What Actually Happened at California Water Service?
When the Iranian-linked hacker group Handala claimed it had gained deep access to California Water Service (Cal Water) systems — and could have disrupted the water supply for millions of residents but chose not to — the announcement triggered immediate alarm across the critical infrastructure cybersecurity community. Claims of access to industrial control systems (ICS) by a state-affiliated threat actor are never taken lightly. But after an independent forensic investigation led by Google's Mandiant unit, the reality proved to be more nuanced — and in some ways, more instructive — than the hackers' provocative statements suggested.
Cal Water, one of the largest investor-owned water utilities in the United States, confirmed that Mandiant's investigation found no evidence of threat actor activity within its internal IT or operational technology (OT) environments. The breach was real, but its scope was significantly narrower than Handala claimed. According to Cal Water's official statement to SecurityWeek, "the threat actor activity was limited to unauthorized access to a small number of specific user accounts within two third-party service provider platforms." No payment data was compromised, no billing systems were breached, and critically, no industrial control systems were touched.

Who Is Handala — And Why Should Security Teams Care?
Handala presents itself as a hacktivist collective, but cybersecurity analysts and intelligence researchers widely consider it to be a front for Iranian government-directed hacking operations. The group has previously targeted Israeli and Western infrastructure, positioning its activities within the broader context of Iranian cyber operations that have accelerated significantly in recent years. The name itself is a reference to a well-known political cartoon character representing Palestinian resistance — a clear attempt to frame attacks in ideological terms while obscuring state sponsorship.
The group leaked approximately 5 GB of data allegedly taken from Cal Water systems. Analysts examining the published files identified personal information and found indications that a customer billing system and an internal application may have been involved. However, Mandiant's subsequent investigation clarified that access to the billing system itself was not established. The threat actor accessed one active customer's online Cal Water account using stolen credentials — but that account did not provide access to billing infrastructure or payment data.
Additionally, Handala accessed an external, third-party website related to a GPS location correction tool. While this sounds alarming — GPS correction tools are used in precision surveying and utility field operations — Cal Water confirmed that the website in question does not contain any confidential or sensitive information. The gap between Handala's claims and the forensic reality is telling: this appears to be a deliberate influence operation designed to exaggerate impact and sow public distrust in utility security.
"State-affiliated groups like Handala understand that the psychological impact of claiming access to water or power infrastructure can be just as damaging as an actual disruption — particularly when critical infrastructure operators haven't yet completed their investigations."
— Cybersecurity analyst perspective on influence-driven ICS threat campaigns

Why Critical Infrastructure Cybersecurity Remains a Systemic Vulnerability
Even though Cal Water's OT environment emerged uncompromised in this instance, the incident shines a spotlight on a structural problem that security professionals, policy makers, and IT decision-makers across Europe and North America have been grappling with for years: water utilities and other critical infrastructure operators are disproportionately reliant on legacy systems, underfunded security programs, and third-party vendors with inconsistent security postures.
According to research published by the Cybersecurity and Infrastructure Security Agency (CISA), water and wastewater systems represent one of the most targeted sectors in critical infrastructure, yet many operators run SCADA and ICS environments that were designed decades before modern cybersecurity frameworks existed. These systems were built for reliability and longevity, not for network security. Retrofitting them with contemporary defenses — network segmentation, zero-trust architecture, OT-specific endpoint detection — is technically complex and financially burdensome for utilities operating on thin margins.
The SANS ICS Security Survey has consistently highlighted that a significant proportion of water utilities lack dedicated OT security staff, rely on air-gapped systems as their primary defense (a posture increasingly undermined by remote access requirements introduced during and after the pandemic), and have limited visibility into what third-party vendors can access on their behalf. The Cal Water incident demonstrates exactly how this third-party attack surface can be exploited — even when the core OT environment remains isolated.
The Third-Party Vendor Problem: A Blind Spot in OT Security Strategy
The most operationally significant finding from the Cal Water investigation is not what the hackers accessed, but where they gained entry: third-party service provider platforms. This is not a new attack vector — it is, in fact, one of the most persistent and difficult-to-mitigate risks in enterprise and critical infrastructure security alike. From the SolarWinds supply chain attack to the MOVEit file transfer breaches documented by cybersecurity researchers at Mandiant and CrowdStrike, the pattern is consistent: sophisticated threat actors target the weakest link in the vendor ecosystem rather than attempting to breach hardened primary environments directly.
For IT decision-makers and security architects evaluating their own exposure, the Cal Water case provides a useful framework for thinking about vendor risk. The compromised accounts were accessed using stolen credentials — which means multifactor authentication (MFA), privileged access management (PAM), and credential monitoring should be baseline controls applied not just internally, but enforced contractually across all third-party platforms that touch any part of a utility's operational data environment.
The European approach to this problem is instructive. Under the EU's NIS2 Directive — which came into force in October 2024 and applies to operators of essential services across member states — organizations are now legally required to address supply chain security as part of their cybersecurity risk management obligations. This means conducting security assessments of vendors, writing breach-notification and security-standard clauses into vendor contracts, and maintaining visibility over what access third parties hold. While NIS2 is a European regulatory instrument, its framework offers a compelling model for critical infrastructure operators globally who are navigating similar third-party risk challenges.
| Attack Vector | Cal Water Finding | Recommended Control |
|---|---|---|
| Stolen user credentials | Confirmed — one customer account accessed | MFA enforcement, credential monitoring |
| Third-party platform access | Confirmed — two platforms breached | Vendor access audits, contractual security requirements |
| Internal IT environment | No evidence of access | Network segmentation, zero-trust architecture |
| OT/ICS environment | No evidence of access | OT/IT air gap, ICS-specific monitoring tools |
| Billing/payment systems | No compromise confirmed | Least-privilege access, data classification |
When Cyberattacks Become Information Operations: The New Threat Model
One of the most underappreciated dimensions of the Cal Water incident is how it illustrates the convergence of cyberattacks and influence operations. Handala did not simply conduct a breach — it made a public announcement designed to maximize fear and uncertainty. By claiming the ability to disrupt water supplies but framing the restraint as a deliberate choice, the group sought to demonstrate both capability and control: a psychological warfare posture that is increasingly common among state-affiliated threat actors.
This tactic is documented extensively in threat intelligence reporting from organizations including the Atlantic Council's Cyber Statecraft Initiative and the Recorded Future threat intelligence team, which have tracked Iranian cyber operations evolving from purely destructive attacks toward hybrid campaigns that combine data theft, disinformation, and infrastructure intimidation. For policy professionals and government partners engaged with utility security, this means that incident response frameworks need to account not just for technical remediation, but for rapid public communications strategies that can counter exaggerated attacker claims before they erode public confidence in essential services.
Cal Water's response — hiring Mandiant, coordinating with state and federal government partners, and publishing a detailed public statement — represents a model for how utilities should handle the communications dimension of such incidents. The transparency helped neutralize the psychological impact of Handala's claims by providing factual, authoritative context in a timely manner.

Key Lessons for IT Decision-Makers and Security Professionals
For developers building systems that interface with utility infrastructure, security architects designing OT environments, and policy professionals crafting regulatory frameworks, the Cal Water case distills into several actionable takeaways that extend well beyond the water sector.
Third-party access is your attack surface too. The compromise occurred not through a sophisticated zero-day exploit against Cal Water's hardened systems, but through stolen credentials on external platforms. Every third-party integration, vendor portal, and external-facing service that touches your operational data is a potential entry point. Continuous vendor security assessments and enforced MFA across all integrated platforms are non-negotiable baseline controls.
OT/IT segmentation continues to hold value — when properly implemented. The fact that Cal Water's OT environment remained uncompromised despite the broader breach suggests that meaningful network segmentation between IT and OT systems was in place. This is not universally true across the water sector. CISA's advisories on water system security consistently emphasize the need for strict OT/IT network separation, and this incident demonstrates why that investment is worth maintaining even as it creates operational friction.
Incident response must include communications strategy. Handala's influence operation component was nearly as significant as the technical breach. Organizations facing similar campaigns need pre-prepared public communication playbooks that can be activated rapidly to provide factual context, coordinate with government partners, and prevent attacker narratives from filling the information vacuum.
Credential hygiene is still a first-order problem. The initial access vector in this case was stolen user credentials — a reminder that despite years of awareness campaigns, phishing-resistant MFA, password managers, and credential monitoring tools remain inconsistently deployed, particularly in customer-facing portals at large utility operators. For
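To make the controls named in the lessons above and in the earlier table (MFA enforcement, credential monitoring, vendor access audits) concrete, the following Python is an added example written for this summary; it is not code from Cal Water, Mandiant, or the Security Week report. It parses a constructed authentication log from a customer portal and a third-party platform and flags the four patterns a basic credential-monitoring rule set would look for: a successful login without MFA, a vendor service account authenticating from outside its contractually allowed networks, the same account appearing in two countries too close together, and a burst of failures immediately followed by a success. All account names, platform labels, IP addresses (from the documentation ranges) and thresholds are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample authentication events (hypothetical accounts, platform
# labels and addresses from the documentation ranges 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24). This is not real utility telemetry.
SAMPLE_LOG = """\
2025-01-10T08:02:11Z platform=customer-portal account=cust-4471 ip=198.51.100.20 country=US mfa=yes result=success
2025-01-10T08:05:40Z platform=customer-portal account=cust-9012 ip=192.0.2.77 country=NL mfa=no result=failure
2025-01-10T08:05:52Z platform=customer-portal account=cust-9012 ip=192.0.2.77 country=NL mfa=no result=failure
2025-01-10T08:06:03Z platform=customer-portal account=cust-9012 ip=192.0.2.77 country=NL mfa=no result=failure
2025-01-10T08:06:15Z platform=customer-portal account=cust-9012 ip=192.0.2.77 country=NL mfa=no result=success
2025-01-10T09:30:00Z platform=gps-correction-site account=svc-field-ops ip=203.0.113.8 country=US mfa=yes result=success
2025-01-10T11:12:45Z platform=gps-correction-site account=svc-field-ops ip=192.0.2.130 country=DE mfa=no result=success
2025-01-10T12:00:00Z platform=customer-portal account=cust-4471 ip=198.51.100.20 country=US mfa=yes result=success
"""

# Hypothetical vendor access policy: the source networks each third-party
# service account is contractually expected to authenticate from.
VENDOR_POLICY = {
    "gps-correction-site": {"svc-field-ops": ["203.0.113.0/24"]},
}

# Detection thresholds; the values are assumptions, tune them per environment.
TRAVEL_WINDOW = timedelta(hours=6)      # two countries within this window is suspect
FAILURE_BURST = 3                       # failed attempts before a success...
FAILURE_WINDOW = timedelta(minutes=5)   # ...counted within this window


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed fields."""
    ts_str, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    event["mfa"] = event["mfa"] == "yes"
    event["success"] = event["result"] == "success"
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_allowed_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def detect(events):
    """Return (kind, platform, account, timestamp) findings for every
    successful login that matches one of the four credential-abuse patterns."""
    findings = []
    last_success = {}   # (platform, account) -> previous successful event
    failures = {}       # (platform, account) -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["platform"], e["account"])
        stamp = e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        if not e["success"]:
            failures.setdefault(key, []).append(e["ts"])
            continue

        # 1. A successful login that did not complete MFA.
        if not e["mfa"]:
            findings.append(("no_mfa", *key, stamp))

        # 2. A vendor/service account authenticating from outside the
        #    networks its contract allows.
        allowed = VENDOR_POLICY.get(e["platform"], {}).get(e["account"])
        if allowed is not None and not in_allowed_nets(e["ip"], allowed):
            findings.append(("off_network", *key, stamp))

        # 3. Same account seen from two countries too close together.
        prev = last_success.get(key)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < TRAVEL_WINDOW:
            findings.append(("impossible_travel", *key, stamp))
        last_success[key] = e

        # 4. A burst of failures immediately followed by a success, the
        #    signature of password guessing or credential stuffing that worked.
        recent = [t for t in failures.get(key, []) if e["ts"] - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_BURST:
            findings.append(("failure_burst_then_success", *key, stamp))
        failures[key] = []
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the detector raises five findings: the customer account `cust-9012` succeeds without MFA after three rapid failures, and the vendor account `svc-field-ops` logs in without MFA, from an address outside its allowed network, and from a second country less than two hours after a legitimate session. The well-behaved account `cust-4471` produces nothing. The point is that every rule here depends on telemetry from the third-party platform itself; if a vendor portal does not export per-login MFA status and source address, the contractual requirements the article describes are the only lever a utility has to obtain it.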
Originally reported by Security Week. Summarised and curated by European Purpose.