Iranian Hackers’ Breach in Los Angeles Transit System

4 weeks ago

In March, Iranian hackers executed a significant cyberattack on Los Angeles’ transit system, forcing a partial shutdown. This breach involved the theft of over 700 gigabytes of emails, backups, and other files from the Los Angeles County Metropolitan Transportation Authority (LACMTA).

According to Gambit Security, a cybersecurity firm based in Tel Aviv, the misappropriated data surfaced online unintentionally. The firm’s report suggests that evidence connects the compromised server to a known hacking operation linked to Tehran.

Efforts to obtain comment from Iran’s mission to the United Nations and Israel’s National Cyber Directorate were unsuccessful. The Los Angeles transit authority chose not to comment directly on the findings, emphasizing that it is collaborating with law enforcement and cyber specialists to restore system functionality. It refrained from speculating about who was responsible.

This attack coincided with an announcement by a lesser-known pro-Iran group called Ababil of Minab. The group’s name references a tragic incident in Minab, Iran, where a bombing resulted in the deaths of many children and teachers. Both U.S. and Israeli analysts categorize such groups as potential fronts for Iranian espionage.

Eyal Sela, director of threat intelligence at Gambit Security, stated that their research provides forensic evidence supporting theories about Ababil’s connection to the Iranian state.

Ababil claimed to have executed a destructive cyberattack against LACMTA, releasing a video showing their infiltration. Local reports mentioned disruptions to service screens and the online transit card system, although train and bus services continued operating.

Ababil also claimed responsibility for breaches affecting other organizations, including Florida’s Tri-Rail transit, vehicle tracking firm Vyncs, and Saudi infrastructure company Unimac. Tri-Rail and Vyncs confirmed incidents, and both have involved the FBI in their investigations.

Gambit Security revealed that Ababil had targeted additional organizations internationally, including a media entity and an educational institution in Israel, and an insurance brokerage in Turkey. However, details on these attacks remain undisclosed.

Iranian hackers have maintained a consistent series of digital incursions reportedly in response to actions by the U.S. and Israel earlier this year. Notable incidents include a significant breach at medical device company Stryker and tampering with fuel gauges at gas stations.
