ctipilot.ch

Handala (Void Manticore) breaches California Water Service via internet-exposed RTKBase NTRIP/GNSS caster; billing PII pivot, no OT access

incident · incident:cal-water-handala-rtkbase-gnss-2026

Coverage timeline

  • Coverage: 1 (first 2026-06-15 → last 2026-06-15)
  • Briefs: 1 (1 distinct)
  • Sources cited: 8 (6 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-15 · CTI Daily Brief — 2026-06-15
     active_threats · First coverage. Iran-aligned Handala harvested NTRIP mountpoint credentials from a public RTKBase instance (~783 h exposed) and pivoted to a ~2M-customer billing DB; Dataminr/Cal Water confirm no OT/ICS access. Transferable lesson: internet-exposed GNSS/NTRIP attack surface for CH/EU water/utility operators. T1190 → T1078 → T1021.

Where this entity is cited

  • active_threats (1)

Source distribution

  • attack.mitre.org: 3 (38%)
  • dataminr.com: 1 (12%)
  • securityaffairs.com: 1 (12%)
  • securitymagazine.com: 1 (12%)
  • securityweek.com: 1 (12%)
  • helpx.adobe.com: 1 (12%)

Related entities

Items in briefs about Handala (Void Manticore) breaches California Water Service via internet-exposed RTKBase NTRIP/GNSS caster; billing PII pivot, no OT access (1)

Handala breaches California Water Service through an internet-exposed RTKBase GNSS platform — billing PII for ~2M customers leaked, no OT access

From CTI Daily Brief — 2026-06-15 · published 2026-06-15

Iran-aligned group Handala — widely assessed as a front for the Void Manticore / Storm-0842 cluster and attributed to Iran's MOIS (MITRE tracks the group as G1055) — claimed compromise of California Water Service (Cal Water), one of the largest US investor-owned water utilities, and published a ~5 GB proof dump on its Telegram blog around 11 June (SecurityWeek, 2026-06-12; Security Affairs, 2026-06-12). The dump comprised customer billing PII (names, addresses, payment histories) across at least seven service districts, plus administrative credentials for the utility's internal RTKBase NTRIP caster — an open-source GNSS base-station platform that supplies precision-GPS corrections to field crews. The access path is the notable part: rather than attacking the OT environment, Handala exploited an internet-exposed RTKBase instance (reported online ~783 hours without credential rotation), harvested the mountpoint-level NTRIP source password, and pivoted laterally to the customer billing database (Security Magazine, 2026-06-12).

Independent analysis tempers the actor's framing. Dataminr assessed that Handala reached only a GPS-correction server and a billing database — "neither system controls water treatment or distribution" — and that no OT/ICS disruption is confirmed in this incident (Dataminr, 2026-06-11; Security Magazine, 2026-06-12). The attack maps to T1190 (Exploit Public-Facing Application) for the initial RTKBase reach, T1078 (Valid Accounts) for the harvested NTRIP credentials, and T1021 (Remote Services) for the lateral pivot into the billing segment — the pivot from a GNSS-correction host to a customer-data store is itself evidence of a segmentation gap between the surveying/IoT layer and the IT data plane.

Why it matters to us: RTKBase and other NTRIP casters are deployed by water utilities, energy operators, municipal public-works departments and survey contractors across Switzerland and the EU — the exact public-sector-adjacent estate this brief tracks — and the access vector (an internet-facing GNSS service on default/stale credentials) is generic and replicable. Audit your external attack surface for internet-exposed RTKBase/NTRIP/GNSS and industrial-IoT instances; place any behind MFA-enforced VPN/ZTNA; rotate NTRIP mountpoint passwords; and validate segmentation between the GNSS/IoT layer and billing/IT systems. Detection concept: alert on NTRIP caster authentication from non-field-crew source addresses and on any east-west traffic from a GNSS-correction host into customer-data subnets.
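The two detection concepts above (NTRIP caster authentication from non-field-crew addresses, and east-west traffic from a GNSS-correction host into customer-data subnets) as a worked example. This is added illustration code, not part of the brief and not from Cal Water, RTKBase or any of the cited sources. It assumes a generic NTRIP caster access-log line format and netflow-style (src, dst, dst_port) flow tuples; the log format, the field-crew allowlist, the GNSS host and the customer-data subnet are all constructed for the example and would be replaced by the operator's own asset inventory.

```python
"""Two detections for the GNSS/NTRIP-to-billing pivot described in the brief.

Added example, not the brief's or RTKBase's own code. The log format below is
constructed (no real caster product emits exactly this); the addresses and
subnets are likewise constructed placeholders for an operator's own inventory.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed: address ranges assumed to be legitimate field-crew egress
# (a VPN pool and a cellular NAT range). Anything else talking to the caster
# is unexpected for a service that should only serve field crews.
FIELD_CREW_ALLOWLIST = [
    ipaddress.ip_network("10.60.0.0/16"),       # assumed crew VPN pool
    ipaddress.ip_network("198.51.100.0/24"),    # assumed crew cellular NAT (TEST-NET-2)
]
# Constructed: the GNSS-correction host(s) and the subnets holding billing data.
GNSS_HOSTS = {ipaddress.ip_address("10.50.1.20")}
CUSTOMER_DATA_SUBNETS = [ipaddress.ip_network("10.10.20.0/24")]

# Constructed caster access-log format:
#   <ISO timestamp> AUTH <ok|fail> src=<ip> user=<name> mountpoint=<name>
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>ok|fail) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) mountpoint=(?P<mp>\S+)$"
)


def in_any(ip: ipaddress.IPv4Address, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if ip falls inside any of the given networks."""
    return any(ip in n for n in networks)


def ntrip_auth_alerts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """First concept: any NTRIP authentication attempt (success or failure)
    whose source address is outside the field-crew allowlist."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m:
            continue  # unrelated log line; ignore
        src = ipaddress.ip_address(m["src"])
        if in_any(src, FIELD_CREW_ALLOWLIST):
            continue  # expected crew traffic
        alerts.append({
            "rule": "ntrip-auth-from-unexpected-source",
            "ts": m["ts"], "src": str(src), "result": m["result"],
            "user": m["user"], "mountpoint": m["mp"],
        })
    return alerts


def east_west_alerts(flows: Iterable[Tuple[str, str, int]]) -> List[Dict[str, object]]:
    """Second concept: any flow originating at a GNSS-correction host whose
    destination lies in a customer-data subnet. A correction server has no
    business reaching the billing segment, whatever the port."""
    alerts = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in GNSS_HOSTS and in_any(d, CUSTOMER_DATA_SUBNETS):
            alerts.append({"rule": "gnss-host-to-customer-data",
                           "src": src, "dst": dst, "dst_port": port})
    return alerts


# Constructed sample input: four caster log lines and three flow records.
SAMPLE_LOG = [
    "2026-06-10T06:02:11Z AUTH ok src=10.60.3.7 user=crew12 mountpoint=BASE01",
    "2026-06-10T22:41:03Z AUTH ok src=203.0.113.45 user=admin mountpoint=BASE01",
    "2026-06-10T22:41:09Z AUTH fail src=203.0.113.45 user=root mountpoint=BASE01",
    "2026-06-11T05:15:48Z AUTH ok src=198.51.100.9 user=crew04 mountpoint=BASE01",
]
SAMPLE_FLOWS = [
    ("10.50.1.20", "10.60.3.7", 2101),     # corrections served to a crew: expected
    ("10.50.1.20", "10.10.20.15", 1433),   # GNSS host -> billing DB: the pivot
    ("10.10.20.15", "10.50.1.20", 2101),   # reverse direction: not the pattern
]

if __name__ == "__main__":
    for a in ntrip_auth_alerts(SAMPLE_LOG) + east_west_alerts(SAMPLE_FLOWS):
        print(a)
```

Both rules are deliberately simple allowlist/segment checks rather than behavioural baselines: the brief's point is that a GNSS-correction host should only ever see field-crew clients on its north side and should have no path at all into billing on its south side, so a single unexpected source or a single east-west flow is already worth an alert. Failed attempts from outside the allowlist are kept in the first rule because they are the earliest visible signal of credential harvesting against a stale mountpoint password.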