ctipilot.ch

Handala breaches California Water Service through an internet-exposed RTKBase GNSS platform — billing PII for ~2M customers leaked, no OT access

From CTI Daily Brief — 2026-06-15 · published 2026-06-15

Iran-aligned group Handala — widely assessed as a front for the Void Manticore / Storm-0842 cluster and attributed to Iran's MOIS (MITRE tracks the group as G1055) — claimed compromise of California Water Service (Cal Water), one of the largest US investor-owned water utilities, and published a ~5 GB proof dump on its Telegram blog around 11 June (SecurityWeek, 2026-06-12; Security Affairs, 2026-06-12). The dump comprised customer billing PII (names, addresses, payment histories) across at least seven service districts, plus administrative credentials for the utility's internal RTKBase NTRIP caster — an open-source GNSS base-station platform that supplies precision-GPS corrections to field crews. The access path is the notable part: rather than attacking the OT environment, Handala exploited an internet-exposed RTKBase instance (reported online ~783 hours without credential rotation), harvested the mountpoint-level NTRIP source password, and pivoted laterally to the customer billing database (Security Magazine, 2026-06-12).

Independent analysis tempers the actor's framing. Dataminr assessed that Handala reached only a GPS-correction server and a billing database — "neither system controls water treatment or distribution" — and that no OT/ICS disruption is confirmed in this incident (Dataminr, 2026-06-11; Security Magazine, 2026-06-12). The attack maps to T1190 (Exploit Public-Facing Application) for the initial RTKBase reach, T1078 (Valid Accounts) for the harvested NTRIP credentials, and T1021 (Remote Services) for the lateral pivot into the billing segment — the pivot from a GNSS-correction host to a customer-data store is itself evidence of a segmentation gap between the surveying/IoT layer and the IT data plane.

Why it matters to us: RTKBase and other NTRIP casters are deployed by water utilities, energy operators, municipal public-works departments and survey contractors across Switzerland and the EU — the exact public-sector-adjacent estate this brief tracks — and the access vector (an internet-facing GNSS service on default/stale credentials) is generic and replicable. Audit your external attack surface for internet-exposed RTKBase/NTRIP/GNSS and industrial-IoT instances; place any behind MFA-enforced VPN/ZTNA; rotate NTRIP mountpoint passwords; and validate segmentation between the GNSS/IoT layer and billing/IT systems. Detection concept: alert on NTRIP caster authentication from non-field-crew source addresses and on any east-west traffic from a GNSS-correction host into customer-data subnets.
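The two detection ideas above can be prototyped against log data before they are moved into a SIEM. The following is an added example, not code from the brief or from the RTKBase project: it applies both rules to a handful of constructed records. The log line formats (`ntrip-auth …` and `flow …`), the field-crew address ranges, the customer-data subnet and the GNSS caster address are all assumptions chosen for the example; a real deployment would substitute the caster's own access log and the firewall's flow export.

```python
"""Prototype of the brief's two detection rules over constructed logs.

Rule 1: NTRIP caster authentication (success or failure) from any source
        address outside the known field-crew ranges.
Rule 2: any east-west connection from a GNSS-correction host into a
        customer-data subnet.
Log formats, hostnames and address ranges below are constructed for this
example and are not RTKBase's native output.
"""
import ipaddress
import re
from dataclasses import dataclass

# --- Constructed environment model (assumptions, not any utility's network) ---
FIELD_CREW_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
CUSTOMER_DATA_NETS = [ipaddress.ip_network("10.20.0.0/16")]
GNSS_HOSTS = {ipaddress.ip_address("10.50.0.10")}  # the NTRIP caster / base station

# --- Constructed log formats ---
# One caster authentication event; NTRIP clients authenticate per mountpoint.
CASTER_RE = re.compile(
    r"^(?P<ts>\S+) ntrip-auth result=(?P<result>ok|fail) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) mount=(?P<mount>\S+)$"
)
# One allowed connection as exported by the internal firewall.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def check_caster_auth(m):
    """Rule 1: flag logins from outside the field-crew ranges; a successful
    login from an unknown source is rated higher than a failed one."""
    src = ipaddress.ip_address(m["src"])
    if in_nets(src, FIELD_CREW_NETS):
        return None
    severity = "high" if m["result"] == "ok" else "medium"
    return Alert("ntrip_auth_non_field_source", str(src),
                 f"{severity}: {m['result']} login as {m['user']} to mount {m['mount']}")


def check_flow(m):
    """Rule 2: flag the GNSS host talking into the customer-data subnet."""
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src in GNSS_HOSTS and in_nets(dst, CUSTOMER_DATA_NETS):
        return Alert("gnss_host_to_customer_data", str(src),
                     f"east-west to {dst}:{m['dport']}")
    return None


def detect(lines):
    """Run both rules over an iterable of log lines; returns alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if (m := CASTER_RE.match(line)):
            alert = check_caster_auth(m)
        elif (m := FLOW_RE.match(line)):
            alert = check_flow(m)
        else:
            continue  # unknown record type; a production pipeline would count these
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one legitimate crew login, an outsider failing then
# succeeding, a benign NTP flow, the GNSS host reaching a database in the
# customer-data subnet, and an unrelated host reaching the same database.
SAMPLE_LOG = """
2026-06-10T06:01:02Z ntrip-auth result=ok src=198.51.100.23 user=crew-07 mount=RTCM3_SITE1
2026-06-10T06:04:11Z ntrip-auth result=fail src=192.0.2.77 user=admin mount=RTCM3_SITE1
2026-06-10T06:04:19Z ntrip-auth result=ok src=192.0.2.77 user=admin mount=RTCM3_SITE1
2026-06-10T06:05:40Z flow src=10.50.0.10 dst=10.50.0.1 dport=123
2026-06-10T06:07:02Z flow src=10.50.0.10 dst=10.20.4.15 dport=1433
2026-06-10T06:07:30Z flow src=10.30.1.8 dst=10.20.4.15 dport=1433
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.rule}] src={a.src} {a.detail}")
```

Against the constructed sample this yields three alerts: the failed and then successful logins from 192.0.2.77, and the GNSS host's connection to 10.20.4.15:1433. The last unrelated flow is deliberately not flagged, since rule 2 is about the GNSS layer crossing into the IT data plane, not about database access in general; that keeps the rule narrow enough to stay quiet on a correctly segmented network and loud the moment the segmentation gap described above is exercised.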