Iranian hackers linked to Tehran spy agency behind LA transit breach, Israeli researchers say
Israeli cybersecurity firm Gambit Security says forensic evidence ties a pro-Iranian persona to the theft of 700 gigabytes of data from LA Metro
The Tel Aviv-based cybersecurity firm Gambit Security has linked a destructive hacking campaign to Iran's Ministry of Intelligence and Security. The campaign targeted organizations across four countries, including the Los Angeles County Metropolitan Transportation Authority. The hackers stole at least 700 gigabytes of emails, backups, and other files from the LA transit authority, an intrusion detected around March 16.
Gambit Security said forensic evidence ties the operation to a pro-Iranian persona calling itself Ababil of Minab, which may be linked to Iran’s Ministry of Intelligence and Security (MOIS). The group's name refers to the bombing of a girls' school in the Iranian city of Minab that officials there say killed more than 175 children and teachers.
About two weeks after the initial hacking, Ababil materialized online and claimed to have wiped an enormous amount of data, publishing a video purporting to show them rampaging through the transit system's network. Although officials said the breach did not interrupt train or bus service, it disabled at least some arrival screens and prevented customers from loading money onto their transit cards.
Beyond LA County and the US, Gambit said the campaign targeted organizations in Israel, Saudi Arabia, and Turkey, with destructive operations carried out at a subset of victims. The attackers deleted virtual machines, databases, and storage volumes through both automated scripts and hands-on activity, targeting virtualization infrastructure and backups to maximize destruction and complicate recovery.
Eyal Sela, Gambit's director of threat intelligence, said an Iranian state connection "has been a working assumption," adding that the firm's research provides the forensic evidence to support it.
Ababil has also claimed credit for hacks affecting South Florida's Tri-Rail commuter system, vehicle tracking company Vyncs, and Saudi infrastructure firm Unimac. Tri-Rail confirmed it had been hacked but said none of the affected data was critical. The FBI said it was aware of the LACMTA incident and was coordinating with partners but hasn't commented further.
The breach is part of a broader wave of alleged Iranian cyber operations since the US and Israel launched strikes on Iran in late February, including a damaging attack on medical device company Stryker and the leak of personal emails belonging to FBI Director Kash Patel.