Iranian intel. ministry-linked group behind LA public transport cyberattack, Israeli firm finds

Israeli cybersecurity firm Gambit Security linked an Iranian state-backed hacking group to a March cyberattack on Los Angeles’ transit system, in which 700GB of data was stolen and systems were deliberately destroyed. The group, Ababil of Minab, claimed responsibility, and forensic evidence supports its ties to Tehran, though officials declined to comment on attribution.

An Iranian-linked hacking group targeted the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March, disrupting digital services and stealing at least 700 gigabytes of emails, backups, and files, according to Gambit Security, an Israeli cybersecurity firm. The attack, detected around March 16, forced LACMTA to shut down parts of its network, affecting passenger services like arrival time displays and digital payment systems, though officials confirmed the transit service itself remained operational.

Gambit’s investigation tied the breach to a known Iranian state-backed operation, with digital evidence linking the exposed data to Tehran. The firm’s report also revealed that the attackers deleted virtual machines, databases, and backup infrastructure, impairing LACMTA’s recovery efforts. This went beyond data theft, suggesting a deliberate attempt to cripple the system.

The hacker group Ababil of Minab claimed responsibility, referencing a 1979 bombing in Iran and aligning with a pattern of pro-Iranian cyberactivism linked to state intelligence. Gambit’s director of threat intelligence, Eyal Sela, stated that while a connection between Ababil and Iranian state actors had been suspected, the firm’s findings provided forensic confirmation.

The firm alerted relevant authorities, including the FBI, which acknowledged awareness of the incident but declined further comment. LACMTA officials previously stated they were collaborating with law enforcement and cyber specialists to restore systems, and avoided speculation on attribution.

The attack occurred as Los Angeles prepares to host the FIFA 2026 World Cup, raising concerns about potential broader targeting. Iran’s UN mission and Israel’s National Cyber Directorate did not respond to requests for comment, while the Cybersecurity and Infrastructure Security Agency (CISA) also declined to address the findings.