Iranian Hackers Breach Los Angeles Transit System, Steal 700GB of Data
Severity: High (Score: 77.1)
Sources: Ground.News, Iranintl, Mlq.Ai, gambit.security, apnews.com
Keywords: hackers, security, iran, breach, angeles, transit, system
Severity indicators: breach
Summary
In March 2026, Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) breached the Los Angeles County Metropolitan Transportation Authority (LACMTA), stealing at least 700 gigabytes of sensitive data, including emails and backups. The attack, attributed to a group called Ababil of Minab, disrupted parts of the transit system's network, though bus and rail services continued to operate. Forensic evidence from Gambit Security tied the hackers to Iranian state operations, indicating that this was not the independent hacktivist group it claimed to be. The breach was part of a broader campaign targeting organizations in the U.S., Israel, Saudi Arabia, and Turkey, raising concerns about escalating cyber warfare amid ongoing geopolitical tensions. The LACMTA's internal systems were affected, leading to temporary disruptions in customer services, such as fare card reloading. Recovery from the attack took weeks, highlighting the severity of the incident.

Key Points:
- Iranian hackers stole 700GB of data from the LACMTA in a March 2026 breach.
- The attack was linked to the Iranian Ministry of Intelligence and Security, not an independent group.
- The breach disrupted parts of the transit system but did not halt bus and rail services.
Detailed Analysis
**Impact**

The Los Angeles County Metropolitan Transportation Authority (LACMTA) was breached in March 2026, resulting in the theft of at least 700 gigabytes of emails, backups, and internal files. The breach disrupted parts of the transit system’s internal network and customer-facing digital services, including arrival screens and transit card reload functions, though bus and rail operations remained uninterrupted. Additional victims include organizations in Israel, Saudi Arabia, Turkey, and the United States, spanning sectors such as media, education, insurance, and infrastructure.

**Technical Details**

The attack was attributed to a group calling itself Ababil of Minab, linked through forensic evidence to Iran’s Ministry of Intelligence and Security (MOIS). The adversaries used destructive operations targeting IT infrastructure, including deletion of virtual machines, databases, storage volumes, and backups, employing both automated scripts and hands-on-keyboard activity. Python scripts enhanced by AI tools like ChatGPT were used to selectively delete user databases. The attackers moved rapidly from initial access to destruction and data exfiltration stages. The group’s infrastructure and activity align with previously known Iran-linked campaigns attributed by Israeli authorities.

**Recommended Response**

Defenders should prioritize enhancing recovery and operational resilience capabilities, focusing on backup integrity and rapid restoration processes, because the attackers concentrated on destroying backups and virtualization layers. Deploy detections for anomalous deletion commands and script-based destructive activities, particularly those targeting SQL Server databases and virtual infrastructure. Monitor for indicators related to the Ababil of Minab persona and known Iran-linked infrastructure. No specific CVEs or malware hashes were disclosed; ongoing monitoring and coordination with law enforcement and intelligence agencies are advised.
Source articles (19)
- 700GB data stolen! Israeli Researchers blame Iranian hackers for Los Angeles transit system breach — Wionews · 2026-05-26
  Gambit Security said digital forensic evidence tied the servers involved to a known Iranian-linked hacking operation. In a report published on Tuesday, the company claimed that the attack was linked t…
- Iranian hackers blamed for breach of Los Angeles transit system that took weeks to recover — Techcrunch · 2026-05-26
  Security researchers say a March breach of the Los Angeles transit system (LACMTA) was the work of Iranian-backed hackers. Israeli startup Gambit Security said in a report on Tuesday that the hackers…
- Iranian government, not hacktivist group, breached LA Metro system, security firm says — Cybersecuritydive · 2026-05-26
  A report by Israel-based Gambit Security dismisses the hackers’ claims of being patriotic but unaffiliated activists. The U.S.-Israeli war against Iran has emboldened Tehran’s hackers to pursue cybera…
- Iranian hackers responsible for LA transit breach, security firm says — Iranintl · 2026-05-26
  Iranian hackers were behind a March cyberattack that disrupted Los Angeles’ transit system and forced parts of its network offline, Gambit Security firm said on Tuesday, according to Reuters. The Tel…
- Iranian hackers responsible for Los Angeles transit system breach, Israeli researchers say — Nbcnews · 2026-05-26
  Iranian hackers were responsible for a disruptive computer breach in March that forced Los Angeles’ transit system to shut down parts of its network, Israeli researchers say. The saboteurs stole at le…
- Babil Of Minab Iran Mois Destruction Campaign — gambit.security · 2026-05-26
  New forensic evidence links the persona to Iran's Ministry of Intelligence and Security, uncovers victim organizations not yet publicly named, and details the destructive playbook used against IT, app…
- Iran Us School Hegseth Trump 2ffff06808f7a584b0a03831897ab0b8 — apnews.com · 2026-05-26
  WASHINGTON (AP) — Outdated intelligence likely led to the United States carrying out a deadly missile strike on an elementary school in Iran that killed over 165 people, many of them children, in the…
- 18739413 — abc7.com · 2026-05-26
  LOS ANGELES (KABC) -- Metro says it's working to restore access to its internal administrative computers after the agency's security team discovered "unauthorized activity." The transit system said Th…
- Iranian Hackers Blamed for Los Angeles Transit System Breach That Took Weeks to Recover — Firstpost · 2026-05-26
  Iranian hackers were responsible for a disruptive cyber breach in March that led to a shutdown of the Los Angeles County Metropolitan Transportation Authority (LACMTA) systems, stealing at least 700 G…
- Iranian State Hackers Stole 700GB From Los Angeles Metro in Weeks-Long Breach, Israeli ... — Mlq.Ai · 2026-05-26
  Iranian government-linked hackers were behind a March breach of the Los Angeles County Metropolitan Transportation Authority that took weeks to recover from and resulted in the theft of at least 700 g…
- Iranian-backed hackers linked to Los Angeles transit system breach | brief | SC Media — Scworld · 2026-05-26
  According to TechCrunch, security researchers have linked a March breach of the Los Angeles transit system to Iranian-backed hackers. An Israeli startup, Gambit Security, stated in a report that the g…
- Iranian hackers responsible for Los Angeles transit system breach, Israeli researchers say — Ground.News · 2026-05-27
  The saboteurs stole at least 700 gigabytes of emails, backups, and other files from LACMTA, a Tel Aviv-based cybersecurity firm said after discovering the misappropriated data had been inadvertently e…
- Iran — Jns · 2026-05-27
  The Israeli firm Gambit Security said on Tuesday that a group tied to the Iranian regime carried out a cyber attack against the Los Angeles County Metropolitan Transportation Authority in March. The L…
- Iranian Hackers Responsible Los Angeles Transit System Breach Israeli 2026 05 26 — www.reuters.com · 2026-05-26
- Podcast Behind The Scenes Of Blackshadow Apt With Amitai Ben Shushan Ehrlich — www.sentinelone.com · 2026-05-26
- Iranian hackers responsible for LA transit system breach, Israeli firm says — www.haaretz.com · 2026-05-27
- Iran-linked group reportedly hacked Los Angeles metro transit system in March — worldisraelnews.com · 2026-05-27
- Israeli Firm Links LA Transit Cyber Breach to Iranian Hackers — ussanews.com · 2026-05-27
- Israeli Firm Links LA Transit Breach to Iran Hackers — www.newsmax.com · 2026-05-27
Timeline
- 2026-03-16 — LACMTA breach detected: Unauthorized activity led to the discovery of a breach affecting internal systems and customer services.
- 2026-04-02 — Ababil of Minab claims responsibility: The group claimed to have wiped data from LACMTA's systems, asserting their role in the cyberattack.
- 2026-05-26 — Gambit Security reports on breach: Gambit Security released a report linking the breach to Iranian state-backed hackers, confirming the scale of the data theft.
- 2026-05-27 — Ongoing recovery efforts: LACMTA continues to work on restoring full access to its systems following the breach, which took weeks to address.
Related entities
- Data Breach (Attack Type)
- Malware (Attack Type)
- Babil Of Minab Iran Mois Destruction Campaign (Campaign)
- Agnik (Company)
- Los Angeles County Metropolitan Transportation Authority (Company)
- Los Angeles Metro (Company)
- Stryker (Company)
- Tri-Rail (Company)
- Unimac (Company)
- Vyncs (Company)
- Metro (Platform)
- ChatGPT (Platform)
- Iran (Country)
- Israel (Country)
- Saudi Arabia (Country)
- Turkey (Country)
- United States (Country)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- Energy (Industry)
- Transportation (Industry)
- 2ffff06808f7a584b0a03831897ab0b8 (Md5)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059.006 - Python (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1485 - Data Destruction (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)