
Iran-Linked Hackers Blamed For LA Metro Breach That Hit Systems And Recovery

By Utkarsh Hiwale

Updated on Wed, May 27, 2026

Iran-linked hackers have been blamed for a March cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA), with researchers saying the attackers stole hundreds of gigabytes of data and targeted systems in a way that complicated recovery.
 

TL;DR

 

• Gambit Security linked the LA Metro breach to Ababil of Minab, a pro-Iran persona it says is tied to Iran’s MOIS.

• Reuters reported the hackers stole at least 700GB of emails, backups, and other files.

• LA Metro said rail and bus services continued, but internal systems and some customer-facing services were disrupted.

• U.S. agencies recently warned of escalating Iranian-linked cyber activity against critical infrastructure.


 

The Los Angeles County Metropolitan Transportation Authority, also known as LA Metro or LACMTA, has found itself at the center of a fresh critical infrastructure cybersecurity concern.



Security researchers at Israeli cybersecurity startup Gambit Security said a March cyberattack on the transit agency was linked to Ababil of Minab, a pro-Iran persona that had claimed responsibility for the intrusion. According to Gambit, the group is “unlikely to be a new, standalone hacktivist crew as they claim,” with forensic evidence tying the campaign to infrastructure and activity previously attributed by Israel’s National Cyber Directorate to Iran’s Ministry of Intelligence and Security (MOIS).


Reuters reported that the hackers stole at least 700GB of emails, backups, and other files from LACMTA. Gambit said it discovered the data after it was inadvertently exposed online, while the digital trail connected the server where the data was found to a known Tehran-linked hacking operation.


The incident itself was detected around March 16. LA Metro later confirmed that it had “proactively limited employee access to many internal administrative computer systems” after discovering unauthorized activity. The agency said essential rail and bus services, as well as transit safety and security systems, continued uninterrupted.


However, the recovery was not quick. Metro board member Fernando Dutra told the Los Angeles Times that the agency had to review around 1,400 servers one by one before bringing systems back online. “When you think in terms of how big we are, we’re a beast,” Dutra said, adding that the agency had to make sure each server was clean before restoring access.


Reuters also reported that while trains and buses kept running, some arrival screens were disabled and customers had trouble loading money onto transit cards. LA Metro previously said attribution was still part of the investigation and that it would not speculate.


What makes the case stand out is the alleged attack on the recovery layer. Gambit said the broader campaign involved exfiltration across victims in the United States, Israel, Saudi Arabia, and Turkey, with destructive activity at some organizations. The company said attackers used techniques such as deleting virtual machines, databases, storage volumes, and backup infrastructure, which can force organizations into separate and prolonged restoration processes.
 




The timing also lands amid wider concern over Iranian-linked cyber activity. In April 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command warned that Iran-affiliated APT actors were targeting internet-facing operational technology devices, including programmable logic controllers, across U.S. critical infrastructure sectors. The advisory said such activity had caused disruptions in some sectors and urged organizations to remove PLCs from direct internet exposure, review logs, and strengthen backups.


According to TechCrunch, Ababil of Minab claimed it stole and deleted data from LACMTA systems, while Gambit said the persona fits a broader pattern of fake hacktivist groups allegedly operating on behalf of the Iranian government.

First published on Wed, May 27, 2026
