Key Takeaways
- Dual-System Breach: Dataminr analysis of the published PoC indicates Handala accessed two separate Cal Water systems: a customer billing database containing PII for accounts across multiple districts, and an internal RTKBase NTRIP caster network used for precision GPS operations across field crews.
- Credentials Compromised: Administrative credentials for the RTKBase platform and at least one NTRIP source endpoint were included in the public dump and must be treated as fully compromised. Any system sharing these credentials or on the same network segment is at elevated risk.
- Multi-District Infrastructure Exposure: The NTRIP network serviced at least seven Cal Water operational districts — Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment — with associated IP infrastructure now enumerated in Handala’s public release.
- Consistent with Active Iranian Campaign: This incident follows Handala’s most significant U.S. operation to date (the March 2026 Stryker wiper attack) and aligns with a 2026 federal advisory specifically warning of Iran-linked targeting of U.S. water sector technologies.
Incident Overview
On June 11, 2026, Dataminr issued a Flash alert detecting a Handala claim of compromise against California Water Service (Cal Water), one of the largest investor-owned water utilities in the United States, serving approximately two million customers across 100 California communities. The group published a 5GB proof-of-concept package via its blog, consistent with its established hack-and-leak model.
Analysis of the published materials identifies Cal Water’s Chico District as a confirmed affected account, with transaction and account records indicating access to the customer billing database. A separate set of screenshots documents administrative access to Cal Water’s internal RTKBase deployment — an open-source NTRIP caster used by field crews to receive centimeter-accurate GPS corrections when mapping and maintaining water infrastructure across service territories. The RTKBase instance had been operational for approximately 783 continuous hours (roughly 33 days) at time of access, with GPS correction data streamed across all seven identified district mountpoints.
The billing system and RTKBase platform represent distinct infrastructure. The RTKBase network is assessed as a probable initial access vector or lateral pivot point that enabled the actor to reach the billing environment.
Dataminr Detection


Technical Details
- Billing System Access: Customer PII confirmed in the published dump includes names, service addresses, phone numbers, account numbers, and payment history. The scope of affected records across all districts has not been independently confirmed but the 5GB PoC volume is consistent with a bulk database export.
- RTKBase as Probable Entry Vector: RTKBase is a lightweight, open-source GNSS base station application typically deployed on low-overhead hardware (Raspberry Pi class). Its web-based administrative panel is frequently exposed on internal networks without hardened authentication. Cal Water’s deployment served the panel over plaintext HTTP on TCP port 10000 across district mountpoints, so any credentials entered into it traversed the network unencrypted.
- Credential Exposure: Administrative credentials for the RTKBase platform and a mountpoint-level NTRIP source password were published in plaintext in the PoC dump. Both should be treated as fully compromised and rotated immediately across any system where they may have been reused.
- Infrastructure Enumeration: The PoC fully enumerates the IP block supporting Cal Water’s NTRIP network across the seven district deployments. This infrastructure should be considered known to the adversary and potentially to any third party who has accessed the PoC.
- Handala Malware Capability: While OT/ICS disruption is not confirmed in this incident, Handala’s deployed toolkit includes custom wipers (win.handala, Handala Wiper, Hamsa Wiper) and MBR-overwriting capabilities. The group has demonstrated willingness to escalate from data theft to destructive operations within the same campaign cycle, as evidenced by the Stryker incident.
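The credential items above turn on how NTRIP v1 authenticates the two parties that talk to a caster such as RTKBase: a base station pushes corrections to a mountpoint with a SOURCE request that carries the mountpoint’s source password in cleartext on the request line, and a rover pulls corrections with an HTTP GET carrying Basic auth. The following is an added example, written for this page and not RTKBase’s own code or anything taken from the leaked material; it models both request types and the caster’s accept/reject logic as pure functions so it runs offline. The mountpoint name, usernames and password values are constructed placeholders.

```python
"""NTRIP v1 credential handling as a two-sided exchange (added example, not RTKBase code)."""
import base64
from hmac import compare_digest

CRLF = "\r\n"


def build_source_request(mountpoint, source_password, agent="NTRIP example/1.0"):
    """Base station -> caster. NTRIP v1 puts the mountpoint's source password in
    cleartext on the request line, so anyone holding it can publish under that mountpoint."""
    return f"SOURCE {source_password} /{mountpoint}{CRLF}Source-Agent: {agent}{CRLF}{CRLF}"


def build_client_request(mountpoint, username, password, agent="NTRIP example/1.0"):
    """Rover/client -> caster. Basic auth, which is only base64 over plaintext HTTP."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (f"GET /{mountpoint} HTTP/1.0{CRLF}User-Agent: {agent}{CRLF}"
            f"Authorization: Basic {token}{CRLF}{CRLF}")


def _parse(raw):
    """Split an NTRIP/HTTP-style request into its request line tokens and headers."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    request = lines[0].split()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return request, headers


class Caster:
    """Tiny model of a v1 caster's decision logic; it does not listen on the network."""

    def __init__(self, source_passwords, client_accounts):
        self.source_passwords = dict(source_passwords)  # mountpoint -> source password
        self.client_accounts = dict(client_accounts)    # username -> password

    def handle(self, raw):
        request, headers = _parse(raw)
        if len(request) == 3 and request[0] == "SOURCE":
            password, mount = request[1], request[2].lstrip("/")
            expected = self.source_passwords.get(mount)
            if expected is not None and compare_digest(expected.encode(), password.encode()):
                return "ICY 200 OK"
            return "ERROR - Bad Password"
        if len(request) == 3 and request[0] == "GET":
            mount = request[1].lstrip("/")
            if mount not in self.source_passwords:
                # v1 casters answer an unknown mountpoint with the sourcetable, no auth needed
                return "SOURCETABLE 200 OK"
            auth = headers.get("authorization", "")
            if auth.startswith("Basic "):
                try:
                    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                except (ValueError, UnicodeDecodeError):
                    return "HTTP/1.0 401 Unauthorized"
                stored = self.client_accounts.get(user)
                if stored is not None and compare_digest(stored.encode(), pw.encode()):
                    return "ICY 200 OK"
            return "HTTP/1.0 401 Unauthorized"
        return "HTTP/1.0 400 Bad Request"

    def rotate_source_password(self, mount, new_password):
        """Rotation is the only remediation for a leaked source password: the
        protocol has no session binding or per-device identity to revoke."""
        self.source_passwords[mount] = new_password


def demo():
    """Constructed scenario: a mountpoint source password appears in a leak.
    Shows what it unlocks before rotation and that rotation closes it."""
    leaked = "pw-from-leak"  # hypothetical value, not from the PoC
    caster = Caster({"CHICO": leaked}, {"rover01": "rover-secret"})
    before = caster.handle(build_source_request("CHICO", leaked))
    caster.rotate_source_password("CHICO", "new-random-password")
    after = caster.handle(build_source_request("CHICO", leaked))
    client_ok = caster.handle(build_client_request("CHICO", "rover01", "rover-secret"))
    client_bad = caster.handle(build_client_request("CHICO", "rover01", "wrong"))
    return before, after, client_ok, client_bad


if __name__ == "__main__":
    for label, resp in zip(("leaked pw, before rotation", "leaked pw, after rotation",
                            "rover, good creds", "rover, bad creds"), demo()):
        print(f"{label:28s} -> {resp}")
```

Two points fall out of the model: the sourcetable is served to anyone who asks, which is why the district mountpoint list in the PoC needed no authentication to enumerate, and a leaked source password is a bearer secret for that mountpoint with nothing to revoke except the password itself.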
Threat Actor & Motivation
Handala is assessed with high confidence as a MOIS-affiliated front operating within the Banished Kitten cyber ecosystem, also tracked as Void Manticore by Check Point Research and as Storm-0842 by Microsoft. The group has been operationally active since December 2023, with a significant escalation in U.S.-targeted activity following the onset of U.S.-Iran military engagement in February 2026.
Water infrastructure targeting is consistent with Handala’s stated doctrine of attacking “life-sustaining” systems for maximum psychological and societal impact. The dual-system breach pattern — accessing both an operational support network and a customer-facing database — reflects the group’s preference for high-visibility, multi-domain impact over quiet persistence. Analysts should note that Handala has no confirmed history of tampering with water treatment processes or chemical dosing systems in any previous operation; impact to date has been data exfiltration, wiper deployment, and psychological operations.
Immediate Actions & Recommendations
- Rotate All Exposed Credentials Immediately: Any credentials present in the published PoC dump must be treated as fully compromised. This includes the RTKBase administrative account, all NTRIP mountpoint source passwords, and any system where credential reuse may exist. Do not attempt to change only the affected accounts — conduct a full audit.
- Verify RTKBase Exposure and Take Instances Offline If Exposed: Any Cal Water or peer utility running RTKBase or similar NTRIP caster software should immediately verify that the administrative panel is not internet-exposed and is protected by network-layer controls (firewall policy, VPN or allow-listed management networks), not only application-layer credentials. If exposure is confirmed, take the instance offline pending investigation.
- Network Segmentation Review: The assessed RTKBase-to-billing pivot would indicate inadequate segmentation between operational support tools and customer data environments. Utilities should verify that GPS/survey infrastructure networks cannot route to billing or customer information systems without explicit firewall policy.
- Audit Billing System Access Logs: Review authentication and API logs on the customer billing platform for the period since the RTKBase instance was last restarted (roughly 33 days before the actor’s access, based on the 783-hour uptime shown in the PoC) through the present, looking for anomalous sessions, sessions originating from the GPS/survey segment, and bulk export activity.
- OT/ICS Protective Posture: While no SCADA or treatment process disruption is confirmed, utilities should verify isolation between IT and OT environments. Treat the current period as a heightened threat window given Handala’s demonstrated willingness to escalate to destructive operations.
- Notify Regulators and Customers: Cal Water should assess notification obligations under California’s data breach law (Civil Code § 1798.82) given confirmed customer PII exposure. Affected customers face elevated risk of spear-phishing using exfiltrated account and contact data.
- Report to CISA and WaterISAC: Utilities with any indication of unauthorized access should notify CISA (1-888-282-0870) and WaterISAC. CISA’s 2026 advisory on Iranian targeting of water sector technologies makes this a reportable event of national significance.
- Monitor for Follow-On Operations: Handala’s operational pattern frequently involves an initial claim followed by escalated action. Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly.
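The segmentation and log-audit recommendations above are easiest to act on as one triage pass over the billing platform’s access logs: bound the review window by the RTKBase uptime, then flag sessions that originate from the survey/RTK segment or that pull bulk record counts through export endpoints. The script below is an added example written for this page, not Cal Water’s or Dataminr’s tooling. The log format, the 10.50.0.0/16 survey network, the export paths and the row threshold are all hypothetical assumptions, and the log lines are constructed.

```python
"""Billing-platform log triage for the RTKBase pivot window (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical environment facts (not from the advisory): survey/RTK crews sit in
# 10.50.0.0/16, bulk pulls go through these paths, and a "bulk" export is >= 10k rows.
SURVEY_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
EXPORT_PATHS = ("/api/accounts/export", "/api/reports/bulk")
BULK_ROW_THRESHOLD = 10_000
RTKBASE_UPTIME_HOURS = 783          # from the PoC screenshot
DETECTION_TIME = datetime(2026, 6, 11)  # date of the Dataminr Flash alert

# Constructed sample lines, one session/API call per line:
# <ISO timestamp> user=<login> src=<ip> method=<M> path=<p> status=<s> rows=<n>
SAMPLE_LOG = """\
2026-05-02T08:15:02Z user=csr.jlopez src=10.20.3.41 method=GET path=/api/accounts/10492 status=200 rows=1
2026-05-20T02:47:19Z user=svc_report src=10.50.12.7 method=POST path=/api/accounts/export status=200 rows=412880
2026-06-01T13:10:44Z user=csr.jlopez src=10.20.3.41 method=GET path=/api/accounts/22811 status=200 rows=1
2026-06-03T03:02:51Z user=admin src=10.50.12.9 method=GET path=/api/accounts/77 status=200 rows=1
2026-06-09T11:00:00Z user=svc_report src=10.20.9.5 method=POST path=/api/reports/bulk status=200 rows=2500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+) rows=(?P<rows>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["src"] = ipaddress.ip_address(e["src"])
    e["status"] = int(e["status"])
    e["rows"] = int(e["rows"])
    return e


def pivot_window(detection_time, uptime_hours=RTKBASE_UPTIME_HOURS):
    """Review window: from the RTKBase instance's last boot (uptime counted back
    from detection, a conservative bound since access may predate detection) to detection."""
    return detection_time - timedelta(hours=uptime_hours), detection_time


def triage(log_text, detection_time):
    """Flag in-window events that came from the survey segment or pulled bulk records."""
    start, end = pivot_window(detection_time)
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not (start <= e["ts"] <= end):
            continue
        reasons = []
        if any(e["src"] in net for net in SURVEY_NETWORKS):
            reasons.append("source in survey/RTK segment")
        if e["path"].startswith(EXPORT_PATHS) and e["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk export of {e['rows']} rows")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], str(e["src"]), reasons))
    return findings


def demo():
    """Run the triage over the constructed log with the page's detection date."""
    return triage(SAMPLE_LOG, DETECTION_TIME)


if __name__ == "__main__":
    start, end = pivot_window(DETECTION_TIME)
    print(f"review window: {start.isoformat()} .. {end.isoformat()}")
    for ts, user, src, reasons in demo():
        print(f"{ts} {user:12s} {src:14s} {'; '.join(reasons)}")
```

On the constructed data the May 2 entry falls before the window and is ignored, the May 20 export from a survey-segment address is flagged on both rules, and the June 3 login from 10.50.12.9 is flagged on the segmentation rule alone; the 2,500-row report on June 9 stays under the threshold. The survey-segment rule is the direct test of the segmentation recommendation: any hit means a route from GPS/survey infrastructure into the billing environment exists and should be closed regardless of whether the session was hostile.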