A deep dive into the Cal Water cyber attack

Prayukth K V

A few days ago, the Iran-linked threat group Handala (also tracked as Void Manticore, Storm-0842, or Banished Kitten) claimed to have compromised California Water Service (Cal Water), one of the largest investor-owned water utilities in the United States. Handala exfiltrated and leaked approximately 5 gigabytes of data and framed the operation as a successful attack on critical infrastructure with implied, yet withheld, operational disruption capabilities.

Initial threat intelligence telemetry put together by Shieldworkz indicates that while Handala successfully compromised business-layer databases and an exposed internal application, no Operational Technology (OT) or Supervisory Control and Data Acquisition (SCADA) systems were breached in the incident. Instead, the threat actor exploited an internet-facing Global Navigation Satellite System (GNSS) correction server platform, RTKBase, and moved laterally to reach a customer billing database.

This incident highlights a dangerous trend in modern state-sponsored cyber operations: the execution of an opportunistic IT compromise that is subsequently masked as an OT crisis. By exploiting niche, poorly segmented business applications that interface with geographic data, threat actors can stage high-impact Psychological Operations (PsyOps) to amplify public fear, even when the core water treatment and distribution processes remain entirely uncompromised. This is a playbook tactic that nearly every state-backed threat actor is using today.

Handala, however, went further and claimed that it could have done more damage with the level of access it had, but chose not to. This claim could not be verified, but the fact that Handala could execute this breach at all is a worrying factor.


The incident

To understand the boundaries of this breach, we need to isolate the adversary's public narrative from verified telemetry.

Timeline of the incident (June 2026)


  • The threat actor's claim: Handala published a post on its dark web blog and Telegram channel claiming a successful intrusion into Cal Water. As before, the group framed the attack as political retaliation for U.S. actions in Iran. Handala also explicitly boasted that they possessed the capability to shut down or disrupt water access across the utility’s footprint but “deliberately chose not to execute the destructive payload”.

  • The data release: The group released a 5GB compressed data packet. Forensic analysis of the dump reveals a bulk database export containing:

    • Customer Personally Identifiable Information (PII): Names, service addresses, phone numbers, account numbers, and past payment records.

    • Application-specific credentials: Cleartext administrative credentials for an internal RTKBase platform instance.

  • Network mapping data: A mountpoint-level Networked Transport of RTCM via Internet Protocol (NTRIP) source password and an enumerated list of internal IP addresses associated with the utility's NTRIP network spanning as many as seven geographic districts.

  • Systems impacted: Telemetry data confirms that the compromised infrastructure belonged specifically to Cal Water's Chico District. The actor successfully accessed a database hosting customer billing profiles and a separate application server running RTKBase that had been operational for nearly 783 continuous hours at the time of compromise.

  • Public utility and government response: Cal Water did not immediately release any formal public acknowledgement of the intrusion, matching standard incident response containment protocols during active triage. Government bodies, including CISA and the EPA, actively monitored the leak for signs of downstream SCADA targeting.

Was this really an OT attack?

The answer is no, in the sense that no SCADA systems were impacted in the original breach. The Cal Water incident was essentially an enterprise-level IT and localized business application compromise. It was not an operational cyberattack on Industrial Control Systems (ICS). There is, however, a caveat: if what Handala claims is true, SCADA could have been on the radar for extended targeting.

A critical weakness in mainstream media coverage of utility cyber incidents is the frequent conflation of any infrastructure-adjacent compromise with an operational breach. To clear this up, consider the structural separation between billing environments, auxiliary mapping applications, and actual physical process control.

Distinguishing customer data from SCADA

Access to the customer billing networks or business-line mapping software does not automatically grant an adversary the ability to manipulate Programmable Logic Controllers (PLCs), alter chemical dosing pumps, or control distribution valves. Billing databases lie entirely within the enterprise architecture hosted in corporate clouds or commercial data centers. Conversely, SCADA environments govern physical real-time processes, utilizing industrial protocols (such as Modbus/TCP, DNP3, EtherNet/IP) that do not natively interact with enterprise web applications.

The architectural divide and Handala's position

The diagram below maps standard utility architecture against Handala's verified operational boundaries during this campaign:


Handala operated exclusively within Levels 3 and 4 of this architecture. They exploited an internet-exposed instance of RTKBase located on the corporate/field-operations boundary, harvested associated credentials, and pivoted into the localized billing infrastructure. Because strict network boundaries or firewalls isolated the Level 2/1 OT environments, the actors could not cross the corporate-to-OT boundary.

Probable Root Cause Analysis

Based on the indicators and historical utility intrusion vectors, we have evaluated the most likely root causes for Handala’s entry and lateral movement.

Intrusion vector evaluation

| Potential root cause | Supporting evidence | Contradicting evidence | Probability rating |
|---|---|---|---|
| Publicly exposed RTKBase platform | The leaked data contains active, unencrypted administrative credentials for the RTKBase platform and configuration states showing nearly 783 hours of uptime directly visible to the internet. | None. This platform was explicitly dumped as a primary trophy. | High |
| Credential abuse / weak remote access | Leaked datasets contained cleartext configuration passwords and administrative credentials, a hallmark of poor credential hygiene and extensive brute-force vulnerability. | Multi-factor authentication logs for critical core systems were not referenced or leaked. | High |
| Poor network segmentation | The threat actor successfully moved between the RTKBase application environment and the distinct enterprise customer billing database. | The actor failed to pivot from these systems down into the SCADA or PLC subnets, suggesting that some level of edge segmentation was functional. | Medium |
| VPN exploitation | Handala frequently targets edge-device vulnerabilities (such as unpatched VPN concentrators or firewalls) to establish an initial foothold. | Direct evidence of a compromised VPN appliance profile was absent in the initial Cal Water leak notes. | Medium |
| Third-party / supply chain compromise | RTKBase is an open-source tool often set up by field contractors or GIS vendors, making vendor credential leakage a possibility. | Telemetry points directly to a utility-owned district instance rather than a central vendor portal. | Low |

Technical deep dive into RTKBase

The most distinctive technical element of this incident was the compromise of an RTKBase server. Understanding this platform explains why the actor targeted it and what the actual operational consequences are.

What is RTKBase and NTRIP?

RTKBase is an open-source platform used to manage a Real-Time Kinematic (RTK) Global Navigation Satellite System (GNSS) base station.


Utilities rely heavily on RTK systems for high-precision asset mapping. Field crews use handheld GPS rovers connected via NTRIP (Networked Transport of RTCM via Internet Protocol) to stream correction data from the RTKBase station. This enables the field teams to locate buried valves, water mains, service connections, and electrical lines with centimeter-level accuracy rather than standard multi-meter errors.

Why exposure management failed

The incident demonstrates a recurring challenge across critical infrastructure organizations: operational support systems often fall outside traditional vulnerability management and asset inventory programs.

Many organizations maintain mature security controls for:

  • Active Directory

  • Email systems

  • VPN infrastructure

Yet have limited visibility into:

  • RTKBase deployments

  • GIS applications

  • Engineering support servers

  • Field telemetry platforms

  • Contractor-managed operational applications

Operational risks of RTKBase compromise

The administrative credentials and NTRIP source passwords for seven districts were leaked. The risks associated with this access are specific but non-disruptive to water quality:

  • Mapping delays and field confusion: If an attacker modifies or shuts down the RTKBase streams, field crews lose high-precision positioning. They cannot accurately map new assets or rapidly locate buried infrastructure during an emergency (such as a water main break).

  • GPS spoofing / correction manipulation: An advanced adversary could theoretically manipulate the correction coefficients streamed over NTRIP. This would inject subtle location errors into the field rovers, leading to utility workers logging inaccurate coordinates for critical physical assets in the GIS database.

  • Disruption: Could this directly halt water delivery or manipulate water treatment? No. RTKBase is an informational, auxiliary tool for field telemetry and surveying. It has no control loops, zero connection to water treatment logic, and no path to physical actuators.

Understanding Handala

Handala is a sophisticated, state-aligned threat persona operated by the Iranian Ministry of Intelligence and Security (MOIS). You can access Shieldworkz research on Handala here, here and here.

Threat actor profile

  • Strategic objectives: Handala serves primarily as a cyber-warfare and psychological operations front. Its mission is to degrade public trust in critical infrastructure, retaliate against Western or Israeli geopolitical actions, and create media amplification around perceived structural vulnerabilities.

  • Historical campaigns and targeting:

    • Stryker Corporation (March 2026): Handala executed a highly disruptive attack against this U.S. medical device manufacturer. Using a mix of Windows-based loaders and ransomware tactics, they impacted order processing and manufacturing lines, forcing temporary operational stoppages.

    • Israeli critical infrastructure (2024–2026): Handala has targeted Israeli electrical networks, municipal services (such as El'ad municipality), defense vendors, and internal security systems (Shin Bet).

    • Strategic leaks: The group has systematically compromised and leaked massive email volumes from high-profile political and defense figures to manipulate public discourse.

Key Tactics, Techniques, and Procedures (TTPs)

While Handala framed the Cal Water operation purely as a hack-and-leak incident, their deployed toolkit contains highly destructive capabilities.


The group maintains custom data-wiping utilities, including win.handala, Handala Wiper, and Hamsa Wiper, alongside Master Boot Record (MBR) overwriting binaries. Their operational playbook regularly follows a distinct cycle: they establish an initial foothold, steal data for public leaks, and if aligned with their strategic directives, escalate directly to deploying wipers within the same network session.

Patterns that utility operators should notice

The Cal Water incident highlights a critical defensive lesson: adversaries do not need to touch a PLC to win a psychological victory.

This strategy is built on a specific set of operational behaviors:

  1. Exploitation of brand visibility: Water utilities are hyper-local, high-consequence targets. Any claim of a compromised water supply sparks immediate public anxiety.

  2. Exaggeration of capability: Handala explicitly stated they chose not to shut down the water supply. This leverages a data breach to construct an artificial narrative of operational dominance, forcing utilities into defensive public-relations triage.

  3. The information-to-disruption pipeline: Even when OT environments remain safe, enterprise credential leaks provide foundational data for future targeted spear-phishing or lateral engineering attempts. A breach of enterprise PII or mapping networks must be treated as the precursor to a physical staging operation.

MITRE ATT&CK Mapping

| ATT&CK ID | Technique | Assessment |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Probable initial access |
| T1078 | Valid Accounts | Likely credential abuse |
| T1005 | Data from Local System | Data collection |
| T1041 | Exfiltration Over C2 Channel | Data theft |
| T1595 | Active Scanning | Likely reconnaissance |
| T1485 | Data Destruction | Historical Handala capability |

For OT*

| ATT&CK ICS ID | Technique |
|---|---|
| T0814 | Denial of Control |
| T0829 | Loss of View |
| T0809 | Data Destruction |

* These were not observed, but align with Handala's historic capabilities.


What if Handala had breached OT?

Had the threat actor bypassed network perimeter defenses and dropped their custom wiper payloads into Cal Water's Level 2 and Level 1 OT environments, the operational impact would have shifted from an information leak to a possibly severe physical threat.

Scenario analysis: Wiper deployment in water SCADA

  • SCADA HMI destruction: Deployed wipers targeting Windows-based Human-Machine Interfaces (HMIs) would blind plant operators. Engineering workstations running control software (e.g., Rockwell Automation FactoryTalk, Siemens TIA Portal) would face corrupted OS partitions, preventing remote visibility into the system.

  • Chemical dosing disruption: Automated water treatment relies on precise chemical addition (chlorine, sodium hypochlorite, fluorosilicic acid) managed by PLCs. If the engineering workstations controlling these setpoints are wiped, or if network communications are severed by a Linux-based wiper attacking field servers, operators lose the ability to dynamically adjust dosing based on raw water intake quality.

  • Distribution and pumping failures: The loss of Remote Telemetry Units (RTUs) at remote pumping stations and reservoir facilities would prevent automated tank filling. Plants would be forced to transition entirely to manual, localized operations—sending physical crews to stations to manually override valves and monitor tank levels to prevent overflows or system depressurization.

Lessons for water utilities

To prevent opportunistic IT intrusions from exposing internal operations or fueling adversary information campaigns, water and wastewater systems must adopt 15 core defensive mandates:

Asset management and surface defense

  • Enforce complete Internet isolation for auxiliary systems: Tools like RTKBase, GIS mapping controllers, or weather telemetry systems must never be exposed directly to the public internet without an authenticated gateway.

  • Implement continuous External Attack Surface Management (EASM): Automate scans to discover rogue, shadow-IT, or vendor-installed web applications operating on utility-owned IP space.

  • Establish strict IT-to-OT network segmentation: Utilize unidirectional security gateways or strict firewall Access Control Lists (ACLs) to ensure zero direct paths exist between enterprise billing/mapping networks and the SCADA control subnets.
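The "limited visibility" problem described under "Why exposure management failed" and the EASM mandate above reduce to one recurring check: reconcile what is actually reachable on utility-owned IP space against the approved asset inventory, and weight GNSS correction services heavily because they are exactly the class of system that escapes vulnerability management. The script below is an added example, not Shieldworkz or RTKBase project code. The IP ranges, inventory and scan results are constructed sample data; the `SOURCETABLE 200 OK` banner is the standard NTRIP v1 caster reply to a bare GET and port 2101 is the IANA-registered NTRIP port, while matching an RTKBase web console by its page title is an assumed fingerprint.

```python
"""
EASM reconciliation: flag every service reachable on utility IP space that is
not in the approved inventory, rating GNSS correction services as high.

Added example (not Shieldworkz or RTKBase code). All data below is constructed.
"""
import ipaddress
import re

# Constructed: utility-owned public ranges (RFC 5737 documentation prefixes).
UTILITY_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.0/24")]

# Constructed: approved, change-controlled internet-facing services.
APPROVED = {("198.51.100.10", 443), ("198.51.100.11", 443)}

# Constructed: external scan output, one dict per open service.
SCAN_RESULTS = [
    {"ip": "198.51.100.10", "port": 443,
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Customer Portal</title>"},
    {"ip": "198.51.100.11", "port": 443,
     "banner": "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"},
    # NTRIP caster answering "GET / HTTP/1.0" with its sourcetable (NTRIP v1 reply).
    {"ip": "203.0.113.25", "port": 2101,
     "banner": "SOURCETABLE 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               "STR;CHICO01;Chico;RTCM 3.2;;;;;;;;;;B;N;;\r\nENDSOURCETABLE\r\n"},
    # Web console whose page title reads RTKBase (assumed fingerprint).
    {"ip": "203.0.113.25", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\n\r\n<html><head><title>RTKBase</title></head></html>"},
    # Outside utility ranges: ignored in this pass.
    {"ip": "192.0.2.7", "port": 2101, "banner": "SOURCETABLE 200 OK\r\n\r\nENDSOURCETABLE\r\n"},
]

NTRIP_PORT = 2101  # IANA-registered port for NTRIP casters


def fingerprint(banner: str) -> str:
    """Classify a service from its banner into a short label."""
    if banner.startswith("SOURCETABLE 200 OK") or "gnss/sourcetable" in banner.lower():
        return "ntrip-caster"          # NTRIP v1 banner or NTRIP v2 content type
    m = re.search(r"<title>(.*?)</title>", banner, re.I | re.S)
    title = m.group(1).strip() if m else ""
    if "rtkbase" in title.lower():     # assumed fingerprint for the RTKBase web UI
        return "rtkbase-web"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


def in_utility_space(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UTILITY_RANGES)


def reconcile(scan, approved):
    """Findings for reachable services on utility IP space that are not
    inventoried. GNSS correction services (or anything on the NTRIP port)
    are rated high: they must sit behind an authenticated gateway."""
    findings = []
    for svc in scan:
        if not in_utility_space(svc["ip"]) or (svc["ip"], svc["port"]) in approved:
            continue
        kind = fingerprint(svc["banner"])
        high = kind in ("ntrip-caster", "rtkbase-web") or svc["port"] == NTRIP_PORT
        findings.append({"ip": svc["ip"], "port": svc["port"], "kind": kind,
                         "severity": "high" if high else "medium"})
    return findings


if __name__ == "__main__":
    for f in reconcile(SCAN_RESULTS, APPROVED):
        print(f"{f['severity'].upper():6} {f['ip']}:{f['port']} {f['kind']}")
```

Run on the constructed data it reports the two unexpected services on 203.0.113.25 (the caster on 2101 and the web console on 80) as high, and nothing for the two inventoried portals. In practice the scan list comes from whatever external scanner the utility already runs; the value of the step is the diff against the inventory, not the scanner.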

Identity and access control

  • Enforce phishing-resistant MFA everywhere: Eliminate passwords as a single point of failure for all corporate portals, remote access paths, and internal field applications.

  • Rotate all infrastructure and NTRIP passwords immediately: Treat all district-level configurations, source passwords, and API tokens as highly volatile assets requiring routine expiration.

  • Eliminate shared administrative accounts: Every field technician, engineer, and contractor must authenticate using unique, auditable identities rather than generic "admin" roles.

  • Audit and restrict third-party/vendor connections: Terminate persistent vendor connections into internal utility architectures; require on-demand, time-bounded, and monitored access windows.

Monitoring and defensive engineering

  • Deploy dedicated OT network monitoring: Implement deep-packet inspection tools capable of identifying anomalous industrial commands or lateral movement attempts inside control subnets.

  • Develop tailored detection engineering rules: Create alerts for atypical database exports within billing environments or unapproved configuration changes on auxiliary web servers.

  • Implement localized Out-of-Band log archival: Ensure application, system, and firewall logs are continuously replicated to a write-once, read-many (WORM) repository safe from local wiper deployment.
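The detection engineering bullet above names two rules; here is what they look like when actually run over logs. This is an added example, not Shieldworkz code: the log formats (key=value audit lines), thresholds, host names, the change-management account and the change window are all assumptions, and the log lines are constructed.

```python
"""
Two detection rules run over constructed sample logs:
  1. bulk export from a billing database (row count far above the account's
     normal working set);
  2. configuration change on an auxiliary web server outside an approved
     change window or by an unapproved account.
Added example (not Shieldworkz code); formats, hosts and thresholds assumed.
"""
from datetime import datetime, timezone
import re
import statistics

# --- Rule 1: atypical database exports ------------------------------------

# Constructed database audit log, one statement per line.
DB_AUDIT = [
    "ts=2026-06-10T09:02:11Z user=billing_app db=billing rows=1 stmt=SELECT",
    "ts=2026-06-10T09:02:12Z user=billing_app db=billing rows=3 stmt=SELECT",
    "ts=2026-06-10T09:05:40Z user=billing_app db=billing rows=2 stmt=SELECT",
    "ts=2026-06-10T09:06:01Z user=billing_app db=billing rows=1 stmt=SELECT",
    "ts=2026-06-10T21:44:19Z user=billing_app db=billing rows=412381 stmt=SELECT",
    "ts=2026-06-10T21:45:02Z user=billing_app db=billing rows=12 stmt=SELECT",
]
DB_RE = re.compile(r"ts=(\S+) user=(\S+) db=(\S+) rows=(\d+)")


def bulk_exports(lines, min_rows=10_000, factor=100):
    """Flag statements whose row count is above an absolute floor AND more
    than `factor` times the median row count of the same user's other
    statements. Excluding the statement itself keeps one huge export from
    dragging its own baseline up."""
    parsed = [(m.group(1), m.group(2), m.group(3), int(m.group(4)))
              for m in map(DB_RE.search, lines) if m]
    alerts = []
    for i, (ts, user, db, rows) in enumerate(parsed):
        others = [r for j, (_, u, _, r) in enumerate(parsed) if u == user and j != i]
        baseline = statistics.median(others) if others else 0
        if rows >= min_rows and rows > factor * max(baseline, 1):
            alerts.append({"ts": ts, "user": user, "db": db,
                           "rows": rows, "baseline": baseline})
    return alerts


# --- Rule 2: unapproved config changes on auxiliary web servers -----------

AUX_HOSTS = {"rtkbase-chico", "gis-web-01"}   # assumed auxiliary hosts
APPROVED_CHANGERS = {"svc_ansible"}            # assumed change-management account
CHANGE_WINDOW_UTC = (2, 4)                     # assumed window: 02:00-04:00 UTC
CONFIG_PREFIXES = ("/etc/",)

# Constructed host audit events (file writes).
HOST_EVENTS = [
    "ts=2026-06-11T02:30:00Z host=rtkbase-chico user=svc_ansible event=file_write path=/etc/nginx/nginx.conf",
    "ts=2026-06-11T13:12:44Z host=rtkbase-chico user=www-data event=file_write path=/etc/nginx/sites-enabled/default",
    "ts=2026-06-11T13:13:01Z host=billing-db-02 user=postgres event=file_write path=/var/lib/postgresql/data/base/1/12345",
    "ts=2026-06-11T03:10:00Z host=gis-web-01 user=contractor42 event=file_write path=/etc/apache2/apache2.conf",
]
HOST_RE = re.compile(r"ts=(\S+) host=(\S+) user=(\S+) event=(\S+) path=(\S+)")


def unapproved_config_changes(lines):
    """Flag config writes on auxiliary hosts made outside the change window
    or by an account that is not the change-management account."""
    alerts = []
    for m in map(HOST_RE.search, lines):
        if not m:
            continue
        ts, host, user, event, path = m.groups()
        if host not in AUX_HOSTS or event != "file_write" or not path.startswith(CONFIG_PREFIXES):
            continue
        hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
        in_window = CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]
        if not in_window or user not in APPROVED_CHANGERS:
            alerts.append({"ts": ts, "host": host, "user": user, "path": path})
    return alerts


if __name__ == "__main__":
    for a in bulk_exports(DB_AUDIT):
        print("BULK EXPORT", a)
    for a in unapproved_config_changes(HOST_EVENTS):
        print("CONFIG CHANGE", a)
```

On the constructed data rule 1 fires once, on the 412,381-row statement at 21:44 (baseline for that account: 2 rows), and rule 2 fires twice: the `www-data` write on `rtkbase-chico` at 13:12 (outside the window) and the `contractor42` write on `gis-web-01` (inside the window but not the approved account). The billing host's write is ignored because it is not an auxiliary web server; that host belongs under rule 1.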

Response and resilience staging

  • Conduct Out-of-Band Incident Command Drills: Regularly test incident response plans under the assumption that primary corporate communication paths, emails, and cellular networks are entirely compromised or unavailable.

  • Maintain validated immutable backups: Maintain offline, air-gapped backups of all SCADA logic, HMI configurations, gold-image operating systems, and billing system databases.

  • Formalize a public relations PsyOp playbook: Prepare communication templates to rapidly counter exaggerated or false threat actor claims regarding public safety and water purity.

  • Enforce manual process control validation: Conduct monthly operational drills requiring plant personnel to isolate the SCADA system entirely and run treatment facilities using local manual overrides.

  • Establish rapid supply chain triage protocols: Define exact containment procedures for isolating vendor infrastructure from utility assets the moment a contractor or open-source tool vendor announces a corporate breach.

Detection and defense

Defending against an actor like Handala requires a defense-in-depth model that layers preventative, detective, and responsive controls mapped directly to international security frameworks.

Control mapping matrix

| Control category | Specific actionable recommendation | IEC 62443 | NIS2 | NIST CSF 2.0 | NIST SP 800-82 |
|---|---|---|---|---|---|
| Preventative | Demilitarized Zone (DMZ) restructuring with multi-factor authentication (MFA) gateways for all mapping, field positioning, and billing data layers. | SR 3.1, SR 5.1 | Article 21 (Policies on risk analysis, cryptography, access control) | PR.AA, PR.DS | Sec. 6.2 (Network Segmentation) |
| Detective | Endpoint Detection and Response (EDR) rule configurations tracking anomalous PowerShell execution, AutoIT loader variations, and mass data staging profiles. | SR 6.1, SR 6.2 | Article 21 (Incident handling and monitoring) | DE.AE, DE.CM | Sec. 6.3 (Incident Detection) |
| Responsive | Automated host isolation playbooks targeting assets executing known Handala wiper strings (win.handala) before lateral execution occurs. | SR 7.1, SR 7.6 | Article 21 (Business continuity and crisis management) | RS.RP, RC.RP | Sec. 6.4 (Incident Response) |
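The "Detective" row of the matrix above calls for EDR rules on anomalous PowerShell execution and mass data staging. The code below shows the logic of two such rules over host telemetry, as an added example that is not Shieldworkz code and not any vendor's rule format. The event fields are a simplified process-creation / file-creation schema, the PowerShell indicator strings are the usual ones (encoded commands, hidden windows, download cradles), and the thresholds, host name and events are constructed assumptions; the encoded command is a placeholder, not a payload.

```python
"""
Host-side detection over constructed process and file events:
  1. anomalous PowerShell invocations (encoded commands, hidden windows,
     policy bypass, download cradles);
  2. mass data staging: one process writing many files into a single
     directory within a short window, the usual prelude to exfiltration.
Added example (not Shieldworkz code, not a vendor rule format); data constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed process-creation events (Sysmon-like fields, simplified).
PROCESS_EVENTS = [
    {"ts": "2026-06-12T01:00:00+00:00", "host": "gis-ws-07", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand <base64 placeholder>"},
    {"ts": "2026-06-12T01:00:05+00:00", "host": "gis-ws-07", "pid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\rotate-logs.ps1"},
    {"ts": "2026-06-12T01:00:07+00:00", "host": "gis-ws-07", "pid": 4200,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

_BASE = datetime(2026, 6, 12, 1, 0, 30, tzinfo=timezone.utc)
FILE_EVENTS = (
    # Constructed: pid 4120 writes 60 export files into one staging folder, 2 s apart.
    [{"ts": (_BASE + timedelta(seconds=2 * i)).isoformat(), "host": "gis-ws-07",
      "pid": 4120, "path": rf"C:\Users\Public\stage\export_{i:03d}.csv"} for i in range(60)]
    # Constructed: pid 4188 writes a handful of rotated logs, normal behaviour.
    + [{"ts": (_BASE + timedelta(seconds=10 * i)).isoformat(), "host": "gis-ws-07",
        "pid": 4188, "path": rf"C:\Logs\app_{i}.log"} for i in range(5)]
)

# Lower-cased substrings that rarely appear in legitimate scheduled scripts.
SUSPICIOUS_PS = ("-encodedcommand", "-enc ", "-w hidden", "-windowstyle hidden",
                 "-nop", "bypass", "downloadstring(", "invoke-expression", "iex ")


def anomalous_powershell(events):
    """Return PowerShell launches whose command line carries suspicious switches."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        cmd = ev["cmdline"].lower()
        matched = [k for k in SUSPICIOUS_PS if k in cmd]
        if matched:
            hits.append({"host": ev["host"], "pid": ev["pid"], "indicators": matched})
    return hits


def mass_staging(events, min_files=50, window_seconds=300):
    """Group file-create events by (host, pid, directory) and alert when a
    process writes at least min_files into one directory inside the window
    (sliding window over sorted timestamps)."""
    groups = defaultdict(list)
    for ev in events:
        directory = ev["path"].rsplit("\\", 1)[0]
        groups[(ev["host"], ev["pid"], directory)].append(
            datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")))
    alerts = []
    for (host, pid, directory), times in groups.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= min_files:
                alerts.append({"host": host, "pid": pid, "dir": directory, "files": hi - lo + 1})
                break   # one alert per process/directory is enough
    return alerts


if __name__ == "__main__":
    for h in anomalous_powershell(PROCESS_EVENTS):
        print("POWERSHELL", h)
    for a in mass_staging(FILE_EVENTS):
        print("STAGING", a)
```

The two rules are deliberately independent, but the fact that the same PID (4120) trips both is the correlation an analyst would act on: a hidden, encoded PowerShell process that then fills a staging directory is a much stronger signal than either event alone, and is the kind of chain the "Responsive" row's host isolation playbook should key on.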


Strategic implications for Critical Infrastructure operators

The Cal Water incident reinforces four strategic realities:

1. Auxiliary systems are becoming primary targets

Historically, organizations focused security investments on SCADA and process control systems. Threat actors increasingly target supporting operational services including:

  • GIS platforms

  • GNSS correction systems

  • Remote monitoring portals

  • Asset management applications

  • Smart metering infrastructure

2. Information operations are now part of cyber ops.

The objective is often no longer limited to disruption.

Adversaries seek to:

  • Create public uncertainty

  • Erode trust in utility operators

  • Trigger regulatory scrutiny

  • Generate media amplification

3. Reputation has become an attack surface

For water utilities, public confidence is a critical operational dependency.

4. IT incidents can turn into OT crises

This holds even when the operational technology itself remains unaffected.

Shieldworkz analyst assessment

Most likely attack path

The adversary identified an internet-exposed, unpatched, or poorly protected deployment of the open-source RTKBase platform utilized by Cal Water's Chico District. Exploiting either known vulnerabilities or weak administrative credentials, Handala gained initial access to the application server. Once inside, the actor harvested administrative credentials, mapped localized internal configurations, and moved laterally into a business-layer customer billing database hosting client PII.

Most likely attacker objective

The primary objective of this operation was geopolitically motivated information warfare and psychological impact. Handala sought to collect high-volume enterprise data to leak publicly, creating a highly visible media narrative that implies a deep compromise of a critical U.S. water utility. The group chose not to execute destructive actions because they lacked the specific network pathways to reach the isolated SCADA architecture, making an exaggerated claim of capability their most effective alternative strategy.

Confidence level

  • High confidence: The incident resulted in an enterprise data exfiltration and auxiliary software compromise rather than a physical OT/SCADA breach.

  • High confidence: The threat actor will continue to use opportunistic IT footholds in municipal networks to claim high-consequence critical infrastructure victories.

Why this attack matters

This incident demonstrates that a threat actor can trigger a critical infrastructure security alert and capture global media attention without ever touching a control system loop or modifying a single PLC variable. For state-sponsored cyber operations, the perception of operational access is often just as valuable as actual physical disruption.

Urgent action items for utilities


  • Immediate Audit: Review all corporate and district IP space to identify and take offline any internet-exposed RTKBase installations or auxiliary operational tools.

  • Credential Reset: Mandate an immediate password reset for all NTRIP applications, configuration files, billing software, and enterprise access systems.

  • Boundary Verification: Inspect firewall logs to verify complete isolation between corporate networks and active SCADA routing zones.
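The segmentation mandate earlier ("zero direct paths exist between enterprise billing/mapping networks and the SCADA control subnets") and the boundary verification item above are the same check from two directions: the ruleset says what is permitted on paper, the firewall logs say what actually crossed. The script below does both. It is an added example, not Shieldworkz code; the zone subnets, rules and log lines are constructed, and the key=value log format is an assumption.

```python
"""
IT-to-OT boundary verification: find allow rules that can carry traffic from
enterprise (billing/mapping/RTKBase) subnets into SCADA subnets, and find
permitted flows in firewall logs that actually crossed that boundary.
Added example (not Shieldworkz code); subnets, rules and logs constructed.
"""
import ipaddress
import re

# Constructed zone definitions.
IT_ZONES = [ipaddress.ip_network("10.20.0.0/16")]    # corporate, billing, GIS, RTKBase
OT_ZONES = [ipaddress.ip_network("10.100.0.0/16")]   # SCADA servers, HMIs, PLC subnets

# Constructed ruleset, evaluated top-down as most firewalls do.
RULES = [
    {"id": 10, "action": "allow", "src": "10.20.0.0/16", "dst": "10.20.0.0/16",  "dport": "any"},
    {"id": 20, "action": "allow", "src": "10.20.5.0/24", "dst": "10.100.1.0/24", "dport": "502"},   # billing subnet -> SCADA, Modbus/TCP
    {"id": 30, "action": "allow", "src": "10.20.9.0/24", "dst": "10.100.0.0/16", "dport": "any"},   # "temporary" contractor rule
    {"id": 40, "action": "deny",  "src": "any",          "dst": "10.100.0.0/16", "dport": "any"},
]

# Constructed firewall log lines (assumed key=value format).
LOG_LINES = [
    "2026-06-12T03:14:07Z action=allow src=10.20.5.14 dst=10.100.1.20 dport=502 proto=tcp rule=20",
    "2026-06-12T03:14:09Z action=deny src=10.20.5.14 dst=10.100.1.21 dport=20000 proto=tcp rule=40",
    "2026-06-12T03:15:30Z action=allow src=10.20.3.8 dst=10.20.7.40 dport=1433 proto=tcp rule=10",
    "2026-06-12T03:16:02Z action=allow src=10.20.9.77 dst=10.100.2.5 dport=44818 proto=tcp rule=30",
]
LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def _overlaps(cidr: str, zones) -> bool:
    """True if the rule's address spec can match any address in the zones."""
    if cidr == "any":
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(z) for z in zones)


def _in_zones(ip: str, zones) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in z for z in zones)


def crossing_rules(rules, it_zones=IT_ZONES, ot_zones=OT_ZONES):
    """IDs of allow rules whose source can be IT and destination can be OT.
    Any hit means the 'zero direct paths' requirement is violated on paper."""
    return [r["id"] for r in rules
            if r["action"] == "allow"
            and _overlaps(r["src"], it_zones) and _overlaps(r["dst"], ot_zones)]


def crossing_flows(lines, it_zones=IT_ZONES, ot_zones=OT_ZONES):
    """(src, dst, dport) of permitted flows that went from IT into OT.
    Denied attempts are not returned: those show the boundary holding."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "allow":
            continue
        if _in_zones(m["src"], it_zones) and _in_zones(m["dst"], ot_zones):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    print("allow rules crossing IT->OT:", crossing_rules(RULES))
    for src, dst, port in crossing_flows(LOG_LINES):
        print(f"permitted IT->OT flow {src} -> {dst}:{port}")
```

On the constructed data, rules 20 and 30 are the paper violations (a billing subnet allowed to Modbus/TCP on a SCADA segment, and an open contractor rule into the whole OT range), and the log shows two flows that actually used them. The denied DNP3 attempt on port 20000 is correctly not reported: it is evidence that rule 40 did its job, and would be a separate alert for the SOC rather than a segmentation finding.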

This intelligence briefing is maintained by the Shieldworkz Research and Incident Response divisions.  

Additional reading

Handala Dossier
Shieldworkz 2026 OT Security Report
