Handala's Water Play: What the Breach Was, What It Wasn't, and What Utilities Should be Doing Anyway

The headlines on June 12th were hard to ignore: Iranian hackers breach California water systems. By the time most security teams read them, Handala/VOID MANTICORE had already accomplished its primary objective.

That objective was not to disrupt water service. The group said so openly, framing the intrusion as a warning to the White House while U.S. military strikes on water reservoirs in the Iranian port town of Sirik, which reportedly cut drinking water access for more than 20,000 residents during a heat wave, were still front-page news. Strike Iran’s water; post screenshots of California’s bills. The symmetry was the message.

What the breach actually exposed is more instructive than the framing suggests.

What Handala Compromised

Threat intelligence firm Dataminr, reporting through SecurityWeek, assessed that Handala’s likely entry point was an exposed RTKBase instance belonging to California Water Service (Cal Water). RTKBase is a real-time kinematic (RTK) GPS correction platform, used in field operations to enable precision positioning of survey equipment and infrastructure crews. Cal Water’s instance had been running continuously for approximately 783 hours at the time of access, streaming correction data across all seven identified district mountpoints via the Networked Transport of RTCM via Internet Protocol (NTRIP) service.

From there, Dataminr places the pivot into Cal Water’s customer billing database, from which the group exfiltrated roughly 5 gigabytes of data: names, addresses, phone numbers, account numbers, payment histories, administrative credentials for the RTKBase platform, and mountpoint-level NTRIP passwords. The threat actor also enumerated IP addresses across all seven of Cal Water’s districts through the NTRIP network.

Cal Water, one of the largest investor-owned water utilities in the U.S. with approximately two million customers across 100 communities in California, told SJV Water: “We have conducted a preliminary scan of our internal IT and OT networks and have no signs of any compromise within our IT, water production, and delivery systems at this time.”

Handala claimed more than that, asserting the ability to shut off water access while choosing restraint as a political gesture. Sean Malone, CISO at BeyondTrust, was direct: “Handala has a record of overstating its capabilities. The boast about choosing to spare the water supply reads as the psychological operation itself.”

He’s right. That doesn’t mean the structural question the boast gestures at can be set aside.

Knowing the Adversary: Handala’s Playbook

Handala / Handala Hack is not a freelance hacktivist operation. This Iran-linked threat actor is tied to Iran’s Ministry of Intelligence and Security (MOIS) and tracked under additional aliases and public-facing personas including VOID MANTICORE, Storm-0842, Red Sandstorm, Homeland Justice, and Banished Kitten. The group has been active since at least 2008.

Handala is not a quiet collection operation. The group runs data exfiltration alongside destructive payload deployment and information operations, often within the same campaign cycle. Their toolkit includes ROADSWEEP ransomware, the BiBi Wiper, and tools built specifically for this group like the Handala Wiper and the Hamsa Wiper. Credential harvesting via Mimikatz, lateral movement through Impacket, and Telegram-based command-and-control infrastructure round out the established TTP set.

Initial access follows a recognizable pattern: exploitation of public-facing applications, credential stuffing, phishing, and abuse of legitimate remote access infrastructure. In the Cal Water case, an internet-accessible operational support system served as the entry point. That maps directly to what Nozomi Networks Labs observed as the dominant early-stage pattern in its March 2026 analysis of Iranian APT activity: default credential abuse and valid account usage combined with internal scanning, “quietly mapping environments to identify high-value assets and establish persistence before escalating to disruptive or destructive tactics.”

The credentials in that 5GB dump are live. The IP address map of Cal Water’s infrastructure across seven districts, compiled through NTRIP enumeration, is reconnaissance material for a follow-on operation. The initial claim may be step one.

The OT Gap: Reading the Incident Against the Sector Pattern

The November 2023 campaign against the Municipal Water Authority of Aliquippa, Pennsylvania by another Iran-linked actor, CyberAv3ngers, is the useful comparison. IRGC-affiliated actors breached a booster pump station by exploiting internet-exposed Unitronics Vision Series programmable logic controllers (PLCs) directly. CyberAv3ngers reached the OT layer because those devices were reachable from the internet with no authentication barrier. CISA’s joint advisory (AA23-335A) documented how actors in that campaign replaced ladder logic with custom files, renamed devices to obstruct owner access, and disabled upload and download functions. That is OT-layer access with operational consequences.

In the Cal Water incident, the OT layer was apparently not accessed. Why the intrusion stopped at the billing environment is not confirmed. It may reflect effective IT-OT segmentation, a deliberate operational choice consistent with their stated goal of a warning rather than disruption, or simply the scope of what the RTKBase access vector opened. Handala’s claim of restraint is part of the psychological operation and should not be taken at face value, but attributing the outcome to defensive architecture we cannot verify would be equally unwarranted.

This intrusion fits a well-documented progression. Nozomi Networks Labs research shows that attacks which eventually reach OT environments often begin in IT systems and at network edges, not inside the OT layer. Initial intrusions enter through internet-facing firewalls, VPN gateways, and remote access infrastructure; adversaries then move through IT before any OT access is attempted, with HMIs, engineering workstations, and historians as the first OT-adjacent targets, not the PLCs and RTUs deeper in the process network. The RTKBase entry point sits at exactly the start of that path.

Nozomi Networks Field CISO Markus Mueller, commenting on the pattern of Iranian actors targeting internet-exposed OT devices in April 2026, put it plainly: “The public exposure of these OT devices creates a vast attack surface that a motivated and capable adversary can exploit.” On why that exposure persists: organizations are “either unaware they’re connected or they underestimate the risk.”

Iranian Activity: Surges, Outages, and What the Pattern Reveals

Nozomi Networks Labs has been tracking Iranian APT activity through the current conflict. During an earlier escalation phase in 2025, our telemetry documented a 133% spike in Iran-linked attack activity against U.S. organizations, concentrated in transportation and manufacturing sectors. Following Operation Lion’s Roar and the current escalation, Nozomi Labs again observed a systematic increase in activity from Iran-linked APT groups as of March 2026. Our researchers also tracked their targeting of critical OT infrastructure in April, ensuring our customers had visibility into that activity.

The picture has not been uniform. SafeBreach documented a concrete data point: the Iranian threat group Infy stopped maintaining its C2 servers on January 8, 2026, the same day the Iranian government imposed a country-wide internet shutdown, and resumed on January 26, one day before restrictions were lifted. SafeBreach VP of Security Research Tomer Bar noted this “likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran” during the outage. The American Security Project observed the same broader pattern, noting that “internet blackouts…have diminished the near-term threat from state-operated groups in Iran.”

Actors with pre-positioned infrastructure outside Iran continue regardless of domestic connectivity. But some portion of Iranian state-affiliated operations, including MOIS-linked groups, depends on connectivity within the country itself. The threat is real and the trajectory is upward, but it fluctuates with conditions inside Iran in ways that do not apply to most other nation-state threat actors.

That context does not change the risk calculus for water utilities. The sector’s exposure is not uniform across the roughly 152,000 public drinking water systems in the United States, per CISA figures. Utilities with internet-facing OT devices, flat networks without IT-OT segmentation, and unchanged default credentials on PLCs and HMIs remain at risk of an Aliquippa-type outcome regardless of where any given week falls on the Iranian APT activity curve.

Security Priorities for Water Utilities

The water sector runs lean. Most utilities operate with thin IT teams and capital budgets built around infrastructure, not security tooling. The recommendations have to fit those constraints.

Find your internet-facing OT. Run your external IP ranges through Shodan. In a water context: Modbus TCP (port 502) and DNP3 (port 20000) are the primary exposure vectors, particularly common where utilities route SCADA telemetry to remote pump stations and lift stations over cellular or internet backhaul rather than dedicated links. EtherNet/IP (port 44818) warrants attention wherever Rockwell/Allen-Bradley PLCs are deployed, which covers most of North American water. Web-based HMIs on 80/443 are the sector’s fastest-growing exposure class; EPA and CISA issued a joint advisory specifically on this in December 2024. NTRIP (port 2101) is directly implicated in this incident. If BACnet (47808) turns up, it’s building automation, but its presence on an external interface is a reliable indicator of flat network architecture worth investigating regardless. Anything resolving from your external ranges gets taken offline or placed behind a DMZ, MFA, and IP allowlisting.

Rotate credentials on field and operational support systems. The credentials Handala exfiltrated are live. Any utility running RTKBase, NTRIP infrastructure, or similar platforms should rotate administrative passwords and review which internal resources those systems can access. CISA advisory AA23-335A specifically names unchanged default credentials on PLCs and HMIs as a primary IRGC attack enabler.

Enable MFA on everything internet-facing. VPN gateways, engineering workstation remote access, administrative portals. Most platforms support it natively; it removes credential stuffing as a viable entry path.

Segment OT from IT. A billing database and a SCADA historian for pump station telemetry should not share a flat network. Full segmentation takes time, but a deny-by-default firewall policy between your IT DMZ and the OT network is a meaningful first barrier. CISA’s Cyber Performance Goals for water and wastewater utilities provide a free, tiered framework for sequencing the work.

Monitor OT network communications and close your highest-exploitability vulnerabilities. Passive monitoring of Modbus, DNP3, and EtherNet/IP traffic within the OT segment, baselining communication patterns between the SCADA master, RTUs, and PLCs, provides anomaly detection without disruption risk. A SCADA master opening sessions to hosts it has never polled, or unexpected function codes on a sensor segment, are visible in packet data well before they escalate. For vulnerabilities, use CISA’s Known Exploited Vulnerabilities (KEV) catalog and ICS-CERT advisories against your specific equipment families as the prioritization lens. Isolation reduces exposure but does not relieve patch urgency. Once inside an OT segment, unpatched firmware on PLCs and RTUs is the next foothold. CyberAv3ngers showed in 2023 how quickly an attacker can move from an exposed device to modified ladder logic.
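As an added example (not Nozomi's or Cal Water's code), the following Python sketches the baseline-then-detect logic described above for Modbus/TCP: it parses the MBAP header, learns which (master, outstation, unit, function code) combinations appear in a clean capture, and then flags a host that never polled before and an unbaselined write to an RTU. All hosts and frames are constructed for the example.

```python
import struct
from collections import namedtuple

Frame = namedtuple("Frame", "src dst payload")  # captured request: hosts + TCP payload
WRITE_CODES = {5, 6, 15, 16}  # Modbus function codes that change controller state

def parse_mbap(payload):
    """Return (transaction id, unit id, function code), or None if not Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # protocol id 0; length covers unit + PDU
        return None
    return tid, unit, payload[7]

def learn_baseline(frames):
    """Collect the (master, outstation, unit, function) tuples seen in a clean period."""
    base = set()
    for f in frames:
        parsed = parse_mbap(f.payload)
        if parsed:
            base.add((f.src, f.dst, parsed[1], parsed[2]))
    return base

def detect(frames, baseline):
    """Return one alert string per frame that falls outside the learned baseline."""
    known_masters = {m for m, *_ in baseline}
    alerts = []
    for f in frames:
        parsed = parse_mbap(f.payload)
        if not parsed or (f.src, f.dst, parsed[1], parsed[2]) in baseline:
            continue
        _, unit, fc = parsed
        # A never-seen master is the loudest signal; an unbaselined write is next.
        kind = "new master" if f.src not in known_masters else "write" if fc in WRITE_CODES else "unseen pair"
        alerts.append(f"{kind}: {f.src} -> {f.dst} unit {unit} fc={fc}")
    return alerts

def mb(tid, unit, fc, body=b"\x00\x00\x00\x0a"):
    """Build a Modbus/TCP frame (MBAP header + PDU) for constructed test traffic."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed clean capture: SCADA master 10.0.5.10 polls two RTUs with FC3/FC4.
CLEAN = [Frame("10.0.5.10", "10.0.5.21", mb(1, 1, 3)),
         Frame("10.0.5.10", "10.0.5.22", mb(2, 1, 3)),
         Frame("10.0.5.10", "10.0.5.22", mb(3, 1, 4))]
# Constructed suspect capture: an unknown host polls an RTU, and the master writes a register.
SUSPECT = CLEAN + [Frame("10.0.5.77", "10.0.5.21", mb(9, 1, 3)),
                   Frame("10.0.5.10", "10.0.5.21", mb(10, 1, 6, b"\x00\x01\x00\x00"))]
```

In practice the baseline would be learned from a span of mirrored OT traffic rather than three frames, and the alerts fed to whatever the utility already uses for alerting.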

Join WaterISAC. WaterISAC provides sector-specific threat intelligence and active-campaign notifications. During periods of heightened geopolitical activity, that intelligence is faster and more relevant than general-purpose feeds.

Build a logging baseline. Centralize authentication logs from firewall, VPN, and identity systems. The lateral pivot from RTKBase to the billing environment in this incident would have been visible as anomalous authentication between two otherwise-separate systems. Hours versus weeks matter here.

The Window Matters

Cal Water’s preliminary assessment held: the water didn’t stop. The credentials Handala exfiltrated and the network topology they mapped did not produce OT disruption in this incident.

It is not a reason to stand down. A group that enumerates seven districts, exfiltrates administrative credentials, and frames the breach as a warning has not finished operating. Nozomi Networks Labs’ March 2026 advisory noted that the early-stage reconnaissance pattern from Iranian APTs, characterized by credential abuse and quiet internal mapping, represents a time-limited window for defenders: “Organizations that respond decisively during this reconnaissance phase are far more likely to prevent future escalation.”

Nozomi Networks provides passive OT asset discovery and continuous anomaly detection purpose-built for the OT environment, threat intelligence mapped to Iranian APT TTPs including Handala/VOID MANTICORE, and the visibility layer that makes every other part of the response possible. See how these capabilities work in practice by requesting a personalized demo of the Nozomi Networks platform.