State-Affiliated Iranian Hackers Linked to the Los Angeles Transit System Breach

State-affiliated Iranian hackers, linked to Iran’s Ministry of Intelligence and Security (MOIS), breached the Los Angeles transit system, exfiltrating 700 GB of data and disrupting services, according to cybersecurity firm Gambit Security. The Ababil of Minab group claimed responsibility, leaking stolen data and targeting other global transit and infrastructure systems, while authorities and experts warn of escalating Iranian cyber threats against critical systems.
A cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA/LA Metro) was linked to state-affiliated Iranian hackers, forcing partial system shutdowns and disrupting online services. The breach prevented riders from using the TAP Mobile App for fare loading, prompting LACMTA to advise purchasing TAP cards via machines or fareboxes.

The Ababil of Minab hacking group claimed responsibility, exfiltrating 700 GB of data—including backups and emails—while also leaking stolen information online. The group has previously targeted South Florida’s Tri-Rail, Saudi Arabia’s Unimac, and Israel’s Agnik’s vehicle-tracking system.

Gambit Security, a Tel Aviv-based firm, detected data exfiltration tools linked to breaches in the U.S., Israel, Saudi Arabia, and Turkey, noting that the attackers deleted virtual machines and backups to hinder recovery. Gambit’s investigation suggests Ababil of Minab operates under Iran’s Ministry of Intelligence and Security (MOIS), despite claiming independence. The firm shared its findings with authorities, including the FBI, which is collaborating on the investigation.

LACMTA confirmed the breach did not affect rail lines or customer/employee data, though the attack vector remains unidentified.

Cybersecurity experts warn of a broader trend in Iranian cyber operations, combining espionage, disruption, and psychological tactics. Public transit systems, reliant on legacy infrastructure and interconnected networks, are prime targets due to their high visibility and operational impact. Ensar Seker, CISO at SOCRadar, highlighted the attackers’ dual goals: intelligence gathering and coercive influence through data theft and service disruptions.

The incident underscores vulnerabilities in critical infrastructure, with attackers exploiting multiple attack paths. Gambit’s analysis reveals destructive operations across IT, virtualization, and backups, including automated scripts and manual deletions.
While LACMTA has not attributed the attack to a specific group, the FBI and partners continue investigating the breach’s origins and scope.
This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.