- Iranian hackers gained access to two Cal Water systems and leaked 5 GB of data
- A poorly secured GPS tool gave the attackers a direct path inside Cal Water
- Administrative credentials for seven California districts were published in plain text online
The Tehran-linked threat group Handala has claimed to have breached the California Water Service (Cal Water) and has released a 5 GB data dump as evidence.
Cal Water is one of the largest investor-owned water utilities in the United States, serving millions of residential and commercial customers throughout California.
Handala described the breach as direct retaliation for recent US military actions in Iran, claiming it could disrupt access to water, but deliberately chose not to – for now.
How a GPS tool became the entry point
Cybersecurity firm Dataminr analyzed the published data and identified two separate systems accessed by Handala during the breach.
The first was a customer billing database containing names, addresses, phone numbers, account numbers and payment history across multiple Cal Water districts.
The second was an in-house deployment of RTKBase, an open-source GPS base station platform that streams RTK correction data to field crews maintaining water infrastructure in California.
The RTKBase instance had been running continuously for approximately 783 hours at the time of access, with GPS correction data streamed across seven identified Cal Water districts.
These districts included Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo and a regional engineering segment spread across California.
The researchers believe that the GPS platform was not the end goal; it was an entry point into deeper infrastructure.
The RTKBase web interface was exposed over plain HTTP on port 10000 across multiple district locations, making it trivial for outside actors to locate and reach.
It ran on lightweight hardware with little in place to stop unauthorized access from the internet.
Administrative credentials for the platform appeared in the published dump in plaintext, giving anyone who downloaded it immediate access to the system until those credentials are rotated.
Network infrastructure details for all seven districts were exposed alongside them, leaving little of the platform's footprint undisclosed for Cal Water's security team to work with.
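An added example, not code from the article, from Dataminr or from the RTKBase project, of the check a utility's security team would want after reading the above: an offline audit of HTTP probe results for management ports that flags the three weaknesses described (a known management port reachable from outside, plain HTTP, and a UI that answers an anonymous request with no authentication challenge). The probe records, addresses and headers are constructed; port 10000 is taken from the article, while the heuristics (a 200 on / with no WWW-Authenticate counts as unauthenticated; anything outside the RFC 1918 ranges counts as internet-reachable) and the internal ranges are assumptions to tune to your own environment.

```python
"""Audit constructed HTTP probe records for exposed field-device management UIs.

Added example; not code from the article, Dataminr or the RTKBase project.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class HttpProbe:
    """What a scanner saw when it sent GET / to one host:port (constructed records)."""
    host: str
    port: int
    scheme: str                                   # "http" or "https"
    status: int                                   # HTTP status of the response to GET /
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    host: str
    port: int
    severity: str
    reasons: List[str]


# Port 10000 is the one the article names for the RTKBase web UI. Extend this
# set from your own inventory (assumption: other management ports are unknown here).
MGMT_PORTS = {10000}

# Assumption: these RFC 1918 ranges are the utility's internal address space;
# anything else is treated as reachable from the internet.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def outside_internal_ranges(host: str) -> bool:
    """True when the address is not in a known internal range (or is a bare hostname)."""
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # hostname: assume it resolves from outside until proven otherwise
    return not any(addr in net for net in INTERNAL_NETS)


def redirects_to_https(p: HttpProbe) -> bool:
    loc = p.headers.get("Location", "")
    return p.status in (301, 302, 307, 308) and loc.lower().startswith("https://")


def plaintext_transport(p: HttpProbe) -> bool:
    """Plain HTTP that does not immediately bounce the client to TLS."""
    return p.scheme == "http" and not redirects_to_https(p)


def no_auth_challenge(p: HttpProbe) -> bool:
    """A 200 on / with no WWW-Authenticate header means the UI served an anonymous
    client. Redirects are not judged here because the scanner did not follow them."""
    return p.status == 200 and "WWW-Authenticate" not in p.headers


def audit(probes: List[HttpProbe]) -> List[Finding]:
    """Return one finding per management port that shows at least one weakness.
    Severity rises with the number of weaknesses: 1 medium, 2 high, 3 critical."""
    findings: List[Finding] = []
    for p in probes:
        if p.port not in MGMT_PORTS:
            continue
        reasons = []
        if outside_internal_ranges(p.host):
            reasons.append("management port on an address outside internal ranges (internet-reachable)")
        if plaintext_transport(p):
            reasons.append("credentials and session data travel over plain HTTP")
        if no_auth_challenge(p):
            reasons.append("interface answered GET / with no authentication challenge")
        if reasons:
            severity = {1: "medium", 2: "high", 3: "critical"}[len(reasons)]
            findings.append(Finding(p.host, p.port, severity, reasons))
    return findings


# Constructed probe records standing in for a scan of field-device addresses.
SAMPLE_PROBES = [
    HttpProbe("203.0.113.10", 10000, "http", 200),                                  # all three weaknesses
    HttpProbe("10.20.30.40", 10000, "http", 200),                                   # internal, but plain HTTP and no auth
    HttpProbe("203.0.113.20", 10000, "https", 401, {"WWW-Authenticate": 'Basic realm="base"'}),
    HttpProbe("203.0.113.30", 10000, "http", 302, {"Location": "https://203.0.113.30:10000/"}),
    HttpProbe("10.20.30.50", 10000, "https", 401, {"WWW-Authenticate": 'Basic realm="base"'}),
    HttpProbe("203.0.113.40", 8443, "https", 200),                                  # not a port this audit covers
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PROBES):
        print(f"{f.severity.upper():8} {f.host}:{f.port}")
        for r in f.reasons:
            print(f"         - {r}")
```

Feed it the host, port, scheme, status and response headers your scanner records for each management port; a critical finding is exactly the combination described for the RTKBase instances, and a medium finding on a public address is still a management port that should sit behind a VPN or an allowlisted reverse proxy rather than on the open internet.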
A pattern that should concern every waterworks
Handala's history is reason to treat its claim that it chose not to disrupt water access with considerable skepticism.
In March 2026 the group deployed a destructive wiper against Stryker that disrupted production and shipping, following the same data-theft-first pattern documented in this breach.
“Handala’s operational pattern often involves an initial demand followed by escalated action,” Dataminr’s report concluded.
“Security teams should treat the current disclosure as a possible precursor to a destructive follow-up and position accordingly.”
The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning this year about Iranian groups targeting US water-sector technology.
This breach is an indication that Iranian cyber threats to US water infrastructure are no longer theoretical.
Cal Water has not publicly acknowledged the breach, but affected customers now face heightened phishing risks as their names, addresses, phone numbers and account information are publicly available.
Via Security Affairs