- Iranian hackers accessed two Cal Water systems and leaked 5 GB of data
- Poorly secured GPS tool gave attackers a direct path into Cal Water
- Administrative credentials for seven California districts posted in plain text online
The Tehran-linked Handala threat group claimed to have successfully breached the California Water Service and released a 5 GB data dump as proof.
Cal Water is one of the largest investor-owned water utilities in the United States, serving millions of residential and commercial customers throughout California.
Handala described the breach as direct retaliation for recent US military actions in Iran, stating that it could disrupt access to water, but deliberately decided not to do so, for now.
How a GPS tool became the entry point
Cybersecurity company Dataminr analyzed the published data and identified two separate systems that Handala accessed during the breach.
The first was a customer billing database containing names, addresses, telephone numbers, account numbers, and payment histories in various Cal Water districts.
The second was an internal deployment of RTKBase: an open source GPS base station platform used by field teams maintaining water infrastructure throughout California.
The RTKBase instance had been running continuously for approximately 783 hours at the time of access, with GPS correction data streaming across seven identified Cal Water districts.
Those districts included Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo and a regional engineering segment spread across California.
The researchers believe that the GPS platform was not the end goal, but rather the entry point to deeper infrastructure.
The RTKBase web interface was reachable over plain HTTP on port 10000 at multiple locations across the districts, making it easy for external actors to find and reach.
It was implemented on lightweight hardware that offered minimal resistance against unauthorized entry from the Internet.
The platform’s administrative credentials appeared in the published dump in plain text, giving anyone who downloaded it immediate access to the entire system.
The full details of the seven districts’ network infrastructure were similarly exposed, leaving Cal Water’s security team with virtually nothing about that environment still undisclosed.
A pattern that should worry all water companies
Handala’s track record makes it worth treating the “chose not to disrupt” framing with considerable skepticism from any serious security perspective.
The group deployed a destructive wiper against Stryker in March 2026 that disrupted manufacturing and shipping, following the same data-theft-first pattern documented in this breach.
“Handala’s operational pattern frequently involves an initial complaint followed by escalated action,” the Dataminr report concluded.
“Security teams should treat the current revelation as a possible precursor to a destructive continuation and adopt a posture accordingly.”
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory this year warning about Iranian groups targeting US water sector technologies.
This breach is an indication that Iranian cyber threats to American water infrastructure are no longer theoretical.
Cal Water has not publicly acknowledged the breach, but affected customers now face elevated phishing risks as their names, addresses, phone numbers and account details are publicly available.
Via Security Matters