An Iranian-affiliated cyber group known as Handala has recently claimed responsibility for breaching California Water Service (Cal Water). The group reportedly released 5 gigabytes of data allegedly obtained from the US water utility, describing the leak as a response to the US's recent activities in Iran.
Details of the Cyber Intrusion
The hacking group publicized their actions on their blog, stating that while they had the potential to disrupt water services, they opted against it. Intelligence firm Dataminr suggests that Handala may have infiltrated Cal Water’s RTKBase, a GNSS base station platform, potentially using it as a springboard to access the billing system.
Cal Water ranks among the most significant investor-owned water utilities in the nation, serving approximately two million people across 100 California communities. Dataminr has confirmed that the Chico District of Cal Water was specifically targeted in this attack, with the leaked data indicating access to customer billing information and the internal RTKBase application.
Implications of the Data Breach
The breach resulted in the exposure of personally identifiable information (PII), including names, addresses, phone numbers, account numbers, and payment histories. Additionally, administrative credentials for the RTKBase platform and NTRIP source passwords were compromised. The hackers also enumerated IP addresses connected to Cal Water’s NTRIP network across seven districts.
Although no operational technology (OT) or industrial control system (ICS) disruption has been confirmed, Dataminr warns that Handala’s toolkit includes custom wipers and MBR-overwriting capabilities. This indicates a potential for destructive actions, similar to previous incidents involving the group.
Recommended Security Measures
In response to the breach, it is critical to treat all exposed credentials as compromised and rotate them immediately. The RTKBase instance should be taken offline and thoroughly audited, while network segmentation and billing system access logs must be reviewed.
Cal Water has not yet made a public statement regarding the breach. SecurityWeek has reached out for a comment and will update with any responses.
Background on Handala
Handala has been active since at least 2008 and is associated with Iran’s Ministry of Intelligence and Security (MOIS). The group, also known by names such as Banished Kitten and Red Sandstorm, engages in activities ranging from hacktivism to data exfiltration and destructive attacks.
Dataminr suggests that Handala’s operational pattern typically involves initial claims followed by escalated actions. Security teams should consider the potential for further destructive activities and adjust their postures accordingly.
