Handala Pivots via Cal Water RTKBase GNSS to Billing DB, Exfiltrates 5GB PII
Handala leveraged an exposed Cal Water RTKBase GNSS platform to reach billing systems and leak 5GB of PII. Technical indicators point to initial access via NTRIP infrastructure rather than direct OT compromise. The event aligns with Iranian retaliation patterns and highlights GNSS base stations as viable vectors into critical infrastructure.
Dataminr telemetry shows the actor enumerated IP ranges tied to Cal Water NTRIP networks across districts before reaching the billing environment. Exposed artifacts include RTKBase admin credentials, mountpoint NTRIP passwords, and full customer records containing names, addresses, account numbers and payment histories. No OT sensor manipulation is confirmed, yet the group's documented wiper suite (win.handala, Hamsa) and prior Stryker escalation pattern indicate the data theft may serve as reconnaissance for follow-on disruption.
US government attribution links Handala to Iran's MOIS under multiple aliases including Red Sandstorm and Storm-0842. Technical evidence is limited to access vectors and data contents; no independent packet captures or malware samples have been published to corroborate state direction. The absence of Cal Water public confirmation leaves open whether the exposed RTKBase instance remains reachable from the internet.
This incident fits a documented Iranian pattern of targeting US water utilities during periods of heightened tension, extending beyond the group's earlier LA Metro and Bahrain operations. RTKBase, an open-source GNSS base-station stack usually deployed for survey-grade positioning correction, exposes a web administration interface and an NTRIP service; placed on a utility network it sits on an under-monitored IT/OT boundary and can serve as both initial access and a lateral pivot. The 783-hour uptime reported in the leaked material shows the host had not been rebooted, and very likely not patched, for over a month, consistent with an appliance left outside normal patch and monitoring cycles. Uptime alone does not prove weak segmentation, but reaching the billing environment from that host does.
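A first check for the exposure described above is whether a caster answers an NTRIP sourcetable request and which mountpoints it serves without authentication. The following is an added example, not Cal Water's or the RTKBase project's code; the host name, port and the sample sourcetable response are constructed for illustration, and the live `fetch_sourcetable` probe is only for running against ranges you own.

```python
"""Audit an NTRIP caster's sourcetable for unauthenticated mountpoints.

Added example, not Cal Water's or RTKBase's own code. The host name and the
SAMPLE_RESPONSE below are constructed; 2101 is the conventional NTRIP port.
"""
import socket

# Field order of a STR record in an NTRIP sourcetable. The 'authentication'
# field is 'N' (none), 'B' (basic) or 'D' (digest); trailing 'misc' is free text.
STR_FIELDS = ["type", "mountpoint", "identifier", "format", "format_details",
              "carrier", "nav_system", "network", "country", "latitude",
              "longitude", "nmea", "solution", "generator", "compression",
              "authentication", "fee", "bitrate"]


def build_sourcetable_request(host: str) -> bytes:
    """Requesting an empty mountpoint path makes a caster return its sourcetable."""
    lines = [
        "GET / HTTP/1.1",
        f"Host: {host}",
        "Ntrip-Version: Ntrip/2.0",
        "User-Agent: NTRIP ntrip-audit/0.1",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_sourcetable(raw: str) -> list:
    """Return the STR records from a sourcetable response.

    Accepts both the NTRIP 1.0 'SOURCETABLE 200 OK' status line and the
    NTRIP 2.0 'HTTP/1.1 200 OK' form. CAS/NET records are ignored.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status = head.split("\r\n", 1)[0]
    if "200" not in status:
        raise ValueError(f"unexpected status line: {status!r}")
    entries = []
    for line in body.splitlines():
        if not line.startswith("STR;"):
            continue
        parts = line.split(";")
        rec = dict(zip(STR_FIELDS, parts))
        rec["misc"] = ";".join(parts[len(STR_FIELDS):])
        entries.append(rec)
    return entries


def find_open_mountpoints(entries) -> list:
    """Mountpoints that the caster serves with no authentication at all."""
    return [e["mountpoint"] for e in entries
            if e.get("authentication", "").upper() == "N"]


def fetch_sourcetable(host: str, port: int = 2101, timeout: float = 5.0) -> str:
    """Live probe (not exercised offline): send the request and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sourcetable_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


# Constructed reply from a hypothetical RTKBase-fed caster: one mountpoint
# open to anyone ('N'), one behind basic auth ('B').
SAMPLE_RESPONSE = (
    "SOURCETABLE 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "CAS;caster.example;2101;EXAMPLE;Example Org;0;US;37.00;-121.00;0.0.0.0;0;http://caster.example\r\n"
    "STR;BASE_RTCM3;Base;RTCM 3.2;1005(10),1077(1),1087(1);2;GPS+GLO;NET;US;37.00;-121.00;0;0;RTKBase;none;N;N;9600;\r\n"
    "STR;BASE_RAW;Base raw;UBX;RAWX;2;GPS+GLO;NET;US;37.00;-121.00;0;0;RTKBase;none;B;N;19200;\r\n"
    "ENDSOURCETABLE\r\n"
)


def audit(raw: str) -> dict:
    """Summarise a sourcetable: how many streams, and which need no credentials."""
    entries = parse_sourcetable(raw)
    return {"total": len(entries), "open": find_open_mountpoints(entries)}


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```

An open mountpoint leaks correction data, which is a minor problem on its own; the finding that matters is that the host answered at all from the internet, because the same appliance carries the RTKBase admin UI and a network position behind the perimeter. Any caster that responds from outside should be cross-checked against the list of sanctioned external endpoints before credentials are rotated.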
Immediate actions include rotation of all exposed credentials (the RTKBase admin password, every NTRIP mountpoint password, and any billing-side accounts reachable from that host), an offline forensic audit of the RTKBase host, and review of billing system access logs for sessions originating from GNSS or NTRIP address ranges. Continued monitoring for wiper deployment across the seven enumerated districts is warranted given Handala's established operational cadence.
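For the log review step, the question is whether any billing session came from the network where the GNSS appliances live, and whether it looks like a bulk pull. The detection below is an added example, not Cal Water's tooling: the access-log lines, IP addresses and paths are constructed, and the `GNSS_RANGES` list is an assumption standing in for an organisation's real RTKBase/NTRIP allocations.

```python
"""Flag billing-system access originating from GNSS/NTRIP address ranges.

Added example, not Cal Water's own tooling. SAMPLE_LOG, the IP addresses,
the paths and GNSS_RANGES are all constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: where the RTKBase/NTRIP hosts sit. A GNSS appliance has no business
# talking to billing, so any session from these ranges is anomalous by itself.
GNSS_RANGES = [ipaddress.ip_network("10.50.0.0/16"),
               ipaddress.ip_network("192.0.2.0/24")]

# Single responses larger than this are treated as bulk pulls (assumed threshold).
BULK_BYTES = 100 * 1024 * 1024

# Apache/nginx combined-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: a normal clerk session, then a host in the GNSS range
# failing a login, succeeding, and pulling a district-wide export.
SAMPLE_LOG = """\
10.20.1.15 - jsmith [15/Mar/2026:08:12:01 -0700] "GET /billing/account/10042 HTTP/1.1" 200 4120
10.50.3.7 - - [15/Mar/2026:02:13:44 -0700] "POST /billing/login HTTP/1.1" 401 212
10.50.3.7 - svc_billing [15/Mar/2026:02:13:59 -0700] "POST /billing/login HTTP/1.1" 302 0
10.50.3.7 - svc_billing [15/Mar/2026:02:14:10 -0700] "GET /billing/export?district=all HTTP/1.1" 200 5368709120
10.20.1.15 - jsmith [15/Mar/2026:08:15:22 -0700] "GET /billing/account/10043 HTTP/1.1" 200 4098
"""


def parse_line(line: str):
    """Return a dict for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def from_gnss_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GNSS_RANGES)


def review(log_text: str) -> dict:
    """Map each suspicious source IP to the sorted list of reasons it was flagged."""
    reasons = defaultdict(set)
    login_statuses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["ip"]
        if from_gnss_range(src):
            reasons[src].add("gnss_range_source")
        if rec["bytes"] >= BULK_BYTES:
            reasons[src].add("bulk_response")
        if rec["path"].endswith("/login"):
            login_statuses[src].append(rec["status"])
    # A failed login followed by a success from the same source suggests
    # credential guessing or reuse of a harvested password.
    for src, statuses in login_statuses.items():
        if 401 in statuses and any(s in (200, 302) for s in statuses):
            reasons[src].add("login_failure_then_success")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in review(SAMPLE_LOG).items():
        print(src, ", ".join(why))
```

Run against the real billing access logs, the GNSS-range rule alone should return nothing on a properly segmented network; any hit is a firewall or routing finding as well as an incident lead. The byte threshold and the login pattern are there so that the same pass also surfaces the export behaviour that a 5GB exfiltration would leave behind.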
CISA: Cal Water will issue breach notification to affected customers within 45 days.