Iranian Hackers Target LA Transit System in Major Cyber Breach

Severity: High (Score: 74.1)

Sources: Nbcnews, gambit.security, abc7.com, Iranintl, www.reuters.com

Published: 2026-05-26 · Updated: 2026-05-26

Keywords: hackers, security, iran, breach, angeles, transit, system

Severity indicators: breach

Summary

In March 2026, Iranian hackers executed a cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA), stealing at least 700 gigabytes of sensitive data, including emails and backups. The attack was attributed to a pro-Iranian group named Ababil of Minab, which claimed responsibility for the breach and subsequent data destruction. Forensic evidence linked the attack to Iran's Ministry of Intelligence and Security (MOIS). The breach disrupted parts of the transit system's network, although services continued. The incident raised alarms about escalating cyber warfare amid rising tensions between the U.S. and Iran. Gambit Security, a cybersecurity firm, provided detailed analysis and evidence of the attack, which has implications for critical infrastructure security. The FBI is currently coordinating with relevant authorities in response to the breach.

Key Points:

  • Iranian hackers stole 700GB of data from LA transit systems in a March 2026 cyberattack.
  • The attack was linked to a pro-Iranian group, Ababil of Minab, and Iran's MOIS.
  • The breach disrupted LACMTA operations, although public transport services remained functional.

Detailed Analysis

**Impact**

The Los Angeles County Metropolitan Transportation Authority (LACMTA) was breached in March 2026, resulting in the theft of at least 700 gigabytes of emails, backups, and internal files. The attack disrupted parts of the transit system’s network, disabling arrival screens and temporarily preventing fare card reloads, though train and bus services continued. Additional victims include South Florida’s Tri-Rail commuter system, vehicle tracking company Vyncs, and Saudi infrastructure firm Unimac, with other Israeli and Turkish organizations also targeted. The breach affected critical public infrastructure across multiple countries, primarily in the U.S., Israel, Saudi Arabia, and Turkey.

**Technical Details**

The intrusion was conducted by a pro-Iranian hacking persona known as Ababil of Minab, linked through forensic evidence to Iran’s Ministry of Intelligence and Security (MOIS) and previously identified Iran-linked clusters such as Black Shadow. Attackers used custom exfiltration tools and destructive scripts to delete virtual machines, databases, storage volumes, and backups, employing both automated and hands-on-keyboard methods. The attack chain included initial access, data exfiltration, and destructive operations targeting IT, applications, virtualization infrastructure, and backups. Specific CVEs or malware names were not disclosed in the available reports.

**Recommended Response**

Defenders should prioritize enhancing operational resilience by focusing on recovery capabilities, including robust backup integrity verification and rapid restoration processes. Monitoring for abnormal deletion activity in virtualization and storage environments is critical. Network defenders should block known infrastructure associated with Ababil of Minab and related Iran-linked campaigns and maintain heightened vigilance for lateral movement and exfiltration behaviors. No specific patches or CVEs were identified; therefore, continuous threat hunting and incident response readiness are advised.

Source articles (8)

  • 700GB data stolen! Israeli Researchers blame Iranian hackers for Los Angeles transit system breach — Wionews · 2026-05-26
    Gambit Security said digital forensic evidence tied the servers involved to a known Iranian-linked hacking operation. In a report published on Tuesday, the company claimed that the attack was linked t…
  • Iranian hackers blamed for breach of Los Angeles transit system that took weeks to recover — Techcrunch · 2026-05-26
    Security researchers say a March breach of the Los Angeles transit system (LACMTA) was the work of Iranian-backed hackers. Israeli startup Gambit Security said in a report on Tuesday that the hackers…
  • Iranian hackers responsible for LA transit breach, security firm says — Iranintl · 2026-05-26
    Iranian hackers were behind a March cyberattack that disrupted Los Angeles’ transit system and forced parts of its network offline, Gambit Security firm said on Tuesday, according to Reuters. The Tel…
  • Iranian hackers responsible for Los Angeles transit system breach, Israeli researchers say — Nbcnews · 2026-05-26
    Iranian hackers were responsible for a disruptive computer breach in March that forced Los Angeles’ transit system to shut down parts of its network, Israeli researchers say. The saboteurs stole at le…
  • Babil Of Minab Iran Mois Destruction Campaign — gambit.security · 2026-05-26
    New forensic evidence links the persona to Iran's Ministry of Intelligence and Security, uncovers victim organizations not yet publicly named, and details the destructive playbook used against IT, app…
  • Iran Us School Hegseth Trump 2ffff06808f7a584b0a03831897ab0b8 — apnews.com · 2026-05-26
    WASHINGTON (AP) — Outdated intelligence likely led to the United States carrying out a deadly missile strike on an elementary school in Iran that killed over 165 people, many of them children, in the…
  • 18739413 — abc7.com · 2026-05-26
    LOS ANGELES (KABC) -- Metro says it's working to restore access to its internal administrative computers after the agency's security team discovered "unauthorized activity." The transit system said Th…
  • Iranian Hackers Responsible Los Angeles Transit System Breach Israeli 2026 05 26 — www.reuters.com · 2026-05-26

Timeline

  • 2026-03-16 — Cyberattack on LACMTA detected: The Los Angeles transit authority discovered the breach affecting their systems, leading to data theft and disruption.
  • 2026-05-26 — Gambit Security reports on Iranian hackers: Gambit Security published findings linking the LACMTA breach to Iranian hackers and provided forensic evidence.
  • 2026-05-26 — Ababil of Minab claims responsibility: The group claimed to have wiped significant amounts of data from LACMTA systems in a destructive cyber operation.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Babil Of Minab Iran Mois Destruction Campaign (Campaign)
  • Agnik (Company)
  • Los Angeles County Metropolitan Transportation Authority (Company)
  • Stryker (Company)
  • Tri-Rail (Company)
  • Unimac (Company)
  • Vyncs (Company)
  • Metro (Platform)
  • Iran (Country)
  • Israel (Country)
  • Saudi Arabia (Country)
  • Turkey (Country)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • Transportation (Industry)
  • 2ffff06808f7a584b0a03831897ab0b8 (Md5)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1485 - Data Destruction (Mitre Attack)