When Water Becomes a Weapon: The Cal Water Hack, Handala, and the Global OT Security Gap the World Has Ignored
An Iranian cyber group just breached one of America's largest water utilities — and the most alarming part isn't what they took. It's what they chose not to do.
The Attack: What We Know
On June 11, 2026, the Iran-linked threat group Handala posted a claim on its blog that it had compromised California Water Service — known as Cal Water — and published a 5GB proof-of-concept data dump to back it up.
Cal Water is no small target. It is one of the largest investor-owned water utilities in the United States, serving approximately two million customers across 100 California communities.
Threat intelligence firm Dataminr's forensic analysis of the leaked data paints a precise picture of how the breach unfolded. The attackers likely gained initial access through Cal Water's RTKBase instance — a GNSS base station platform used to manage GPS correction data across the utility's district mountpoints. From there, they moved laterally into a customer billing system.
Cal Water's Chico District has been confirmed as a compromised account, with transaction and account records indicating access to the customer billing database. The RTKBase instance had been operational for approximately 783 continuous hours at the time of access, with GPS correction data streamed across all seven identified district mountpoints.
The data dump was damaging on multiple levels. Beyond the billing database — containing customer names, addresses, phone numbers, account numbers, and payment histories — Handala also published administrative credentials for the RTKBase platform and an NTRIP source password, and performed enumeration of IP addresses across seven of Cal Water's districts. In other words: they mapped the network, walked out with customer data, and left the keys to the infrastructure hanging in the door.
The Psychological Play: "We Could Have, But We Didn't"
As part of its psychological warfare, Handala claimed it was capable of disrupting US water supplies, but opted not to go that route.
This statement deserves to be read carefully. It is not a reassurance — it is a threat dressed up as restraint. Handala is telling the US government, and the American public, that the capability to cut off water to millions of Californians existed and was deliberately withheld. That message, amplified through social media and news coverage, is itself the attack. The data theft is the proof of concept; the restraint is the psychological lever.
The incident marks an escalation in the pattern of cyber operations tied to the broader US-Iran conflict, which began in earnest following the end of direct fighting between Israel and Iran in June 2025, with Handala's activity illustrating how Tehran uses cyberattacks to replace or supplement military capabilities.
Who Is Handala? The Anatomy of Iran's Most Aggressive Cyber Proxy
Handala presents itself publicly as a pro-Palestinian hacktivist collective. Security researchers see something more deliberate and state-directed.
Handala appears as a pro-Palestinian hacktivist group but is widely seen as a front for Iran-backed Void Manticore — known for phishing, data theft, extortion, and destructive wiper attacks, and linked to Iran's Ministry of Intelligence and Security. The group has been active since at least December 2023 and escalated US-targeted operations significantly following the onset of US-Iran military engagement in February 2026.
The group's recent operational history is alarming in its scope and ambition:
The group most recently claimed responsibility for a March 2026 attack on medical device maker Stryker, which it said triggered simultaneous factory resets on over 200,000 corporate devices across 79 countries.
Since the US-Israeli attacks, the group has also claimed attacks against Israel Opportunity Energy — a major oil and gas company — and fuel systems in Jordan. On the same day, Handala claimed to have compromised Saudi Aramco, alleging it destroyed infrastructure and disrupted oil processing capabilities.
During late February and early March 2026, researchers observed Handala traffic originating from Starlink satellite IP ranges, indicating the group has maintained tactical autonomy and command-and-control capabilities even during Iran's domestic internet blackout.
Perhaps most troubling is its trajectory. Between 2022 and 2025, Void Manticore personas frequently conducted hack-and-leak operations and wiper attacks, amplifying impact by publicly leaking information from targeted organizations. The Cal Water breach fits this pattern exactly — public exposure of PII and credentials maximizes reputational and operational damage while preserving the option for a destructive follow-on.
Dataminr's assessment is unambiguous: "Handala's operational pattern frequently involves an initial claim followed by escalated action. Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly."
The OT Security Problem: RTKBase as a Gateway
The technical entry point in this breach deserves particular attention. RTKBase is not an IT system — it is an operational technology platform managing GPS correction data for field infrastructure. Its compromise illustrates a critical and persistent vulnerability in how utilities connect their operational networks to the internet.
Water utilities, like most critical infrastructure operators, have historically relied on air-gap assumptions — the belief that physical isolation of operational systems from internet-connected networks provides inherent security. That assumption has been eroding for years as utilities digitize operations, integrate cloud platforms, and deploy internet-connected sensors and monitoring tools for efficiency and remote management.
Many of the risks that utilities face stem from the continued use of legacy systems installed many years ago — systems that often have minimal, if any, cybersecurity features, presenting a significant digital attack surface. Those responsible for security frequently overlook the operational constraints in critical infrastructure, understanding cybersecurity only in terms of IT rather than OT.
The RTKBase-to-billing lateral movement in the Cal Water breach is a textbook example of what happens when OT and IT systems converge without proper network segmentation. An attacker gains a foothold in a GPS correction platform — not an obvious target — and uses it as a bridge into customer-facing databases, and potentially further into operational control systems.
IEC 62443: The Standard That Should Have Prevented This — And Why It Didn't
Here is where the regulatory dimension becomes critical — and uncomfortable.
IEC 62443 (also known as ISA/IEC 62443) is the internationally recognized gold standard for securing Industrial Automation and Control Systems (IACS) and Operational Technology environments. The standard reduces risk, improves resilience, and strengthens industrial security posture across sectors including energy, manufacturing, transport, healthcare, and water utilities. It applies to hardware, software, processes, preventive measures, and employees, providing requirements to reduce cyber risk across the entire system lifecycle.
IEC 62443 uses Security Level grades ranging from 0 to 4 to evaluate cybersecurity risks to each OT and ICS system, providing asset owners with the ability to understand their assets, identify potential security loopholes, and address those gaps before an adversary identifies and breaches them.
Had Cal Water's RTKBase been properly segmented under IEC 62443's zones and conduits model — which requires strict boundaries between different operational systems, with controlled communication channels between them — lateral movement from a GPS platform to a billing database would have been architecturally prevented, not just detected.
Had IEC 62443-2-1's security program requirements been in place — covering credential management, access controls, and continuous monitoring — the 783 continuous hours of unmonitored RTKBase operation that preceded this breach would have triggered an alert long before Handala arrived.
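The two preceding paragraphs, and the earlier description of the RTKBase-to-billing lateral movement, come down to one mechanical question a utility's security team can actually ask of its network: does every observed cross-zone flow match a defined conduit? The script below is an added example written for this article; it is not Cal Water's, Dataminr's, or any vendor's code. The zone names, address ranges, target security levels (SL-T), permitted conduits, and the flow records it audits are all constructed assumptions chosen to mirror the breach narrative (a GNSS/RTKBase zone, a billing zone, a DMZ, and the internet); only the NTRIP default port 2101 is a real protocol value.

```python
"""Zones-and-conduits policy audit over constructed flow records.

Added example for this article (not Cal Water's or Dataminr's code).
Zone layout, address ranges, SL-T values, conduits and the sample flow
lines below are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Zone name -> (address range, IEC 62443 target security level 0-4).
# Ranges and SL-T values are assumptions, not a real utility's layout.
ZONES = {
    "internet":   (ip_network("0.0.0.0/0"),    0),
    "dmz":        (ip_network("10.30.0.0/24"), 3),  # hardened relay zone (assumed)
    "gnss_ot":    (ip_network("10.10.0.0/24"), 2),  # RTKBase / NTRIP base station (assumed placement)
    "billing_it": (ip_network("10.20.0.0/24"), 2),  # customer billing database (assumed placement)
}

# Conduits: the only permitted cross-zone flows, as (src zone, dst zone, dst port).
# Anything crossing a zone boundary that is not listed here is a violation.
CONDUITS = {
    ("internet", "dmz", 2101),      # NTRIP clients reach a caster in the DMZ (assumed design)
    ("dmz", "gnss_ot", 2101),       # the DMZ caster pulls corrections from the base station
    ("billing_it", "dmz", 443),     # billing reaches an outbound proxy in the DMZ
}

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str

def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (0.0.0.0/0 catches the rest)."""
    addr = ip_address(ip)
    best = None
    for name, (net, _sl) in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best][0].prefixlen):
            best = name
    return best

def parse_flow(line: str) -> Flow:
    """Parse a constructed record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)

def check_flow(flow: Flow) -> Optional[dict]:
    """Return a finding for a cross-zone flow with no matching conduit, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:                       # intra-zone traffic is the zone's business
        return None
    if (src_zone, dst_zone, flow.dport) in CONDUITS:
        return None
    if src_zone == "internet":
        kind = "direct_exposure"                   # an OT/IT host reachable from outside
    elif src_zone.endswith("_ot") and not dst_zone.endswith("_ot"):
        kind = "ot_to_it_lateral_movement"         # the Cal Water-style pivot
    else:
        kind = "unapproved_cross_zone_flow"
    return {
        "ts": flow.ts, "kind": kind,
        "src": flow.src, "src_zone": src_zone, "src_sl_t": ZONES[src_zone][1],
        "dst": flow.dst, "dst_zone": dst_zone, "dst_sl_t": ZONES[dst_zone][1],
        "dport": flow.dport, "proto": flow.proto,
    }

def audit(lines: List[str]) -> List[dict]:
    """Audit a batch of flow records and return every finding, in input order."""
    findings = []
    for line in lines:
        if line.strip():
            f = check_flow(parse_flow(line))
            if f:
                findings.append(f)
    return findings

# Constructed sample records (not real Cal Water traffic).
SAMPLE_FLOWS = [
    "2026-06-11T02:01:10Z 198.51.100.23 10.30.0.5 2101 TCP",   # internet -> DMZ caster: allowed
    "2026-06-11T02:01:11Z 10.30.0.5 10.10.0.7 2101 TCP",       # DMZ -> base station: allowed
    "2026-06-11T02:05:42Z 10.10.0.7 10.20.0.15 1433 TCP",      # base station -> billing DB: violation
    "2026-06-11T02:06:03Z 198.51.100.23 10.10.0.7 80 TCP",     # internet -> base station web UI: violation
    "2026-06-11T02:10:00Z 10.20.0.15 10.20.0.16 5432 TCP",     # billing -> billing: intra-zone, allowed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"{finding['ts']} {finding['kind']}: {finding['src']} ({finding['src_zone']}, SL-T {finding['src_sl_t']})"
              f" -> {finding['dst']} ({finding['dst_zone']}, SL-T {finding['dst_sl_t']}) port {finding['dport']}")
```

Run against real flow or firewall logs, the audit produces exactly two findings on the sample above: the base station reaching the billing database, and an internet address reaching the base station's web interface. The point of the design is that the conduit table is the segmentation policy in a form that can be checked continuously, which is the monitoring half of a 62443-2-1 program; a flow that crosses a zone boundary without a conduit is an alert regardless of whether the credentials used were valid, so the same check would have fired on the first hop of the lateral movement described above.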
The problem is enforcement and adoption gaps, not the standard itself. IEC 62443 is voluntary in most jurisdictions, including the United States for water utilities. Many smaller and mid-sized utilities lack the in-house OT security expertise — or the budget — to implement it meaningfully.
The Asymmetric Paradox: Iran, China, and Russia Use the Standard Too
Here is the uncomfortable geopolitical dimension that rarely gets discussed openly.
IEC 62443 is an international standard — and it is used in Iran, China, and Russia, the three nation-states most actively engaged in offensive cyber operations against Western critical infrastructure.
This creates a profound asymmetry. State-sponsored threat actors from these countries are trained in, and operate against, the same OT frameworks their adversaries use for defense. They know exactly what Security Level 2 looks like. They know what a properly segmented IACS zone architecture looks like. And they know how to find the gaps between the standard as written and the standard as implemented — gaps that are wide in the water sector, where budgets are limited and legacy equipment is pervasive.
State-sponsored actors from Russia, China, and Iran have been identified as major threats, each with distinct motivations and tactics. China's Volt Typhoon, for example, specializes in "living-off-the-land" techniques — using legitimate, built-in system tools to evade detection and maintain long-term persistence, with the apparent goal of pre-positioning within US critical infrastructure for potential future disruptive attacks.
The IEC 62443 standard was designed as a defensive framework — but when adversaries have equal or greater familiarity with it than defenders, the standard alone cannot close the gap. What it can do — and what its absence makes impossible — is establish a consistent baseline that at least eliminates the most basic attack vectors.
The critical insight is this: Iran does not need to comply with IEC 62443 domestically in order to exploit gaps in how Western utilities implement it. They simply need to understand the framework well enough to know where compliant utilities are still vulnerable, and where non-compliant ones are wide open. Cal Water appears to have been the latter.
The Regulatory Gap: Water Is the Weakest Link
Among US critical infrastructure sectors, water utilities have the most limited and least enforced cybersecurity regulatory regime. The EPA has attempted to require cybersecurity assessments for water systems, but those efforts have faced legal challenges. AWIA (America's Water Infrastructure Act) requires risk and resilience assessments, but does not mandate specific technical controls.
Compare this to the energy sector, where NERC CIP standards impose mandatory, enforceable cybersecurity requirements on bulk electric system operators — including OT-specific controls that overlap significantly with IEC 62443. Or financial services, where banking regulators have long required detailed incident response and access control programs.
Water sits in a regulatory gap: critical enough to be on every threat actor's target list, not regulated tightly enough to force the baseline investments that would make attacks like the Cal Water breach significantly harder to execute.
The pending CIRCIA rules would add a mandatory reporting layer — but reporting an attack after it happens is not the same as preventing it.
What Must Happen Now
The Cal Water breach is not an isolated incident. This incident follows Handala's most significant operation to date — the March 2026 wiper attack on Stryker — and aligns with federal government warnings since April that Iran intends to target critical infrastructure in the United States, including water supplies, in retaliation for US airstrikes.
Immediate actions for Cal Water and all similarly exposed utilities:
All credentials exposed in the dump — including RTKBase administrative credentials and NTRIP source passwords — must be treated as fully compromised and rotated immediately. The RTKBase instance should be taken offline and audited. Network segmentation between OT platforms and billing or IT systems must be reviewed and enforced now, not as part of a future upgrade cycle.
Structural reforms the sector cannot defer:
Mandatory adoption of IEC 62443 security levels for internet-exposed OT systems in water utilities — modeled on what NERC CIP has achieved in the energy sector — is no longer a best-practice recommendation. It is a national security necessity. The GAO has already called out CISA's lack of OT skills; the water sector is even further behind.
The zones-and-conduits architecture at the heart of IEC 62443 must become the minimum standard for any water utility operating internet-connected OT systems. A GPS correction platform and a customer billing database should never share a network path that allows lateral movement — this is not a sophisticated security control, it is table stakes.
Finally, the intelligence community and CISA must bridge the gap between classified threat reporting and the operational guidance that utility security teams can actually act on. Iran's cyber proxy ecosystem is operating at "wartime tempo." More than three months in, this incident shows the tempo holding. Utilities cannot be left to discover that reality from a Handala blog post.
The Bottom Line
Handala hacked Cal Water, grabbed five gigabytes of sensitive data, mapped the infrastructure across seven districts, harvested administrative credentials — and then told the world it could have turned off the taps but decided not to.
That restraint is temporary. The capability is real. And the security posture of America's water utilities — operating largely outside the mandatory OT security frameworks that exist precisely for situations like this — means the next group that finds the same door may not choose to leave it open.
The standard to close that door exists. It is called IEC 62443. The gap is not technical. It is political, financial, and regulatory. And every day it remains open is an invitation that adversaries far more dangerous than Handala are already studying.