An Iran-aligned hacking group known as Handala has claimed responsibility for breaching California water utility systems, framing the operation as direct retaliation for US airstrikes that destroyed drinking water infrastructure in southern Iran.
The group published its claim on X, releasing what it says are screenshots of internal operational dashboards, customer billing records, authentication logs, and GPS monitoring interfaces belonging to California water facilities. The statement appeared on Handala's public leak site under the headline 'From Sirik to California: Handala Hits Back at America's Water.'
Notably, the group stated it chose to hold back from causing actual disruption. The group alleged that its cyber team had compromised California water facilities. Still, it asserted it chose not to disrupt water services, framing the operation as a warning to Washington.
The released screenshots purportedly reference California locations including Chico, Bakersfield, Visalia, Salinas, Stockton, and San Mateo, and allegedly display customer account records, payment histories, billing information, service addresses, and authentication activity.
The hack claim comes just two days after US strikes on June 10, damaged two water reservoirs in the southern Iranian port town of Sirik, leaving approximately 20,000 residents without access to safe drinking water during a heat wave, with regional temperatures climbing between 45-degrees and 50-degrees.
Iran's Foreign Ministry spokesman condemned the strikes as a 'calculated war crime,' stating that the US had 'deliberately struck vital civilian water infrastructure in Sirik, Hormozgan, destroying two reservoirs with a combined capacity of 2,500 cubic meters' that supplied drinking water to more than 20,000 residents across ten villages.
In its statement, Handala referenced Stuxnet, the malware operation widely associated with efforts to sabotage Iran's nuclear program, claiming that attacks against Iranian interests would no longer go unanswered.
Handala is widely regarded by security researchers as more than a simple hacktivist collective. Threat intelligence firm FalconFeeds.io describes the group as a 'faketivist' operation, while cybersecurity sources track it under names including Banished Kitten, Storm-0842, and Void Manticore, and assess it to be run out of Iran's Ministry of Intelligence. The group most recently claimed responsibility for a March 2026 attack on medical device maker Stryker, which it said triggered simultaneous factor resets on over 200,000 corporate devices across 79 countries.
The incident marks an escalation in the pattern of cyber operations tied to the broader US-Iran conflict, which began in earnest following the end of direct fighting between Israel and Iran in June 2025, with Handala's activity illustrating how Tehran uses cyberattacks to replace or supplement military capabilities.
