Cal Water Confirms IT-Only Intrusion After Handala Claims
California Water Service (Cal Water) — one of the largest investor-owned water utilities in the United States, serving approximately 2 million people across California — has disclosed that it was the target of a cyberattack attributed to Handala, an Iranian threat actor with a history of targeting Israeli and Western critical infrastructure. The company stated that a Mandiant-led investigation found no evidence that operational technology (OT) systems controlling water treatment, pumping, or distribution were breached.
The attack drew attention because Handala had publicly claimed the capability to disrupt water supply — a claim that, if true, would represent a significant escalation in Iranian state-linked attacks against U.S. critical infrastructure.
Who Is Handala?
Handala (also tracked as Handala Hack) is an Iranian-affiliated hacktivist group that first gained prominence attacking Israeli organizations following the October 2023 conflict. The group's stated ideology is pro-Palestinian and anti-Western, though its operations are widely assessed by Western intelligence agencies as state-influenced — providing Iran deniability while amplifying pressure on adversaries.
Key Handala characteristics:
- Primarily targets organizations in Israel, the United States, and allied nations
- Favors destructive or psychologically impactful operations (data leaks, ransomware-like wiper deployment, and exaggerated claims designed to generate media coverage)
- Has claimed credit for attacks on Israeli water authorities, airports, and financial institutions — with mixed verification of the actual impact
- Known to exaggerate capability claims to maximize disruption and public fear
The Cal Water incident fits a familiar pattern: real intrusion, inflated capability claims.
What Happened
Cal Water disclosed that it detected unauthorized access to portions of its IT network — the corporate and administrative systems separate from the operational technology networks that directly control physical infrastructure (pumps, valves, SCADA systems, treatment processes).
Mandiant, Google's threat intelligence and incident response arm, was engaged to investigate. Their findings, as reported by SecurityWeek:
- IT systems were accessed — the intrusion was real and confirmed
- No OT systems were compromised — water treatment, distribution, and pumping systems were not accessed or manipulated
- No evidence of capability to disrupt supply — Handala's public claims overstated the actual impact
- Investigation ongoing — full scope of data potentially accessed or exfiltrated from IT systems is still being assessed
The IT/OT Segmentation Question
The Cal Water outcome illustrates why air-gapping or strong segmentation between IT and OT networks is a foundational security control for water utilities and other critical infrastructure operators. Had the OT network been directly routable from the compromised IT environment, the attack could have proceeded into industrial control systems.
Water sector OT environments typically include:
| System | Function |
|---|---|
| SCADA | Supervisory Control and Data Acquisition — monitors and controls field devices |
| PLCs/RTUs | Programmable Logic Controllers / Remote Terminal Units — directly control pumps, valves, chemical dosing |
| HMIs | Human-Machine Interfaces — operator displays |
| Historian servers | Log process data for compliance and analysis |
If an attacker gains access to these systems, the attack surface expands from data theft to physical sabotage — including manipulating chemical treatment levels, disabling pumping stations, or opening/closing critical valves.
How the Segmentation Held (Likely)
While Cal Water has not publicly described its network architecture in detail, the Mandiant finding suggests the OT network was sufficiently isolated that the Handala operators could not pivot from their IT foothold. Common mechanisms that create this barrier:
- Unidirectional security gateways (data diodes) between IT and OT
- No direct IP routing between corporate and control system networks
- Jump servers / privileged access workstations required to access OT environments, with additional authentication factors
- OT network monitoring (e.g., Claroty, Dragos, Nozomi) that would detect anomalous lateral movement
Water Sector Threat Context
The Cal Water incident is not an isolated event. U.S. water utilities have faced an elevated threat environment since 2023:
Recent Incidents
- Aliquippa Water Authority (PA), 2023 — Iranian-linked Cyber Av3ngers compromised an Israeli-made Unitronics PLC, briefly displaying anti-Israel messaging on operator interfaces. No disruption to water supply.
- American Water Works, 2024 — Cyberattack on the largest U.S. water utility led to a shutdown of the customer portal. OT systems reported unaffected.
- Multiple small utilities — CISA has documented ongoing scanning and intrusion attempts against smaller water systems, many of which lack dedicated security staff.
CISA and EPA Guidance
Following the Aliquippa incident and broader sector targeting, CISA and the EPA issued a joint advisory in early 2024 warning that water and wastewater utilities — particularly those using internet-exposed industrial control systems — faced elevated risk from Iranian and Chinese state-linked actors.
Key recommendations from that guidance remain relevant:
1. Disconnect OT/ICS equipment from the public internet
2. Change all default passwords on industrial control systems
3. Implement multi-factor authentication for remote access to OT
4. Conduct regular backups of OT system configurations
5. Maintain an incident response plan specific to ICS/OT environments
6. Subscribe to WaterISAC threat intelligence
What Handala Actually Got
While the OT systems appear secure, the IT intrusion is still significant:
- Customer data — Cal Water serves ~2 million people; billing information, service records, and personal data may have been exposed
- Operational documentation — network diagrams, infrastructure documentation, and IT system configurations accessed from corporate networks could inform future attacks
- Employee data — HR records, credentials, and internal communications
Mandiant's investigation will likely clarify the data exposure scope in a subsequent disclosure. Cal Water is required under California law and federal regulations to notify affected customers if personal information was accessed.
Implications for Critical Infrastructure Security Teams
The Claim-Reality Gap Is Deliberate
Threat actors like Handala intentionally overstate the impact of their operations. The strategic value of claiming the ability to shut off water supplies — even when false — is to erode public trust, generate media coverage, and create psychological pressure on governments. Security practitioners should maintain healthy skepticism about hacktivist impact claims until verified by independent investigators.
IT Compromises Are Not Trivially Separate from OT Risk
Even though OT systems were not breached, an IT-level intrusion at a water utility is not benign:
- Stolen network documentation enables better-targeted future OT attacks
- Compromised employee credentials could be used in spear-phishing against OT operators
- Customer data exposure creates regulatory and legal liability
The incident should be treated as a near miss that reveals the importance of IT-OT segmentation — not as a clean bill of health.
Patching Internet-Facing Systems Remains Critical
Water utilities frequently run aging infrastructure, and the initial access vector in many water sector intrusions has been unpatched internet-facing systems. Maintaining visibility into what is internet-exposed and keeping it patched is non-negotiable.
References
- SecurityWeek: Cal Water Finds No Evidence of OT Activity After Handala Claims
- CISA: Water and Wastewater Systems Sector Resources
- WaterISAC
- EPA Cyber Security Guidance for the Water Sector
Published: June 25, 2026