The Iranian-affiliated hacking group known as Handala has executed another cyberattack, this time targeting the California Water Service (Cal Water). This incident, which the group claims is a response to U.S. actions in Iran, raises significant concerns about the security of public infrastructure.
Cal Water, a key utility provider serving approximately two million residents across 100 communities in California, has become a focal point in this escalating cyber conflict.
The Attack on Cal Water
On June 11, 2026, Dataminr, a research and analytics firm, reported that Handala had claimed to breach Cal Water’s systems and had released five gigabytes of sensitive data. Experts confirmed that customer records from the utility’s Chico District were compromised, and that network infrastructure across seven operational areas, including Bakersfield, Chico, Salinas, Stockton, Visalia, and San Mateo, was also exposed.
The leaked data reportedly includes names, addresses, contact numbers, account details, and payment histories, all sourced from a customer billing database. The hackers also accessed an internal system known as RTKBase, which field crews use for GPS data in water pipe management, and obtained passwords from it that gave them entry into the billing network.
While Handala has asserted that it can disrupt water supply operations, it has not acted on this claim. Security analysts note that although the group has deployed destructive software in previous attacks, it has not tampered with water treatment processes in this instance.
A Pattern of Exaggeration
This latest incident is one among several attacks attributed to Handala in 2026. Observations indicate that the group frequently combines actual data breaches with inflated and unverified claims. Reports from March detailed their assertions of attacks on medical technology company Stryker and payment processing firm Verifone. While Stryker acknowledged some network disruptions, Verifone found no evidence of a breach. Handala’s claim to have erased 200,000 devices at Stryker remains unverified by investigators.
The group also compromised the personal Gmail account of FBI Director Kash Patel, releasing personal information to ridicule U.S. cyber defense capabilities. Recent claims by Handala that they disabled Israeli military radar networks have drawn skepticism, as investigations indicated a more modest breach of a local town hall’s telephone system.
In light of this attack, Cal Water has been urged to reset all affected passwords immediately and to segregate its mapping systems from customer billing networks. Security teams remain vigilant, anticipating potential follow-up attacks.
Experts’ Perspectives
Cybersecurity experts have weighed in on the ramifications of this incident. Sean Malone, Chief Information Security Officer at BeyondTrust, expressed skepticism about Handala’s claims of operational control. He stated, “Published evidence does not support Handala’s assertion that it can disrupt water services in U.S. cities. Dataminr’s findings suggest access to a GPS correction server and a customer billing database, neither of which controls water treatment or distribution processes.”
In a similar vein, John Gallagher, Vice President at Viakoo, noted the implications of how the hackers moved into the utility’s networks. He pointed to parallels with the Colonial Pipeline incident, where a billing server was exploited to impact operational systems. This shows that weak points at the boundary between operational technology and corporate networks are being targeted. Gallagher emphasized the urgent need for organizations to review their protections and implement strict zero-trust segmentation to mitigate the risks associated with such threats.