Israeli firm attributes LA transit breach to Iranian state intelligence

Forensic analysis suggests Ababil of Minab is a cover for Iranian-backed operations targeting critical infrastructure amid escalating regional conflict.

Author
Owen Mercer
Markets and Finance Editor
Published
Draft
Source: TechCrunch · original
Iranian hackers blamed for breach of Los Angeles transit system that took weeks to recover
Gambit Security report links LACMTA attack to MOIS and fake hacktivist persona

Israeli cybersecurity firm Gambit Security has attributed a March breach of the Los Angeles County Metropolitan Transportation Authority (LACMTA) to Iranian-backed hackers operating on behalf of the Ministry of Intelligence and State Security (MOIS). The attribution follows claims made by a hacktivist group calling itself Ababil of Minab, which stated it had stolen and subsequently deleted data from the transit system.

The breach caused operational disruptions at the LACMTA that took weeks to resolve. Gambit asserts that Ababil of Minab is not a standalone crew but a fabricated persona tied to previous Iran-linked campaigns. The firm’s assessment is based on forensic evidence and its investigation into other attacks against companies in Israel, Saudi Arabia, and Turkey.

Gambit noted that the group’s name references a U.S. airstrike on a school in Minab, Iran, which reportedly killed more than 175 people, mostly children. The firm linked the activity to the Israel National Cyber Directorate, which has previously attributed similar campaigns to the MOIS. Ababil of Minab did not respond to requests for comment.

This incident follows a broader increase in Iranian-linked cyber activity targeting critical infrastructure in the United States and other nations since the start of the war in Iran. In April, a coalition of U.S. agencies warned that Iranian hackers were actively targeting American critical infrastructure.

The LACMTA breach mirrors previous operations by Iranian-linked groups. Earlier this year, a group called Handala hacked U.S. medical tech giant Stryker, wiping thousands of systems. Following that breach, the FBI seized Handala websites and the U.S. Justice Department accused the Iranian government of being behind the attacks.
