The Iran-linked group Handala claims it breached California Water Service (Cal Water), one of the largest US investor-owned water utilities, and published a 5GB sample to prove it. Analysts say the attackers reached a customer billing database holding personal data (names, addresses, account and payment details) and an internal GPS-correction server, leaking administrative credentials in the process. Handala framed the attack as retaliation for US actions against Iran and boasted it could disrupt water supply, but researchers stress the evidence does not support that claim: neither system controls water treatment, and the group is known to exaggerate. Cal Water has not yet publicly confirmed the incident.
At the Asness Summit in Nashville on April 24, former NSA director Tim Haugh and Mandiant founder Kevin Mandia argued Iran's current cyber posture more closely resembles a criminal actor than a sophisticated APT - reliant on dark-web-purchased credentials, basic security gaps, and information operations to amplify modest intrusions. They cited the March 11 Stryker attack as the template: no malware, no zero-day, just legitimate credentials used to abuse MDM (mobile device management) and delete data the attacker had permission to delete. Mandia's CISO advice: assume valid credentials for your staff are already on sale and build detection around their misuse.
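As an added illustration of that advice (example code, not from the talk or from any organisation mentioned above), the following Python sketch runs two detections over constructed MDM audit log lines: a successful login from a source address the account has never used, and a burst of device wipes larger than an administrator would plausibly issue by hand. The log format, account names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MDM audit log (assumed format: "<ISO ts> <user> <src_ip> <action> <target>").
# Every name, address and action below is made up for this example.
SAMPLE_LOG = """\
2026-03-11T02:10:05Z jdoe 198.51.100.22 LOGIN_SUCCESS -
2026-03-11T02:12:00Z jdoe 198.51.100.22 DEVICE_WIPE dev-0007
2026-03-11T03:01:10Z ops-admin 203.0.113.7 LOGIN_SUCCESS -
2026-03-11T03:02:15Z ops-admin 203.0.113.7 DEVICE_WIPE dev-1041
2026-03-11T03:02:16Z ops-admin 203.0.113.7 DEVICE_WIPE dev-1042
2026-03-11T03:02:17Z ops-admin 203.0.113.7 DEVICE_WIPE dev-1043
2026-03-11T03:02:18Z ops-admin 203.0.113.7 DEVICE_WIPE dev-1044
"""

# Assumed baseline: source IPs each account normally logs in from (in practice, built from history).
KNOWN_IPS = {"jdoe": {"198.51.100.22"}, "ops-admin": {"198.51.100.22"}}
DESTRUCTIVE = {"DEVICE_WIPE", "DEVICE_DELETE"}   # actions the credential is allowed to perform
WINDOW = timedelta(minutes=10)
MAX_DESTRUCTIVE = 3   # more wipes/deletes than this per account per window is treated as abnormal

def parse(line):
    ts, user, ip, action, target = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "action": action, "target": target}

def detect(log_text, known_ips=KNOWN_IPS, max_destructive=MAX_DESTRUCTIVE, window=WINDOW):
    # Returns (rule, user, detail) tuples. Rule 1 flags a valid login from an unseen source;
    # rule 2 flags a wipe spree, so misuse is caught even when the login itself looked normal.
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of destructive actions inside the window
    fired = set()                 # users already alerted on by rule 2
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["action"] == "LOGIN_SUCCESS" and e["ip"] not in known_ips.get(e["user"], set()):
            alerts.append(("login_from_unknown_source", e["user"], e["ip"]))
        if e["action"] in DESTRUCTIVE:
            q = recent[e["user"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop actions older than the window
                q.popleft()
            if len(q) > max_destructive and e["user"] not in fired:
                fired.add(e["user"])
                alerts.append(("bulk_destructive_mdm", e["user"], len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules fire only on "ops-admin" in the sample; "jdoe" logs in from a known address and issues a single wipe, which is exactly the activity a permission check alone would never distinguish from the attacker's.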