Cal Water Confirms No OT Compromise in Handala-Linked Cyberattack Investigation

A joint investigation with Mandiant found that the Iranian-linked Handala group did not breach operational technology systems at California Water Service, despite claims of deep infrastructure access.

CSBadmin

California Water Service (Cal Water), one of the largest investor-owned water utilities in the United States, has confirmed that its operational technology (OT) environment remained unaffected following a cyberattack claimed by the Iranian-linked threat group known as Handala. The assessment was conducted with support from cybersecurity firm Mandiant, part of Google Cloud, as part of a broader investigation into the incident.

Handala, which presents itself as a hacktivist collective but is widely assessed by security researchers to be linked to Iranian state-backed cyber operations, previously claimed it had gained access to industrial control systems (ICS) and could have disrupted water supply infrastructure. The group also leaked approximately 5 GB of data, alleging it was stolen from Cal Water systems, raising concerns about potential intrusion into critical infrastructure environments.

However, investigators found no evidence that the attackers accessed OT systems or the industrial control systems responsible for water operations. Instead, the breach was limited to unauthorized access to a small number of user accounts tied to third-party service providers. In one instance, attackers accessed a single customer’s online account using stolen credentials, but Cal Water confirmed that this account did not provide access to billing systems or sensitive financial data.

The investigation also found that a separate external third-party platform—used for GPS location correction—was accessed, though it did not contain sensitive or confidential information. While some leaked files included personal information and indications of potential access to customer-facing applications, there was no evidence of compromise within Cal Water’s core IT infrastructure or operational systems.

Cybersecurity experts note that water utilities remain high-value targets for threat actors due to legacy infrastructure and increasing digital connectivity. However, this case underscores the importance of distinguishing between claims made by attackers and verified forensic findings during incident response investigations.

Sources: Security Week