"Nothing in the published evidence supports Handala’s claim that it can shut off water in U.S. cities," said Sean Malone, Chief Information Security Officer at BeyondTrust.
BeyondTrust and Dataminr: breach appears limited to GPS correction and billing systems
BeyondTrust and Dataminr's assessments, summarized by Sean Malone, place Handala's intrusions inside an internal GPS correction server and a customer billing database. Malone emphasized that "neither system controls water treatment or distribution," and that "OT or ICS disruption is not confirmed in this incident." BeyondTrust's Epic Fury advisory also warns that Handala has a record of overstating its capabilities and frames the group's public restraint as part of a psychological operation.
The advisory prescribes a practical response playbook: validate patching on internet-facing systems; enforce phishing-resistant multi-factor authentication (MFA) on privileged accounts; restrict internet exposure of administrative interfaces; and monitor for anomalous outbound transfers. BeyondTrust also described Iran’s cyber proxy ecosystem as operating at "wartime tempo," and noted that more than three months into this campaign the tempo appears to be holding.
Agnidipta Sarkar: credible warning — capability to disrupt OT not shown
Agnidipta Sarkar, Chief Evangelist at ColorTokens, framed Handala's public statements as designed to "generate fear, uncertainty, and media attention." Sarkar noted the group's "flair for operational disruption, data destruction, and publicly publishing the results," and judged that Handala "likely possesses the capability to compromise poorly secured water-sector environments" on the IT side.
Crucially, Sarkar said she found "no indication that they have acquired capabilities to disrupt SCADA systems, PLCs, pump controls, treatment systems or other OT systems," even while acknowledging that "Iranian-affiliated actors have successfully targeted OT systems in the water sector" and so could acquire such capabilities. Her operational recommendation: conduct an immediate Breach Readiness Impact Assessment for OT systems and enforce strict microsegmentation to deny lateral movement, with pervasive microsegmentation providing unified zoning controls and a single pane of control for water-system leadership.
John Gallagher: RTKBase, 5 GB of exfiltrated data, and credential compromises
John Gallagher, Vice President at Viakoo, described the incident as a "warning shot" that stopped short of operational disruption. Gallagher cited Handala's own blog where the group claimed it "chose not to" interrupt water access. Viakoo's analysis indicates the breach was contained to an internal global navigation satellite system (GNSS) platform called RTKBase and a customer billing database; "actual operational technology (OT) or industrial control system (ICS) disruption has not been confirmed."
Gallagher said the actors exfiltrated roughly 5 gigabytes of data — including customer names, addresses, and payment histories — and harvested administrative credentials, mapping infrastructure that "could be weaponized later." He warned that Handala's toolkit includes custom data wipers and Master Boot Record–overwriting capabilities, and pointed to parallels with the Colonial Pipeline incident to illustrate how billing or enterprise systems can become pivot points to operational disruption.
Viakoo's practical guidance is detailed: eliminate pivot points between OT/IoT and corporate networks; enforce strict zero-trust network segmentation; isolate IoT/telemetry/smart infrastructure from business systems; assume shared or default credentials are compromised and immediately enact automated rotation of all administrative passwords; and place internet-facing OT, GNSS, or industrial IoT applications behind MFA VPNs or zero-trust network access (ZTNA) gateways. Gallagher noted attackers enumerated IP addresses and targeted an RTKBase instance that had been continuously online for 783 hours, underscoring the need for external attack-surface audits.
Shane Barney: customer privacy impact and the lesson of lateral movement
Shane Barney, Chief Information Security Officer at Keeper Security, echoed the technical read: "The technical evidence shows a GPS correction network and a customer billing system were compromised, exposing real customer data across multiple districts." Barney stressed that "there is no confirmed access to water treatment controls or operational safety infrastructure," a distinction he said should shape public and security-team assessments.
Barney placed the incident in a larger pattern: "Iran-linked actors have been open about targeting life-sustaining infrastructure for psychological impact, and federal advisories have flagged U.S. water utilities as a priority target." He said the event is illustrative of lateral movement failures — internal systems becoming bridges to customer data — and reiterated foundational controls: credential hygiene, network segmentation, and consistent access controls as immediate priorities for utilities that have not yet hardened those defenses.
What this means for technologists, policymakers, and Cal Water
- Technologists and security teams: implement the practical measures recommended by the experts — patch internet-facing systems, enforce phishing-resistant MFA, rotate administrative credentials automatically, perform external attack-surface audits, and apply strict microsegmentation or zero-trust segmentation between OT and IT.
- Policymakers and regulators: the incident reinforces the characterization of water utilities as a priority target and the "wartime tempo" warning from security advisories; regulators will be watching for enforcement or guidance that reduces internet exposure of OT and improves credential management across the sector.
- Cal Water and other utilities: treat Handala's claim as a credible warning of intent and potential capability, but do not equate it with proof of operational control — immediately review breach readiness for OT reachability, isolate GNSS and telemetry platforms from billing and corporate systems, and assume any shared or default credentials exposed are compromised.
Handala's public restraint — the group's assertion that it "chose not to" disrupt water — may be less reassurance than a strategic pause. The combination of 5 gigabytes of exfiltrated customer data, harvested administrative credentials, a continuously exposed RTKBase instance, and the group's documented destructive toolkit makes this episode a tactical warning: the adversary's reach into IT is clear, and the pathway to OT remains a vulnerability that defenders must close now.