- Iranian hackers accessed two Cal Water systems and leaked 5GB of data
- Poorly Secured GPS Tool Gave Attackers a Direct Path Inside Cal Water
- Administrative credentials for seven California districts released in plain text online
The Handala threat group, linked to Tehran, claimed to have successfully hacked the California Water Service and released a 5GB data copy as proof.
Cal Water is one of the largest investor-owned water utilities in the United States, serving millions of residential and commercial customers throughout California.
Handala described the attack as direct retaliation for recent U.S. military actions in Iran, saying it could have disrupted access to water but had deliberately chosen not to do so — for now.
How a GPS tool became the entry point
Cybersecurity firm Dataminr analyzed the published data and identified two separate systems that Handala accessed during the breach.
The first was a customer billing database containing names, addresses, telephone numbers, account numbers and payment histories across several Cal Water districts.
The second was an internal deployment of RTKBase – an open source GPS base station platform used by field crews maintaining water infrastructure across California.
The RTKBase instance had been running continuously for approximately 783 hours at the time of access, with GPS correction data broadcast to seven identified Cal Water districts.
These districts included Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment spread throughout California.
Researchers believe the GPS platform was not the end goal, but rather the entry point to deeper infrastructure.
RTKBase’s web interface was accessible via standard HTTP port 10000 in several districts, making it easy for outside actors to locate and access.
It was deployed on lightweight hardware that offered minimal resistance to unauthorized access from the Internet.
The platform’s administrative credentials appeared in the dump released in plain text, giving anyone who downloaded it immediate access to the entire system.
The complete details of the network infrastructure for all seven districts were also exposed, leaving Cal Water’s security team with virtually nothing intact to protect.
A model that should concern all water services
Handala’s claim that it chose not to disrupt water access deserves considerable skepticism from any serious security perspective.
The group deployed a destructive wiper against Stryker in March 2026, which disrupted manufacturing and shipping, following the same data-theft-first pattern documented in this breach.
“Handala’s operating model frequently involves an initial complaint followed by escalating action,” the Dataminr report concludes.
“Security teams should view the current disclosure as a possible precursor to a destructive sequel and act accordingly.”
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory this year warning of Iranian groups targeting US water sector technologies.
This breach indicates that Iranian cyber threats to US water infrastructure are no longer theoretical.
Cal Water has not publicly acknowledged the breach, but affected customers now face elevated phishing risks as their names, addresses, phone numbers and account details are publicly available.
Via Security Affairs