The Iran-linked hacking group Handala has struck again, this time targeting the California Water Service (Cal Water). The group, which security researchers have been tracking closely throughout 2026, claims this move is retaliation for US actions in Iran.
Cal Water is a major utility serving two million people across 100 communities in California, making this a worrying event for public infrastructure.
The Attack on Cal Water
On 11 June 2026, the research firm Dataminr spotted the group announcing a breach and publishing five gigabytes of data. Experts confirmed that customer records from the utility’s Chico District were among the exposed files, but the leak also contained network infrastructure details for seven distinct operational areas: Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment.
Reportedly, the leaked data comprises names, home addresses, phone numbers, account numbers, and payment history taken from a customer billing database.
The hackers also gained access to an internal system running RTKBase, an open-source GNSS base-station package that field crews use to obtain precise positioning for mapping and repairing water pipes. Using credentials taken from that system, the attackers pivoted into the billing network.
Handala claimed in its posts that it could shut off water supplies, but it has not done so. Security teams note that although Handala has used wiper malware to destroy systems in other campaigns, there is no indication that it tampered with water treatment processes here.
A Pattern of Exaggeration
This incident follows several other attacks linked to Handala in 2026, and the group has repeatedly mixed genuine data theft with exaggerated and unverified claims. As Hackread.com reported in March, it claimed to have hit the medical technology firm Stryker and the payment company Verifone.
While Stryker admitted to some network trouble, Verifone found no signs of a breach. Handala claimed to have wiped 200,000 devices at Stryker, but investigators haven’t verified these figures.
The group also hacked the personal Gmail account of FBI Director Kash Patel in March, releasing his resume and travel photos to mock US cyber defence. Earlier this month, they claimed to have shut down Israeli military radar networks. However, SOCRadar’s investigation revealed the hackers had only accessed a local town hall’s telephone routing system.
Following the incident, Cal Water has been advised to rotate every exposed credential immediately and to separate its mapping and positioning systems from the customer billing network so that a foothold in one cannot be used to reach the other. Security teams also remain on alert for further activity.
Experts’ Perspectives
Industry experts shared their comments with Hackread.com regarding the incident. Sean Malone, Chief Information Security Officer at BeyondTrust, highlighted that the group’s claims of operational control are highly suspect:
“Nothing in the published evidence supports Handala’s claim that it can shut off water in U.S. cities. Dataminr assesses that the group reached a GPS correction server and a customer billing database. Neither system controls water treatment or distribution, and Dataminr states that OT or ICS disruption is not confirmed in this incident.
“As BeyondTrust noted in its Epic Fury threat advisory, Handala has a record of overstating its capabilities. The boast about choosing to spare the water supply reads as the psychological operation itself,” Sean argued.
John Gallagher, Vice President at Viakoo, provided context on how the hackers managed to access the utility’s business and physical networks, warning that this tactic is an escalating problem for critical infrastructure:
“There can be parallels made to the Colonial Pipeline shutdown, where threat actors were able to leverage a billing server to impact pipeline operations. This was the reverse (going from operational systems to a billing server), which demonstrates that pivot points between the two domains are being exploited,” John explained.
“Organizations should not delay in reviewing key protections, especially in eliminating pivot points between OT/IoT and corporate networks, and must enforce strict, zero-trust network segmentation. IoT applications, telemetry platforms, and smart infrastructure must reside on isolated networks completely separated from business systems like billing, email, or corporate databases. An asset compromise on the operational side should never grant access to enterprise data,” he warned.