
Iranian Cyber Group Handala Claims Hack on Cal Water

June 12, 2026 20:23 · 12 min read

Handala's Claim of Cal Water Hack

Handala, an Iranian-linked threat actor, has boasted about hacking California Water Service (Cal Water), a US water utility, and published 5 gigabytes of allegedly stolen data. The hacking group claimed the intrusion was in retaliation for recent US actions in Iran and stated they had the ability to disrupt water access but chose not to.

Cal Water is one of the largest investor-owned water utilities in the US, serving roughly two million customers across 100 communities in California. The cybersecurity firm Dataminr says that Cal Water's Chico District has been confirmed as the victim of the attack.

Extent of the Attack

Data leaked by Handala shows it likely accessed a customer billing database and Cal Water's internal RTKBase application. The RTKBase instance had been operational for approximately 783 continuous hours at the time of access, with GPS correction data streamed across all seven identified district mountpoints.

The billing system and RTKBase platform represent distinct infrastructure. The RTKBase network is assessed as a probable initial access vector or lateral pivot point that enabled the actor to reach the billing environment, according to Dataminr.

Stolen Data and Potential Consequences

Handala's dump appears to be a bulk database export containing personally identifiable information (PII) such as names, addresses, phone numbers, account numbers, and payment histories. It also includes administrative credentials for the RTKBase platform, and a mountpoint-level NTRIP source password.

The threat actor also performed enumeration of IP addresses associated with Cal Water's NTRIP network across seven districts. While OT/ICS disruption is not confirmed in this incident, Handala's deployed toolkit includes custom wipers and MBR-overwriting capabilities.

The group has demonstrated willingness to escalate from data theft to destructive operations within the same campaign cycle, as evidenced by the Stryker incident. All credentials exposed in the dump should be considered compromised and immediately rotated; the RTKBase instance should be taken offline and audited; and network segmentation and access logs to the billing system should be reviewed, according to Dataminr.

Handala's Operational Pattern

Linked by the US to Iran's Ministry of Intelligence and Security (MOIS), Handala has been active since at least 2008 and is also tracked as Handala Hack, Banished Kitten, Dune, Hanzalah Hacking Group, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore.

The group is known for engaging in a broad range of activities, from hacktivism to destructive attacks, with a primary focus on data exfiltration, the deployment of wiper malware, and psychological operations. Handala's operational pattern frequently involves an initial claim followed by escalated action.

Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly, according to Dataminr. Cal Water has yet to publicly acknowledge the intrusion, and SecurityWeek has emailed the company for a statement.

Recommendations and Next Steps

In light of Handala's claim, organizations should review their security measures and ensure they are prepared for potential attacks. This includes rotating compromised credentials, auditing affected systems and taking them offline where necessary, and reviewing network segmentation and access logs.

Furthermore, security teams should be aware of Handala's operational pattern and be prepared for potential escalated actions. By taking proactive measures, organizations can reduce the risk of falling victim to similar attacks and protect their customers' sensitive information.


Source: SecurityWeek