USA 24

Iranian hackers tied to LACMTA breach, Israeli researchers say

Israeli cybersecurity researchers say Iranian hackers were behind a March breach of the Los Angeles County Metropolitan Transportation Authority that disrupted parts of the transit network and exposed at least 700 gigabytes of emails, backups, and other files.

For more than a month, Los Angeles commuters kept moving—but the transit system’s digital backbone was hit hard enough in March that parts of the network were forced offline. Now Israeli cybersecurity researchers say the disruption and the data theft trace back to Iranian hackers.

In a report published Tuesday, Gambit Security, a Tel Aviv-based cybersecurity firm, said it found evidence tying the server where the data was exposed to a previously known hacking operation that Israeli officials and researchers attribute to Tehran. Gambit said the saboteurs stole at least 700 gigabytes of emails, backups, and other files from the Los Angeles County Metropolitan Transportation Authority, known as LACMTA.

Gambit said its discovery came after the misappropriated data was inadvertently exposed online, allowing researchers to trace a digital trail. The Los Angeles transit authority did not respond to questions about the findings.

LACMTA said in a statement shared last month that it was working with law enforcement and cyber specialists as it brought its systems back online. The agency added, “Attribution is part of the investigation and we will not speculate.”

At the center of Gambit’s conclusion is an obscure pro-Iran outfit that claimed responsibility for the intrusion, calling itself Ababil of Minab. Digital security specialists have suspected an Iranian hand since the group first took credit.

The group’s name refers to the bombing of a girls’ school in the Iranian city of Minab that officials there say killed more than 175 children and teachers. Gambit said Ababil’s rhetoric and operational style match what U.S. and Israeli researchers have described as self-styled vigilante hacker groups that can function as cut-outs for Iranian spies.

Eyal Sela, Gambit’s director of threat intelligence, said a connection between Ababil and the Iranian state is “a working assumption,” and that Gambit’s research “adds” forensic evidence to support it.

Gambit said it alerted relevant authorities to its findings.

Neither Iran’s mission to the United Nations nor Israel’s National Cyber Directorate returned messages seeking comment. Ababil did not respond to messages sent through a form on its website.

FBI AWARE, BUT NOT COMMENTING FURTHER

The FBI said it was aware of the LACMTA incident and was “coordinating with partners in response,” declining further comment. The U.S. civilian cyber defense body, the Cybersecurity and Infrastructure Security Agency, did not return messages seeking comment.

LACMTA officials said the intrusion was detected around March 16. About two weeks later, Ababil materialized online and claimed to have wiped an enormous amount of data in a destructive cyberattack, publishing a video that purported to show it rampaging through the transit system’s network.

Although LACMTA officials said the breach did not interrupt circulation of trains or buses, local media reported that it disabled at least some arrival screens and prevented customers from putting money on their transit cards.


WHAT THE BREACH READS LIKE—AND WHERE IT WENT NEXT

The LACMTA case is now being folded into a wider set of cyber incidents researchers associate with Iran-linked actors.

Gambit said Ababil has also claimed hacks involving South Florida’s Tri-Rail commuter transit system, vehicle tracking firm Vyncs, and Saudi infrastructure company Unimac.

Tri-Rail confirmed it had been hacked “about a month ago,” saying that none of the affected data was critical. Vyncs owner Agnik said its breach was detected on April 2, but declined to comment on the nature of the data stolen. Both Tri-Rail and Agnik said the FBI was involved. In an email, Agnik wrote that the bureau “has a pretty good understanding of who these criminals are.” Unimac did not return messages seeking comment.

Gambit added that the group behind Ababil has hacked other organizations whose identities it has not made public, citing its analysis of other data left online by the spies. Sela said those targets included a media organization and an educational institution in Israel, as well as an insurance brokerage in Turkey, but declined to identify additional victims.

A drumbeat of operations

The LACMTA breach also sits alongside other cyber activity researchers described as connected to Iran since the U.S. and Israel launched a war against Iran in late February.

Those alleged actions include an attack on the medical device company Stryker (SYK.N), and the leak of personal emails belonging to FBI Director Kash Patel. Iranian hackers have also been suspected of remotely tampering with fuel gauges at gas stations, CNN reported earlier this month.

Gambit’s account gives the LACMTA incident a sharper outline: the theft of at least 700 gigabytes of emails, backups, and files; a disruptive intrusion detected around March 16; and a claim of destructive damage that followed shortly afterward. Even as LACMTA restored its systems and returned service, the agency’s warning that it would not speculate on attribution now meets a more specific claim from researchers who say they have forensic evidence pointing toward Tehran.
