Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: handala (2 articles)Clear

Iran-linked Handala steals data from California water utility Cal Water

The Iran-linked group Handala claims it breached California Water Service (Cal Water), one of the largest US investor-owned water utilities, and published a 5GB sample to prove it. Analysts say the attackers reached a customer billing database holding personal data (names, addresses, account and payment details) and an internal GPS-correction server, leaking administrative credentials in the process. Handala framed the attack as retaliation for US actions against Iran and boasted it could disrupt water supply, but researchers stress the evidence does not support that claim, neither system controls water treatment, and the group is known to exaggerate. Cal Water has not yet publicly confirmed the incident.

Check
Water and other critical-infrastructure operators should verify strict isolation between IT and operational-technology networks, and review access logs and exposed credentials on internet-facing billing and GPS or telemetry systems.
Affected
California Water Service customers whose billing data was exposed, and the utility's internal GPS-correction systems; the broader US water sector faces heightened Iran-linked targeting per CISA warnings.
Fix
Rotate all exposed credentials and take the affected GPS server offline to audit it, enforce phishing-resistant MFA on privileged accounts, segment IT from OT, and report to CISA and WaterISAC.

Iran operating like a criminal actor, ex-NSA director says - opportunistic credentials and amplification, not novel exploits

At the Asness Summit in Nashville on April 24, former NSA director Tim Haugh and Mandiant founder Kevin Mandia argued Iran's current cyber posture more closely resembles a criminal actor than a sophisticated APT - reliant on dark-web-purchased credentials, basic security gaps, and information operations to amplify modest intrusions. They cited the March 11 Stryker attack as the template: no malware, no zero-day, just legitimate credentials used to abuse MDM and delete data the attacker had permission to delete. Mandia's CISO advice: assume valid credentials for your staff are already on sale and build detection around their misuse.

Check
Run a credential-monitoring service against your domain this week and put alerts in place for impossible-travel and unusual-MDM-action patterns on admin accounts.
Affected
Any organization with US or Israeli ties, plus their suppliers and contractors, fits the Iranian targeting profile. Acute risk: organizations where MDM, RMM, or any endpoint-management platform can issue destructive commands without out-of-band approval; environments without credential-monitoring services watching dark-web markets for staff logins.
Fix
Subscribe to a credential-monitoring service (HaveIBeenPwned Enterprise, SpyCloud, Flare) and alert on staff credentials surfacing in stealer logs. Require step-up auth on any MDM or RMM destructive action (wipe, uninstall, mass-deploy). Brief comms staff that any Iran-claimed breach should be verified before public response - operators routinely overclaim to amplify modest access.