Overview
- On Friday, June 12, the Iran‑linked group Handala posted a claim and released roughly 5 gigabytes of files it says came from California Water Service (Cal Water).
- Threat analysts report the likely initial entry was an exposed RTKBase GNSS/NTRIP instance used to send GPS correction data to field crews and that the actor then moved laterally into a customer billing database with the Chico district identified as affected.
- The published material appears to include personally identifiable information such as names, addresses, phone numbers and payment histories, plus administrative credentials and an NTRIP mountpoint password, which raises immediate phishing and fraud risks for customers.
- Security firms note Handala has previously used destructive tools, including custom wipers and MBR‑overwriting capabilities, and they urge rotating exposed credentials, taking exposed RTKBase instances offline for audit, and reviewing network segmentation between OT positioning systems and billing infrastructure.
- Handala framed the intrusion as retaliation for recent U.S. strikes that damaged Iranian water facilities. The group is tracked by U.S. agencies as linked to Iran’s intelligence services, and analysts say this incident follows a pattern of state‑aligned cyber actions that can escalate from data theft to operational attacks.