Dataminr disclosed that an Iran-linked threat group known as Handala has claimed responsibility for breaching systems belonging to California Water Service (Cal Water), one of the largest water utilities in the U.S., serving approximately two million customers across California. The group released a 5 GB proof-of-concept data dump that allegedly contains customer billing information, personally identifiable information (PII), and administrative credentials associated with an internal GPS correction network spanning multiple service districts. The intelligence firm assessed that the GPS network may have served as an initial access point or lateral movement pathway into the utility’s billing environment.
While the threat actors claimed they could disrupt water services, there has been no evidence of operational impacts to water treatment or distribution systems. The incident nevertheless underscores growing concerns over cyber threats targeting critical water infrastructure, a sector increasingly viewed as vulnerable due to limited cybersecurity resources and the convergence of IT and OT (operational technology) environments.
Handala, which security researchers have linked to Iranian intelligence interests, has previously been associated with disruptive and destructive cyber operations, raising concerns that even breaches initially focused on data theft could provide footholds for future attacks against critical services.
“Analysis of the published materials identifies Cal Water’s Chico District as a confirmed affected account, with transaction and account records indicating access to the customer billing database,” Jeanette Miller-Osborn, field cyber intelligence officer; Tim Miller, global field CTO and chief cybersecurity strategist; and Joseph Slowik, director for threat research and cyber engineering, wrote in a recent Dataminr Cyber Intel Brief. “A separate set of screenshots documents administrative access to Cal Water’s internal RTKBase deployment — an open-source NTRIP caster used by field crews to receive centimeter-accurate GPS corrections when mapping and maintaining water infrastructure across service territories. The RTKBase instance had been operational for approximately 783 continuous hours at time of access, with GPS correction data streamed across all seven identified district mountpoints.”
They added that the billing system and RTKBase platform represent distinct infrastructure. The RTKBase network is assessed as a probable initial access vector or lateral pivot point that enabled the actor to reach the billing environment.
Handala is assessed with high confidence as a MOIS-affiliated front operating within the Banished Kitten cyber ecosystem, also tracked as Void Manticore and Storm-0842 by Microsoft and Check Point Research, respectively. The group has been operationally active since December 2023, with a significant escalation in U.S.-targeted activity following the onset of U.S.-Iran military engagement in February 2026.
“Water infrastructure targeting is consistent with Handala’s stated doctrine of attacking ‘life-sustaining’ systems for maximum psychological and societal impact,” according to the researchers. “The dual-system breach pattern — accessing both an operational support network and a customer-facing database — reflects the group’s preference for high-visibility, multi-domain impact over quiet persistence.”
Analysts should note that Handala has no confirmed history of tampering with water treatment processes or chemical dosing systems in any previous operation. To date, the group's impact has been limited to data exfiltration, wiper deployment, and psychological operations.
The post observed that the published data dump confirms access to customer billing information, including names, service addresses, phone numbers, account numbers, and payment histories. Although the total number of affected records across all districts has not been independently verified, the 5 GB proof-of-concept dataset is consistent with a bulk database export.
The compromise appears to involve RTKBase, a lightweight open-source GNSS base station application commonly deployed on low-overhead hardware such as Raspberry Pi devices. The platform’s web-based administrative interface is often exposed on internal networks without hardened authentication controls. In Cal Water’s case, the deployment reportedly used the standard HTTP port 10000 across district mountpoints.
The adversaries published administrative credentials for the RTKBase platform, along with a mountpoint-level NTRIP source password, in plaintext within the proof-of-concept data. These credentials should be considered fully compromised and immediately rotated on any systems where they may have been reused.
In addition, the proof-of-concept data fully enumerates the IP address range supporting Cal Water’s NTRIP network across seven district deployments. As a result, this infrastructure should be treated as known to the adversary and potentially to any third parties that have accessed the leaked data.
While there is no confirmed evidence of operational technology or industrial control system disruption in this incident, Handala possesses a toolkit that includes custom wiping malware such as win[dot]handala, Handala Wiper, and Hamsa Wiper, as well as master boot record-overwriting capabilities. The group has previously demonstrated a willingness to escalate from data theft to destructive cyber operations within the same campaign, as seen in the Stryker incident.
Dataminr urged organizations to treat all credentials contained in the published proof-of-concept data as compromised and to rotate them immediately. This includes the RTKBase administrative account, all NTRIP mountpoint source passwords, and any other systems where the same credentials may have been reused. Organizations should avoid limiting remediation to only the exposed accounts and instead conduct a comprehensive credential audit.
Utilities operating RTKBase or similar NTRIP caster software should verify that administrative interfaces are not exposed to the internet and are protected by network-level controls in addition to application-layer authentication. If internet exposure is identified, affected systems should be taken offline pending a full investigation.
The apparent pivot from RTKBase into the billing environment highlights potential weaknesses in network segmentation between operational support systems and customer data environments. Utilities should review firewall policies and network architecture to ensure that GPS, surveying, and positioning infrastructure cannot directly access billing platforms or customer information systems without explicitly authorized pathways.
Organizations should also review authentication and access logs on customer billing systems for the period corresponding to the RTKBase deployment, estimated at roughly 33 days based on available uptime information. Investigators should look for signs of anomalous logins, unusual API activity, or bulk data export operations.
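The log review recommended above can be scripted; the Python below is an added example (not Dataminr's, Cal Water's or RTKBase's code) that runs three checks over constructed billing-system access log lines: any access from the positioning network segment (a hypothetical 10.77.0.0/16 standing in for the RTKBase/NTRIP range), a login success following repeated failures, and a single export large enough to be a bulk dump. The log format, thresholds, account names and addresses are all assumptions.

```python
import ipaddress

# Every value here is constructed for the example; no address range, account
# or record from the leaked Cal Water data is reproduced.
POSITIONING_NET = ipaddress.ip_network("10.77.0.0/16")  # hypothetical RTKBase/NTRIP segment
BULK_EXPORT_ROWS = 10_000   # one export above this row count is treated as a bulk dump
FAILED_LOGIN_BURST = 3      # failures from one source before a success is flagged

SAMPLE_LOG = """\
2026-03-02T08:14:02Z login ok user=clerk01 src=192.168.20.15
2026-03-02T08:15:40Z api GET /accounts/export rows=120 user=clerk01 src=192.168.20.15
2026-03-05T23:40:10Z login fail user=admin src=10.77.3.21
2026-03-05T23:40:22Z login fail user=admin src=10.77.3.21
2026-03-05T23:40:35Z login fail user=admin src=10.77.3.21
2026-03-05T23:41:52Z login ok user=admin src=10.77.3.21
2026-03-05T23:44:09Z api GET /accounts/export rows=1950000 user=admin src=10.77.3.21
"""

def parse(line):
    """Split one constructed log line into timestamp, event, status/verb and key=value fields."""
    ts, event, status, *rest = line.split()
    rec = {"ts": ts, "event": event, "status": status}
    rec.update(tok.split("=", 1) for tok in rest if "=" in tok)
    return rec

def review(log_text):
    """Return (indicator, timestamp, source) tuples for the three indicators above."""
    findings, fails, flagged_sources = [], {}, set()
    for line in filter(None, log_text.splitlines()):
        r = parse(line)
        src = r["src"]
        # 1. any billing-system access from the positioning network is a segmentation violation
        if ipaddress.ip_address(src) in POSITIONING_NET and src not in flagged_sources:
            flagged_sources.add(src)
            findings.append(("segmentation_violation", r["ts"], src))
        # 2. repeated failures followed by a success from the same source
        if r["event"] == "login":
            if r["status"] == "fail":
                fails[src] = fails.get(src, 0) + 1
            elif fails.pop(src, 0) >= FAILED_LOGIN_BURST:
                findings.append(("login_after_failure_burst", r["ts"], src))
        # 3. a single export far beyond normal clerk volume
        if r["event"] == "api" and int(r.get("rows", 0)) >= BULK_EXPORT_ROWS:
            findings.append(("bulk_export", r["ts"], src))
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(*f)
```

In a real review the window would be bounded to the roughly 33-day RTKBase uptime period and the positioning range taken from the utility's own network inventory.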
Although there is no evidence that SCADA systems or treatment processes were disrupted, utilities should verify the effectiveness of existing isolation measures between IT and OT environments. Given Handala’s history of escalating from data theft to destructive cyber activity, organizations should treat the current situation as a period of heightened risk.
Cal Water should evaluate its notification obligations under California Civil Code § 1798.82 in light of the confirmed exposure of customer personally identifiable information. Affected customers may face an increased risk of spear-phishing and social engineering attacks leveraging stolen account and contact information.
Dataminr called upon utilities that identify indicators of unauthorized access to promptly notify the Cybersecurity and Infrastructure Security Agency (CISA) and WaterISAC. CISA’s recent warnings regarding Iranian cyber activity targeting water-sector technologies underscore the broader significance of incidents involving critical infrastructure operators.
Security teams should continue monitoring for follow-on activity, as Handala has previously followed public breach claims with additional or more destructive operations. The current disclosure should therefore be treated as a data breach event, as well as a potential precursor to further malicious actions.