Los Angeles transit system hack blamed on Iranian attackers – but they might not have worked alone

Posted by

everyonehub2025@gmail.com

On May 27, 2026

0 comments

Gambit Security links March 2026 breach of Los Angeles transit system to Iranian state‑sponsored actors, not hacktivists, citing forensic evidence tied to prior campaigns
Attackers stole ~700GB of emails, backups, and internal data, with the pro‑Iranian group Ababil of Minab claiming responsibility despite indications it is a front for Tehran
Analysts note this fits a broader pattern of fake hacktivist groups like Handala being used by Iran to mask state‑directed cyber‑espionage and destructive operations

The March 2026 cyberattack on the Los Angeles transit system was not the work of “hacktivists”, but rather Iranian state-sponsored threat actors, after experts from Gambit Security claimed to have found evidence connecting the breach to the government in Teheran.

Two months ago, the Los Angeles County Metropolitan Transportation Authority (LACMTA) detected unauthorized activity on its internal network and shut down parts of its computer systems to contain the breach. The attack disrupted some customer-facing services, including arrival information displays and TAP card reloading systems, although trains and buses continued operating normally.

Sometime later, a pro-Iranian hacking group calling itself Ababil of Minab claimed responsibility for the breach, saying they stole hundreds of gigabytes of internal data from the transit agency. Gambit now claims that the attackers walked away with 700GB of emails, backups, and other data, after finding the stolen files exposed online.

Who are Ababil of Minab?

The researchers also said they followed the trail of evidence back to a server that was previously seen being used in other Iranian state-sponsored hacking campaigns.

According to Reuters, many cybersecurity researchers suspected that the LACMTA attack was the work of the Iranians. Eyal Sela, Gambit’s director of threat intelligence, said that the company’s research now adds forensic evidence to support these claims.

Ababil of Minab is a lesser-known group that first emerged a few weeks after the LACMTA incident. The name references the US air strike on an Iranian school that happened at the very beginning of the latest US/Israel-Iran conflict, in which 175 people, mostly children, were killed.

In its writeup, TechCrunch said that if Gambit’s assumptions are correct, Ababil of Minab would be the “latest in a series of fake hacktivist groups that are working for the Iranian government.” Before this group, there was Handala, which struck Stryker and wiped thousands of company systems and employee devices.

Via TechCrunch