-overwriting capabilities. The group has demonstrated willingness to escalate from data theft to destructive operations within the same campaign cycle, as evidenced by the Stryker incident,” Dataminr notes.
All credentials exposed in the dump should be considered compromised and immediately rotated; the RTKBase instance should be taken offline and audited; and network segmentation and access logs to the billing system should be reviewed, the company says.
Cal Water has yet to publicly acknowledge the intrusion. SecurityWeek has emailed the company for a statement and will update this article if it responds.
Linked by the US to Iran’s Ministry of Intelligence and Security (MOIS), Handala has been active since at least 2008 and is also tracked as Handala Hack, Banished Kitten, Dune, Hanzalah Hacking Group, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore.
The group is known for engaging in a broad range of activities, from hacktivism to destructive attacks, with a primary focus on data exfiltration, the deployment of wiper malware, and psychological operations.
“Handala’s operational pattern frequently involves an initial claim followed by escalated action. Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly,” Dataminr notes.
Related: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers
Related: Iranian APT Targets Aviation, Software Companies With Updated Tools
Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack
Related: Iranian Cyber Group Handala Targets US Troops in Bahrain
