Handala claims 5 GB exfil from Cal Water billing database and RTKBase

Handala asserted access to Cal Water networks in retaliation for U.S. strikes on Iranian targets. The group released files but claimed it refrained from altering treatment controls or flows. Cal Water activated its response plan after the Thursday disclosure and reported preliminary findings of no operational impact to water delivery or billing platforms. Collaboration with federal and state partners continues alongside external forensic review.

Dataminr analysis confirmed personal information in the dump, pointing to compromise of the customer billing database and RTKBase application used for real-time kinematic positioning. Legacy ICS dependencies and weak segmentation remain common across U.S. water utilities, enabling initial access that later expands to OT-adjacent assets. Contract records and procurement filings show persistent underinvestment in authentication controls for these systems.

Similar incidents at Polish water plants and other U.S. facilities demonstrate recurring patterns where initial IT footholds precede attempts to reach OT. Official attribution to Iranian state actors lacks independent technical indicators in public reporting, while the operational effect stays limited to data exposure rather than physical process changes.

Next steps include full forensic imaging of RTKBase instances and cross-checks against known Iranian tooling. Utilities should expect continued targeting of billing and GIS-adjacent platforms as entry vectors.