Security Experts Discuss Validity of Handala’s Cal Water Hacking Claim

Iranian-linked hacking group Handala has claimed to have compromised California Water Service (Cal Water), asserting it has the ability to disrupt water supply flow in certain United States cities. However, experts are calling the claim into question.
Security Leaders Weigh In
Sean Malone, Chief Information Security Officer at BeyondTrust:
Nothing in the published evidence supports Handala’s claim that it can shut off water in U.S. cities. Dataminr assesses that the group reached a GPS correction server and a customer billing database. Neither system controls water treatment or distribution, and Dataminr states that OT or ICS disruption is not confirmed in this incident.
As BeyondTrust noted in its Epic Fury threat advisory, Handala has a record of overstating its capabilities. The boast about choosing to spare the water supply reads as the psychological operation itself. The advisory laid out the response playbook for critical infrastructure operators: validate patching on internet-facing systems, enforce phishing-resistant MFA on privileged accounts, restrict internet exposure of administrative interfaces, and monitor for anomalous outbound transfers. Our advisory described Iran’s cyber proxy ecosystem as operating at “wartime tempo.” More than three months in, this incident shows the tempo holding.
Agnidipta Sarkar, Chief Evangelist at ColorTokens:
Handala’s operations are designed to generate fear, uncertainty, and media attention. If we analyze Handala’s recent attacks and set political rhetoric aside, they seem to have a flair for operational disruption, data destruction, and publicly publishing the results. From what is known so far, it seems Handala likely possesses the capability to compromise poorly secured water-sector environments, but I do not find any indication that they have acquired capabilities to disrupt SCADA systems, PLCs, pump controls, treatment systems or other OT systems, even though they might have access to IT. However, considering that Iranian-affiliated actors have successfully targeted OT systems in the water sector, they could acquire this capability.
In my view, the claim should be treated as a credible warning of intent and potential capability, but not as proof that the group can currently shut off water supplies across American cities. If I had to look at this from a breach readiness perspective, I would immediately conduct a Breach Readiness Impact Assessment for my OT systems to determine reachability to my control systems and enforce strict microsegmentation controls to deny lateral movement in the event of such attacks. The benefit of using a pervasive microsegmentation platform is that it can use the same zoning controls in the IT systems and provide a single pane of control to leadership managing Water Systems, to infuse confidence in stakeholders.
John Gallagher, Vice President at Viakoo:
Handala did not disrupt or cut off the water supply to any U.S. cities. The threat actor explicitly claimed on their blog that while they allegedly possessed the ability to disrupt water access, they “chose not to.” Furthermore, threat intelligence analysis indicates that the breach was contained to an internal global navigation satellite system (GNSS) platform called RTKBase and a customer billing database; actual operational technology (OT) or industrial control system (ICS) disruption has not been confirmed.
This should be treated as a warning shot — and a highly dangerous one. While Handala framed the lack of disruption as a conscious choice, their past behavior proves they are highly volatile. Intelligence reports note that Handala’s standard toolkit includes custom data wipers and Master Boot Record (MBR)-overwriting capabilities. The group has a documented history of rapidly escalating from data theft to full-scale destructive operations within the exact same campaign cycle. Handala used this incident to exfiltrate 5 gigabytes of data (including customer names, addresses, and payment histories) and harvest administrative credentials, mapping out infrastructure that could be weaponized later.
There can be parallels made to the Colonial Pipeline shutdown, where threat actors were able to leverage a billing server to impact pipeline operations. This was the reverse (going from operational systems to a billing server), which demonstrates that pivot points between the two domains are being exploited.
Organizations should not delay in reviewing key protections, especially in eliminating pivot points between OT/IoT and corporate networks. Organizations must enforce strict, zero-trust network segmentation. IoT applications, telemetry platforms, and smart infrastructure must reside on isolated networks completely separated from business systems like billing, email, or corporate databases. An asset compromise on the operational side should never grant access to enterprise data.
The data dump explicitly included administrative credentials for the RTKBase platform and a mountpoint-level NTRIP source password. All organizations running similar infrastructure must consider any shared or default credentials entirely compromised. Implement immediate, automated rotation of all administrative passwords across the environment. Never reuse credentials between operational software and IT systems. Automated password management solutions for OT are needed due to the scale and timing needed.
The attackers were able to enumerate IP addresses and target an active RTKBase instance that had been continuously online for 783 hours. Organizations should conduct an immediate external attack surface audit to identify any internet-facing OT, GNSS, or industrial IoT applications. Many OT organizations lose track of applications within their environment, providing an opening. These platforms should never be directly exposed to the public internet. Access must be tightly restricted behind secure, multi-factor authenticated (MFA) VPNs or zero-trust network access (ZTNA) gateways.
Shane Barney, Chief Information Security Officer at Keeper Security:
The technical evidence shows a GPS correction network and a customer billing system were compromised, exposing real customer data across multiple districts. There is no confirmed access to water treatment controls or operational safety infrastructure, and that distinction matters for how security teams and the public assess what actually happened here.
Iran-linked actors have been open about targeting life-sustaining infrastructure for psychological impact, and federal advisories have flagged U.S. water utilities as a priority target. Accessing multiple systems, publishing the data and making escalatory claims fits that playbook. The intent deserves serious attention regardless of where the access ended.
The lesson for critical infrastructure owners and operators is in the lateral movement that took place. An internal system became a bridge to customer data because the network boundaries between them were not enforced. That is not a problem unique to this incident. Operational systems across the water sector have been connected to IT environments over time without the controls to match. Credential hygiene, network segmentation and consistent access controls are foundational. For organizations that have not yet made them a priority, this is a clear signal to start.