California water utility probes breach claim by Iran-linked actor

Cybersecurity Dive · June 20, 2026

California Water Service is investigating a claim by the Iran-linked threat group Handala that it successfully breached the utility's systems. Although the group released screenshots suggesting access to internal data, the utility reports no operational disruptions to water distribution or billing services. The incident underscores the persistent threat nation-state actors pose to critical water infrastructure in the United States.

California Water Service, the largest water utility in the western U.S., confirmed it is working with forensic investigators and law enforcement to probe a claim made on June 11 by the Iran-nexus group Handala. The utility stated that preliminary results show no disruptions to water systems or customer billing, though it is taking the claim very seriously. Handala reportedly claimed the attack was retaliation for U.S. military operations in Sirik, Iran, but asserted that it intentionally avoided disrupting the facility’s water distribution.

Evidence posted by Handala included screenshots purportedly showing access to customer relationship management and billing systems, global navigation satellite systems, and internal credentials. Check Point Research noted that if the information is confirmed, it suggests the hackers accessed the utility’s information technology (IT) systems rather than the operational technology (OT) systems that manage water flow. This distinction is critical for the utility sector, as IT breaches often involve data theft while OT breaches can lead to physical service interruptions.

The disclosure follows a recent report from Utah-based Sage Water Resources, which remediated a March attack by a nation-state actor that compromised its programmable logic controllers. These events align with recent warnings from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI regarding state-linked threats to water and energy facilities. As federal officials scramble to assess the broader impact on critical infrastructure, the industry is being urged to prioritize secure development practices and robust cybersecurity defenses to mitigate financial and operational risks.

Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to Cybersecurity Dive.