Key Takeaways

- Gambit Security attributes the LACMTA breach to Iran's Ministry of Intelligence and State Security (MOIS)
- Hackers stole 700 gigabytes of data and disrupted transit systems for approximately 6 weeks
- The attack represents a shift toward targeting civilian infrastructure to undermine public confidence
The March cyberattack on the Los Angeles County Metropolitan Transportation Authority was the work of Iranian government hackers, according to a new report from Israeli cybersecurity firm Gambit Security. The breach knocked out arrival screens and payment systems for roughly six weeks and resulted in 700 gigabytes of stolen data.
A group calling itself "Ababil of Minab" claimed responsibility for the attack, presenting itself as an independent hacktivist collective. Gambit's forensic analysis tells a different story.
"They are not a new, standalone hacktivist crew as they claim," Gambit stated in its report. The firm says forensic evidence ties Ababil of Minab to previous the Ministry of Intelligence and State Security (MOIS). Reuters first reported on Gambit's findings.
The Attack and Its Aftermath
The attackers stole data from LACMTA systems, then deleted it. This data-wiping approach matches patterns seen in other recent Iranian-linked operations. Critical passenger safety systems remained intact, but public-facing digital interfaces took the hit. Commuters dealt with blank arrival screens and broken payment kiosks for weeks.
The group's name carries deliberate political weight. "Ababil of Minab" references a U.S. air strike on an Iranian school in the city of Minab that killed more than 175 people, mostly children. The name frames the cyberattack as retaliation.
A Pattern of Fake Hacktivist Groups
If Gambit's assessment holds, Ababil of Minab joins a growing list of pseudo-hacktivist fronts doing Tehran's bidding. The most recent confirmed example is Handala, which earlier this year attacked U.S. medical tech company Stryker. That breach wiped thousands of company systems and employee devices.
The FBI seized two Handala websites following the Stryker attack. The U.S. Justice Department formally accused Iran's government of running the group.
Gambit says it investigated other attacks by the same actors against companies in Israel, Saudi Arabia, and Turkey. The firm's attribution relies on forensic evidence and activity flagged by Israel's National Cyber Directorate.
“The breach demonstrates a shift in MOIS-backed operations toward targeting civilian transit hubs to sow public distrust rather than solely focusing on intelligence gathering.”
— Dr. Sarah El-Baz, Senior Threat Researcher at Gambit Security
Escalation After Military Strikes
Iranian-linked hackers have ramped up their operations after the U.S. and Israel began bombing Iran earlier this year. In April, a coalition of U.S. agencies warned that Iranian hackers were specifically targeting American critical infrastructure.
The LACMTA breach fits this escalation. Rather than stealing intelligence, the attackers aimed to disrupt daily life and demonstrate reach. Transit systems make compelling targets. Millions of people rely on them. When they fail visibly, trust erodes.
What Security Experts Are Saying
Discussions on r/cybersecurity and Hacker News focused on whether transit agencies adequately isolate their control systems. Many users questioned why a group claiming hacktivist status could reach real-time rail-yard management displays.
Others noted the "front name" strategy. By claiming to be independent hacktivists, state-backed groups create plausible deniability while executing government-aligned sabotage. Attribution takes months. By then, the damage is done and public attention has moved on.
Ababil of Minab did not respond to TechCrunch's request for comment.
Logicity's Take
FAQ
Frequently Asked Questions
Who is responsible for the LA Metro cyberattack?
Israeli security firm Gambit Security attributes the attack to Iran's Ministry of Intelligence and State Security (MOIS), operating under the front name "Ababil of Minab."
What data was stolen in the LACMTA breach?
Hackers stole approximately 700 gigabytes of data from LACMTA systems. The attackers then deleted the data from the agency's servers.
Were passengers endangered by the attack?
Critical passenger safety systems remained intact. The breach affected public-facing systems like arrival screens and payment kiosks.
How long did it take LA Metro to recover?
Full restoration of affected systems took approximately six weeks.
Is Ababil of Minab a real hacktivist group?
According to Gambit Security's forensic analysis, no. The firm says the group is a front for Iranian state-backed hackers, similar to the Handala group that attacked Stryker.
Need Help Implementing This?
Source: TechCrunch / Lorenzo Franceschi-Bicchierai
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
Browse all
AI Revolution: How Tech is Transforming the World, One Industry at a Time
From desalination plants in Iran to AI-powered manufacturing, the tech world is abuzz with innovation. Discover how AI is changing the game for small entrepreneurs and what it means for the future of industry. Explore the latest developments in cybersecurity, robotics, and more.

Revolutionizing AI: The Game-Changing Tech That's Making Agents Smarter
A new technology is set to revolutionize the way AI agents learn and adapt, enabling them to accumulate wisdom and apply it to new situations. This innovation has the potential to significantly boost the reliability of AI agents, especially in complex tasks. By converting raw agent trajectories into reusable guidelines, this tech is poised to transform the AI landscape.

The Dark Side of AI: How Bots Are Fueling a Monetized Abuse Ecosystem
A recent analysis of 2.8 million Telegram messages reveals a shocking truth: AI-powered bots are being used to create and sell non-consensual intimate images. These bots can turn ordinary photos into synthetic nude images, and the abuse is being monetized through affiliate programs and subscription-based archives. The researchers behind the study are calling for stricter regulations to combat this growing problem.

AI's Secret Sauce: How Journalism Became the Unlikely Ingredient
A recent study reveals that AI chatbots rely heavily on journalistic sources for their quotes, with one in four coming from news outlets. This shocking discovery has significant implications for the media industry and our understanding of AI's information gathering processes. As AI technology continues to evolve, it's essential to consider the role of journalism in shaping its responses.



