
Iranian hackers accessed two Cal Water systems and leaked 5GB of data
A poorly secured GPS tool gave attackers a direct path inside Cal Water
Administrative credentials for seven California districts were published in plaintext online
Tehran-linked threat group Handala has claimed it successfully breached California Water Service and released a 5GB data dump as proof.
Cal Water is one of the largest investor-owned water utilities in the United States, serving millions of residential and commercial customers across California.
Handala described the breach as direct retaliation for recent US military actions in Iran, claiming it could disrupt water access but deliberately chose not to — for now.
How a GPS tool became the entry point
Cybersecurity firm Dataminr analyzed the published data and identified two separate systems that Handala accessed during the breach.
The first was a customer billing database containing names, addresses, phone numbers, account numbers, and payment histories across multiple Cal Water districts.
The second was an internal RTKBase deployment — an open-source GPS base station platform used by field crews maintaining water infrastructure across California.
The RTKBase instance had been running continuously for approximately 783 hours at the time of access, with GPS correction data streaming across seven identified Cal Water districts.
Those districts included Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment spread across California.
The researchers believe that the GPS platform was not the end goal — it was the entry point into deeper infrastructure.
The RTKBase web interface was accessible via standard HTTP port 10000 across multiple district locations, making it straightforward for outside actors to locate and access.
It was deployed on lightweight hardware that offered minimal resistance against unauthorized entry from the internet.
Administrative credentials for the platform appeared in the published dump in plaintext, giving anyone who downloaded it immediate access to the entire system.
Full network infrastructure details for all seven districts were equally exposed, leaving Cal Water's security team with virtually nothing intact to protect.
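The exposure described above (a management web interface reachable over plain HTTP from the internet) is the kind of condition an operator can spot in its own reverse-proxy or web-server logs before an outsider does. The following is an added example written for this page, not code from the article, from Cal Water, or from the RTKBase project. It assumes the base station's web UI sits behind a proxy that writes combined-format access logs, that legitimate operators only connect from RFC 1918 field-crew networks, and that the UI paths and the sample log lines shown are constructed for illustration.

```python
"""Flag successful management-UI requests that arrive from outside the trusted address space.

Added example. Assumptions (not from the article): the GPS base station web UI is fronted
by nginx/Apache writing combined-format access logs, and legitimate clients live only on
RFC 1918 networks. Paths and sample lines below are constructed.
"""
import ipaddress
import re

# Combined log format: client ip, ident, user, [time], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Networks from which operators are expected to reach the UI (assumption: site LAN/VPN only)
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: one internal operator session, one external session that got in,
# and one external probe that was refused.
SAMPLE_LOG = [
    '10.20.4.15 - - [10/Mar/2026:08:12:01 -0800] "GET /settings HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Mar/2026:08:13:44 -0800] "POST /login HTTP/1.1" 302 0',
    '198.51.100.23 - - [10/Mar/2026:08:13:45 -0800] "GET /settings HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2026:08:15:02 -0800] "GET /login HTTP/1.1" 401 0',
    'garbage line that does not parse',
]


def is_trusted(ip_str: str) -> bool:
    """True if the client address falls inside an expected operator network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable client field: never treat as trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_external_ui_access(lines, success_statuses=(200, 302)):
    """Return (ip, path, status) for every successful request from an untrusted address.

    A 302 after POST /login is included because, for form logins, that is what a
    successful authentication usually looks like in the access log. Refused probes
    (401/403) are deliberately excluded so the output shows what actually got in.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        status = int(m.group("status"))
        if status in success_statuses and not is_trusted(m.group("ip")):
            findings.append((m.group("ip"), m.group("path"), status))
    return findings


def summarize_by_client(findings):
    """Group findings by client address so one external session is reported once."""
    summary = {}
    for ip, path, status in findings:
        summary.setdefault(ip, []).append((path, status))
    return summary


if __name__ == "__main__":
    hits = find_external_ui_access(SAMPLE_LOG)
    for ip, requests in summarize_by_client(hits).items():
        print(f"external client {ip} reached the UI: {requests}")
```

Running this over the constructed lines reports the single external client that authenticated and then loaded a settings page, while ignoring the internal operator and the refused probe. In production the same check would be fed from the proxy log in real time; a non-empty result on a device that is only supposed to be reachable from field-crew networks is itself the finding, independent of whether the credentials used were valid.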
A pattern that should concern every water utility
Handala's history makes the "chose not to disrupt" framing worth treating with considerable skepticism from any serious security perspective.
The group deployed a destructive wiper against Stryker in March 2026 that disrupted manufacturing and shipping — following the same data-theft-first pattern documented in this breach.
"Handala's operational pattern frequently involves an initial claim followed by escalated action," Dataminr's report concluded.
"Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly."
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory this year warning of Iranian groups targeting US water sector technologies.
This breach is an indication that Iranian cyber threats to US water infrastructure are no longer theoretical.
Cal Water has not publicly acknowledged the breach, but affected customers now face elevated phishing risks given that their names, addresses, phone numbers, and account details are publicly available.
Via Security Affairs

