Pro-Iranian Group Ababil of Minab Claims Cyberattack on LACMTA
Severity: High (Score: 72.5)
Sources: www.dataminr.com, Industrialcyber.Co
Summary
On April 9, 2026, the pro-Iranian hacking group Ababil of Minab claimed responsibility for a cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA). The group alleged access to critical systems, including virtualization infrastructure, web servers, and rail yard management systems. They published evidence, including screenshots and videos, via their Telegram channel and website, asserting they had compromised internal systems. The attackers claimed to have wiped 500 TB of data and exfiltrated 1 TB of sensitive information. However, LACMTA has not confirmed the breach as of April 15, 2026. The attack raises concerns about operational technology exposure and safety implications for rail operations. The group's messaging indicates potential for further attacks, aligning with known patterns of Iranian-aligned cyber operations. The presence of an 'Activate Windows' watermark in the screenshots suggests they were taken from an attacker-controlled environment rather than legitimate LACMTA systems.
Key Points
- Ababil of Minab claims to have compromised LACMTA's critical systems.
- The group alleges to have wiped 500 TB of data and exfiltrated 1 TB of sensitive information.
- LACMTA has not confirmed the breach, and the attack raises operational safety concerns.
Key Entities
- Malware (attack_type)
- Ransomware (attack_type)
- Los Angeles County Metropolitan Transportation Authority (company)
- boardclerk.metro.net (domain)
- jobs.metro.net (domain)
- registration.metro.net (domain)
- sso.metro.net (domain)
- Transportation (industry)
- T1021 - Remote Services (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1486 - Data Encrypted for Impact (mitre_attack)
- T1505.003 - Web Shell (mitre_attack)
- IIS (platform)
- Windows (platform)
- VMware (tool)