Mandiant Confirms Handala Access at Cal Water Limited to Third-Party Platforms, No OT Evidence
Mandiant cleared Cal Water OT after Handala's claims. Evidence shows only third-party and customer-account access. Pattern points to recurring third-party credential risk across the sector.
Cal Water engaged Mandiant after the Iranian-linked Handala group claimed deep ICS access and leaked 5 GB of data. The investigation established that only external service-provider accounts were reached, including a GPS correction tool and a single active customer portal. No billing system payments or operational controls were touched. The 5 GB dump contained personal identifiers but yielded no OT artifacts.
Water utilities remain attractive targets due to legacy serial-to-IP converters and third-party dependencies, patterns visible in prior CISA alerts on exposed HMI interfaces. Handala's public claims of poisoning capability exceed the technical trail, which shows credential stuffing rather than supply-chain pivots into PLCs. Official attribution to Iranian state actors rests on group history, not packet-level indicators from this event.
Third-party platform exposure now emerges as the dominant vector. Utilities should audit vendor credential stores and enforce MFA on every external portal within 60 days. Procurement records indicate most investor-owned systems still lack segmented OT monitoring, leaving the same access paths open.
CISA: Zero additional confirmed Iranian water-utility OT incidents through Q1 2025
Sources (2)
- [1]Primary Source(https://www.securityweek.com/cal-water-finds-no-evidence-of-ot-activity-after-hackers-claimed-they-could-disrupt-water-supply/)
- [2]Supporting Source(https://www.cisa.gov/news/2024/03/20/cisa-releases-advisory-iranian-cyber-actors-targeting-critical-infrastructure)