Iran hackers claim breach of California systems in retaliation for hit on water facilities

San Mateo, Calif. (Image by ahsing888 from Pixabay)

By Bridget Johnson

Iran hackers claimed that they breached California water systems today in retaliation for alleged U.S. strikes that damaged civilian water infrastructure in southern Iran.

Iran state broadcaster IRIB said Wednesday that U.S. missiles damaged water facilities that serve residents in Sirik county in Hormozgan province, located on the coast of the Strait of Hormuz. A New York Times analysis said evidence suggests that drinking water storage structures were hit, though it was not known if the strike was intentional. A U.S. Central Command spokesman said the reports were under review.

Iran’s ISNA news agency said water was restored to area residents after about half a day.

In a statement posted on their Telegram channel, the Handala hacking group claimed “retribution has reached the heart of America” as “California’s water facilities have been hacked by Handala’s cyber team.”

They posted images of what appeared to be system logs related to the Bay Area city of San Mateo, Calif., followed by more logs and a Cal Water bill bearing the name and address of a customer in Chico, which is north of Sacramento.

While Handala claimed the unverified breaches, they also asserted that they didn’t tamper with water services. “We could have easily cut off the water to American cities just as your foolish president did” but chose not to, the hackers claimed.

“This is not 2010, when you could attack with Stuxnet and suffer no consequences,” the hacking group added in a message directed at the U.S. government. “Today, every assault will be met within hours by a far more devastating blow to your own infrastructure, this is your warning.”

Three days before the April 8 ceasefire began, Handala claimed that they were poised to inflict water, electricity and oil sector attacks on the United States and its allies of a caliber to “send your lives back to the Middle Ages” if the U.S. hit Iran’s power grid, as President Donald Trump threatened.

Handala, a hacking group linked to the Iranian government, claimed credit for a massive wiper attack on a U.S. medical technology company at the start of the Iran war and, later, the breach of the FBI director’s personal email. When the ceasefire began in early April, the group declared that although it would not recognize a cessation of hostilities, it had still “postponed overt confrontation” with the United States per “highest leadership” orders.

But on Tuesday, Handala said that they assisted the Islamic Revolutionary Guard Corps with pinpointing U.S. targets in response to strikes conducted in retaliation for the earlier downing of a U.S. military helicopter by an Iranian Shahed drone off the coast of Oman.

Underneath an image of a Shahed, the hackers warned, “As Handala revealed the identities of all marines of the terrorist American regime last month, leading to multiple confidential reports in Congress on the matter, the coordinates of all U.S. terrorist military forces in the Persian Gulf countries have now been transferred to the Islamic Revolutionary Guard Corps (IRGC)! Within minutes, you will be ‘welcomed’ by Shahed-136 drones.”

“You started the game; we will determine how it ends,” Handala added.

The IRGC claimed early Wednesday that it launched attacks against more than 20 targets in the region including firing long-range missiles at the U.S. al-Azraq base in Jordan. Jordanian officials said they intercepted five missiles from Iran.

Handala said after the attack that “all critical coordinates and key targets were provided by Handala and delivered to the [IRGC] Aerospace fighters, who with precision and power, struck every designated point.” The group posted a photo that they said showed the name of the hacking group written on a missile destined for U.S. targets.

In early May, Handala claimed in a Telegram post that strikes on Fujairah oil facilities were part of a coordinated cyber-physical offensive with the IRGC targeting the United Arab Emirates port city — “a fully coordinated operation” that began with their breach of port systems and was followed by kinetic attacks “minutes later.”

“This operation once again demonstrates the convergence of cyber and missile warfare on the same battlefield,” the group said. 

On May 21, Handala said that they had detected “preparations for the renewed outbreak of military conflict in the coming days” and would respond to U.S. and Israeli actions with “devastating” widespread attacks targeting energy and IT infrastructure. Handala said they believed more war is coming based on “an investigation into certain covert accesses” into U.S. and Israeli “military and security systems.”

“The joint operations command of the Handala Cyber Command and the Islamic Revolutionary Guard Corps has identified dozens of legitimate targets deep within enemy territory across multiple countries,” the group declared. “At the very opening moments of any conflict, through combined cyber, missile, and drone operations, they will deliver devastating blows to Great Satan.”

After the ceasefire between the U.S. and Iran was announced, Handala said it “continues its cyber operations” against Israeli infrastructure “at full force” despite following orders to suspend “overt” operations against the United States.

“Rest assured: when the time comes, the darkest of nights will have only just begun for America and all its supporters,” the group vowed. Handala also claimed that some of its hackers have been among the war’s death toll.
