Iranian Hackers Breached LA Metro: 6 Weeks to Recover

Huma Shazia · 26 May 2026 at 9:27 pm · 5 min read

Key Takeaways

Source: TechCrunch
  • Gambit Security attributes the LACMTA breach to Iran's Ministry of Intelligence and State Security (MOIS)
  • Hackers stole 700 gigabytes of data and disrupted transit systems for approximately 6 weeks
  • The attack represents a shift toward targeting civilian infrastructure to undermine public confidence

The March cyberattack on the Los Angeles County Metropolitan Transportation Authority was the work of Iranian government hackers, according to a new report from Israeli cybersecurity firm Gambit Security. The breach knocked out arrival screens and payment systems for roughly six weeks and resulted in 700 gigabytes of stolen data.

A group calling itself "Ababil of Minab" claimed responsibility for the attack, presenting itself as an independent hacktivist collective. Gambit's forensic analysis tells a different story.

"They are not a new, standalone hacktivist crew as they claim," Gambit stated in its report. The firm says forensic evidence ties Ababil of Minab to the Ministry of Intelligence and State Security (MOIS). Reuters first reported on Gambit's findings.

The Attack and Its Aftermath

The attackers stole data from LACMTA systems, then deleted it. This data-wiping approach matches patterns seen in other recent Iranian-linked operations. Critical passenger safety systems remained intact, but public-facing digital interfaces took the hit. Commuters dealt with blank arrival screens and broken payment kiosks for weeks.

700 GB: volume of sensitive data stolen from LACMTA systems during the March breach

The group's name carries deliberate political weight. "Ababil of Minab" references a U.S. air strike on an Iranian school in the city of Minab that killed more than 175 people, mostly children. The name frames the cyberattack as retaliation.

The group's claimed responsibility post on X

A Pattern of Fake Hacktivist Groups

If Gambit's assessment holds, Ababil of Minab joins a growing list of pseudo-hacktivist fronts doing Tehran's bidding. The most recent confirmed example is Handala, which earlier this year attacked U.S. medical tech company Stryker. That breach wiped thousands of company systems and employee devices.

The FBI seized two Handala websites following the Stryker attack. The U.S. Justice Department formally accused Iran's government of running the group.

Gambit says it investigated other attacks by the same actors against companies in Israel, Saudi Arabia, and Turkey. The firm's attribution relies on forensic evidence and activity flagged by Israel's National Cyber Directorate.

The breach demonstrates a shift in MOIS-backed operations toward targeting civilian transit hubs to sow public distrust rather than solely focusing on intelligence gathering.

— Dr. Sarah El-Baz, Senior Threat Researcher at Gambit Security

Escalation After Military Strikes

Iranian-linked hackers have ramped up their operations after the U.S. and Israel began bombing Iran earlier this year. In April, a coalition of U.S. agencies warned that Iranian hackers were specifically targeting American critical infrastructure.

The LACMTA breach fits this escalation. Rather than stealing intelligence, the attackers aimed to disrupt daily life and demonstrate reach. Transit systems make compelling targets. Millions of people rely on them. When they fail visibly, trust erodes.

  • March 2026: Ababil of Minab breaches LACMTA systems, steals and deletes data
  • April 2026: U.S. agencies issue warning about Iranian hackers targeting critical infrastructure
  • May 2026: Gambit Security publishes report attributing attack to MOIS

What Security Experts Are Saying

Discussions on r/cybersecurity and Hacker News focused on whether transit agencies adequately isolate their control systems. Many users questioned why a group claiming hacktivist status could reach real-time rail-yard management displays.

Others noted the "front name" strategy. By claiming to be independent hacktivists, state-backed groups create plausible deniability while executing government-aligned sabotage. Attribution takes months. By then, the damage is done and public attention has moved on.

Ababil of Minab did not respond to TechCrunch's request for comment.

Frequently Asked Questions

Who is responsible for the LA Metro cyberattack?

Israeli security firm Gambit Security attributes the attack to Iran's Ministry of Intelligence and State Security (MOIS), operating under the front name "Ababil of Minab."

What data was stolen in the LACMTA breach?

Hackers stole approximately 700 gigabytes of data from LACMTA systems. The attackers then deleted the data from the agency's servers.

Were passengers endangered by the attack?

Critical passenger safety systems remained intact. The breach affected public-facing systems like arrival screens and payment kiosks.

How long did it take LA Metro to recover?

Full restoration of affected systems took approximately six weeks.

Is Ababil of Minab a real hacktivist group?

According to Gambit Security's forensic analysis, no. The firm says the group is a front for Iranian state-backed hackers, similar to the Handala group that attacked Stryker.

Source: TechCrunch / Lorenzo Franceschi-Bicchierai

Huma Shazia

Senior AI & Tech Writer