Cal Water: Iranian Hackers Hit Billing, But OT Systems Stayed Safe
Mandiant's investigation finds Handala breached Cal Water's billing system but never reached operational technology. The Iran-linked group claimed they chose not to disrupt water access.
California Water Service (Cal Water) has concluded its investigation into the June 12 cyberattack claimed by Iranian hacker group Handala, finding no evidence that attackers reached operational technology systems. The breach appears limited to a customer billing platform and an internal application—a significant incident, but far short of the water supply disruption the threat actors boasted about.
Mandiant conducted the forensic investigation on behalf of the utility.
What Actually Happened
Handala publicly claimed responsibility for breaching Cal Water's systems in Bakersfield, Visalia, and Chico on June 12, 2026. The group published 5 gigabytes of allegedly stolen data and screenshots purporting to show customer water bills.
According to threat intelligence from Dataminr, the attackers likely gained initial access through Cal Water's RTKBase instance—a GNSS base station platform used for surveying and positioning. From there, they moved laterally to reach a billing system.
The key finding from Mandiant's investigation: no evidence of activity in Cal Water's operational technology environment. The systems that actually control water treatment, distribution, and quality monitoring remained uncompromised.
Handala's Stated Motivation
The group's public statements tied the attack directly to U.S. military action. On June 10, 2026, U.S. strikes damaged two water reservoirs in the Iranian port town of Sirik. Two days later, Handala claimed to have penetrated California water systems in retaliation.
In their announcement, the group stated they had the capability to disrupt water access but "chose not to." That claim remains unverified—and the investigation results suggest it may have been bluster. Having access to billing data is meaningfully different from controlling treatment plant operations.
The IT/OT Boundary Held
This incident illustrates why water utilities and other critical infrastructure operators invest in segmenting information technology from operational technology networks. Cal Water's architecture apparently prevented lateral movement from the compromised billing system into systems that control physical processes.
That segmentation doesn't happen by accident. It requires deliberate network design, access controls, and ongoing monitoring. The CISA advisory on Iranian PLC attacks earlier this year highlighted how threat actors specifically target the boundary between IT and OT environments.
Organizations in the water sector should treat this outcome as validation that proper segmentation works—not as evidence that the threat isn't serious. Handala and related Iranian cyber operations continue to probe critical infrastructure looking for exactly this kind of access.
What Data Was Exposed
While operational systems stayed secure, customer data did not. The 5 gigabytes Handala published reportedly includes:
- Customer billing records
- Personal information from billing accounts
- Internal application data
Cal Water serves approximately 2 million people across California. The scope of affected customers hasn't been publicly disclosed, but billing systems typically contain names, addresses, account numbers, and payment history.
Affected customers should watch for:
- Targeted phishing using their utility account details
- Identity theft attempts leveraging leaked personal information
- Callback scams impersonating Cal Water customer service
Broader Implications
This attack fits a pattern. Iranian-affiliated threat actors have shown sustained interest in U.S. water infrastructure:
- The CyberAv3ngers campaign targeted Unitronics PLCs at water facilities in late 2025
- CISA joint advisories have warned about Rockwell Automation PLCs being targeted in water and wastewater systems
- The Handala group previously claimed attacks against Israeli water infrastructure
The geopolitical context matters. Cyber operations against utilities are becoming a predictable response to kinetic military actions. Organizations in critical infrastructure sectors should treat escalating international tensions as a threat intelligence input—when physical conflict increases, cyber targeting of civilian infrastructure often follows.
Recommendations for Water Utilities
Verify network segmentation: Document and test the boundaries between IT and OT networks. Penetration testing should specifically attempt lateral movement from internet-facing systems to operational technology.
Audit remote access: RTKBase and similar field equipment platforms may have network connectivity that operators don't fully account for. Inventory all paths into your network.
Prepare customer notification processes: Even if operational systems stay secure, customer data breaches require notification under California and other state laws. Having templates and procedures ready accelerates response.
Monitor for leaked credentials: The 5 gigabytes Handala published likely includes employee credentials. Those should be rotated immediately if they haven't been already.
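As an added example (not code from the article, Cal Water, or Mandiant), the following Python script audits a constructed firewall policy against the segmentation and remote-access recommendations above: it reports internet-exposed services for inventory review, any rule that lets a non-OT zone initiate connections into the OT zone, and any outbound flow from OT that is not on an explicit allowlist. The zone names, ports and rule set are assumptions chosen to mirror the field-equipment-to-billing path the article describes.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str  # "allow" or "deny"

# Zones that must never initiate connections into OT (assumed zone names).
UNTRUSTED_TOWARD_OT = {"internet", "field-equipment", "it-corp", "billing"}

# Flows deliberately permitted out of OT (assumed): historian pushes to IT only.
ALLOWLIST: Set[Tuple[str, str, int]] = {("ot", "it-corp", 443)}

def audit(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) pairs for allow rules that weaken the IT/OT boundary."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen exposure
        if r.src_zone == "internet":
            findings.append((r, f"internet-exposed service in {r.dst_zone}; confirm it is inventoried"))
        elif r.dst_zone == "ot" and r.src_zone in UNTRUSTED_TOWARD_OT:
            findings.append((r, f"{r.src_zone} may initiate into OT on port {r.dst_port}"))
        elif r.src_zone == "ot" and r.dst_zone != "ot" \
                and (r.src_zone, r.dst_zone, r.dst_port) not in ALLOWLIST:
            findings.append((r, "unlisted outbound flow from OT"))
    return findings

# Constructed sample policy mirroring the path described in the article
# (field equipment -> billing) plus a hypothetical rule from billing into OT.
SAMPLE_RULES = [
    Rule("internet", "field-equipment", 2101, "allow"),  # RTK correction stream (assumed port)
    Rule("field-equipment", "billing", 443, "allow"),
    Rule("billing", "ot", 44818, "allow"),   # EtherNet/IP into OT: must not exist
    Rule("ot", "it-corp", 443, "allow"),     # historian push, allowlisted
    Rule("ot", "internet", 443, "allow"),    # OT egress to the internet: flagged
    Rule("it-corp", "ot", 3389, "deny"),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src_zone} -> {rule.dst_zone}:{rule.dst_port}  {reason}")
```

Running it against the sample policy yields three findings: the internet-facing field-equipment service to inventory, the billing-to-OT rule, and the unlisted OT egress.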
The Cal Water incident ended better than it might have, but it serves as a reminder that U.S. critical infrastructure remains in the crosshairs of nation-state actors who view civilian utilities as legitimate targets in broader geopolitical conflicts.