California Water Service said it is investigating claims by an Iran-linked threat group of a cyberattack against the water utility.
The Iran-nexus group tracked as Handala claimed an attack against the water utility and cautioned that it deliberately avoided any attempt to disrupt the facility’s water distribution, according to Check Point Research.
Cal Water, the largest water utility in the western U.S., confirmed that a claim was made on June 11. It said it is continuing to investigate.
“We take cybersecurity and this claim very seriously and are working around the clock to investigate,” a spokesperson told Cybersecurity Dive via email.
After learning of the claim last Thursday, Cal Water officials have been working with forensic investigators as well as federal and state law enforcement. Preliminary results show no operational disruptions to water systems or customer billing, the spokesperson said.
The group Handala claims the attack was retaliation for recent U.S. military operations in Sirik, Iran, according to Check Point Research. The group also claims it deliberately chose not to disrupt water services at the utility.
The group posted several screenshots that appear to show customer relationship management and billing systems, global navigation satellite systems, access to customer information and several internal credentials.
Check Point Research said if the posted information is confirmed, it would indicate the hackers gained access to the utility’s information technology systems and not the operational technology systems that could control water distribution.
The disclosure came just days after a Utah-based water utility said it had recovered from a March attack on its facilities. Sage Energy Partners last week said it had remediated systems at its Sage Water Resources facility, which operates a salt-water disposal facility in Duchesne, Utah.
The company said an investigation found that a sophisticated nation-state threat actor compromised the programmable logic controller automation system at the facility. Sage officials said the attack was consistent with a wider campaign targeting critical infrastructure across the U.S.
As previously reported, the Cybersecurity and Infrastructure Security Agency and the FBI issued an advisory warning of a threat to water and energy facilities by state-linked hackers. The agencies confirmed that multiple sites had been attacked, leading to disruption and financial impacts.
Handala is considered one of the most notorious threat actors linked to Iran. The group claimed credit for a March attack against medical device maker Stryker.
Federal officials seized domains linked to Handala after the group used various websites to publicize attacks and target political dissidents.