Vyncs: State-Affiliated Iranian Hackers Linked to the Los Angeles Transit System Breach

Iranian Hackers Breach LA Transit System, Steal 700GB of Data

A cyberattack on the Los Angeles County Metropolitan Transportation Authority (LA Metro) has been attributed to Iranian government-affiliated hackers, according to Tel Aviv-based cybersecurity firm Gambit Security. The breach, claimed by the Ababil of Minab hacking group, forced LA Metro to temporarily shut down parts of its system, disrupting online services, including fare loading via the TAP Mobile App.

The attackers exfiltrated approximately 700GB of data including backups, emails, and internal files before leaking it online and releasing a video documenting their intrusion. While LA Metro confirmed that rail operations and customer or employee data remained unaffected, the incident highlights the group’s destructive tactics, which include deleting virtual machines, databases, and backups to hinder recovery efforts.
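The recovery-hindering pattern described above (backups, databases and virtual machines deleted in quick succession) is something a SOC can alert on from ordinary audit logs. The following is an added example, not code from the article, Gambit Security or LA Metro: it clusters destructive actions in a constructed audit log and raises an alert when several kinds of deletion land inside a short window. The log format, field names and sample events are assumptions made for the example; real hypervisor, database and backup products each have their own event schemas that would need mapping onto these action names.

```python
"""Added example: detect a burst of destructive actions (VM, database and
backup deletions) in an audit log. Log format and sample events are
constructed for this example and do not come from any real incident."""
from datetime import datetime, timedelta

# Constructed sample events, one per line: ISO timestamp, actor, action, target.
# The 02:01 cluster mimics the destroy-backups-then-hosts pattern; the 09:30
# entries are routine lab cleanup that should not alert.
SAMPLE_LOG = """\
2025-01-14T02:01:07Z svc-backup  backup.delete  nightly-full-2025-01-13
2025-01-14T02:01:09Z svc-backup  backup.delete  nightly-full-2025-01-12
2025-01-14T02:01:15Z admin-j     vm.delete      tap-web-01
2025-01-14T02:01:16Z admin-j     vm.delete      tap-web-02
2025-01-14T02:01:20Z admin-j     db.drop        fares_prod
2025-01-14T02:01:24Z svc-backup  backup.delete  nightly-full-2025-01-11
2025-01-14T09:30:02Z ops-k       vm.delete      test-sandbox-07
2025-01-14T09:31:44Z ops-k       vm.powerOff    test-sandbox-08
"""

# Hypothetical normalised action names; map vendor event IDs onto these.
DESTRUCTIVE_ACTIONS = {"vm.delete", "db.drop", "backup.delete"}


def parse_log(text):
    """Parse whitespace-separated audit lines into (time, actor, action, target)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target))
    return events


def find_destructive_bursts(events, window=timedelta(minutes=5),
                            min_events=3, min_kinds=2):
    """Group destructive events whose consecutive gaps are within `window`,
    across all actors (attackers usually hold several stolen accounts), and
    alert on any group with at least `min_events` actions spanning at least
    `min_kinds` different kinds of deletion. Returns one alert per burst."""
    destructive = sorted(e for e in events if e[2] in DESTRUCTIVE_ACTIONS)
    clusters = []
    for event in destructive:
        if clusters and event[0] - clusters[-1][-1][0] <= window:
            clusters[-1].append(event)
        else:
            clusters.append([event])

    alerts = []
    for group in clusters:
        kinds = {e[2] for e in group}
        if len(group) >= min_events and len(kinds) >= min_kinds:
            alerts.append({
                "first": group[0][0].isoformat(),
                "last": group[-1][0].isoformat(),
                "count": len(group),
                "kinds": sorted(kinds),
                "actors": sorted({e[1] for e in group}),
                "targets": [e[3] for e in group],
                # Backups destroyed alongside hosts means recovery is at risk.
                "recovery_at_risk": "backup.delete" in kinds,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_destructive_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Thresholds are deliberately loose (three actions, two kinds, five minutes) so that a single administrator decommissioning a test VM does not fire, while the cross-account, cross-system burst does; tune them against your own change windows before wiring this to a pager.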

Gambit’s investigation suggests Ababil of Minab is not an independent hacktivist collective, as it claims, but likely operates under Iran’s Ministry of Intelligence and Security (MOIS). The group has also taken responsibility for recent attacks on South Florida’s Tri-Rail, vehicle-tracking system Vyncs, and Saudi critical infrastructure operator Unimac. Additional breaches linked to the same threat actors have been uncovered in the U.S., Israel, Saudi Arabia, and Turkey.

The attack vector remains unidentified, though experts note a broader trend in Iranian cyber operations: combining espionage, disruption, and psychological impact. Transportation systems are prime targets due to their reliance on legacy infrastructure, third-party supply chains, and operational technology (OT), which create multiple entry points for state-sponsored actors. Even indirect disruptions such as compromised scheduling or internal communications can cause significant operational paralysis.

This incident follows a pattern of Iranian hackers targeting U.S. critical infrastructure, including recent attacks on gas station automatic tank gauge (ATG) systems and water treatment facilities. In 2025, U.S. authorities warned of heightened threats from Iranian state-backed groups, particularly against the Defense Industrial Base and entities with ties to Israel. The FBI is currently investigating the LA Metro breach in collaboration with relevant agencies.

Source: https://www.cpomagazine.com/cyber-security/state-affiliated-iranian-hackers-linked-to-the-los-angeles-transit-system-breach/

ResiliAnt cybersecurity rating report: https://www.rankiteo.com/company/resiliant

{
  "id": "RES1780403193",
  "linkid": "resiliant",
  "type": "Cyber Attack",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "industry": "Transportation",
      "location": "Los Angeles, California, USA",
      "name": "Los Angeles County Metropolitan Transportation Authority (LA Metro)",
      "type": "Public Transportation Agency"
    }
  ],
  "data_breach": {
    "data_exfiltration": true,
    "type_of_data_compromised": ["Backups", "Emails", "Internal files"]
  },
  "description": "A cyberattack on the Los Angeles County Metropolitan Transportation Authority (LA Metro) has been attributed to Iranian government-affiliated hackers. The breach, claimed by the *Ababil of Minab* hacking group, forced LA Metro to temporarily shut down parts of its system, disrupting online services, including fare loading via the TAP Mobile App. The attackers exfiltrated approximately 700GB of data including backups, emails, and internal files before leaking it online and releasing a video documenting their intrusion.",
  "impact": {
    "data_compromised": "700GB of data (backups, emails, internal files)",
    "downtime": "Temporary shutdown of parts of the system",
    "operational_impact": "Disruption of fare loading and online services",
    "systems_affected": ["Online services", "TAP Mobile App", "Internal systems"]
  },
  "investigation_status": "Ongoing (FBI investigation)",
  "motivation": ["Espionage", "Disruption", "Psychological Impact"],
  "post_incident_analysis": {
    "root_causes": [
      "Reliance on legacy infrastructure",
      "Third-party supply chain vulnerabilities",
      "Operational technology (OT) exposure"
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "references": [{"source": "Gambit Security"}],
  "response": {
    "law_enforcement_notified": "FBI (investigating in collaboration with relevant agencies)",
    "third_party_assistance": "Gambit Security (investigation)"
  },
  "threat_actor": "Ababil of Minab (Iranian government-affiliated, likely under Iran's Ministry of Intelligence and Security - MOIS)",
  "title": "Iranian Hackers Breach LA Transit System, Steal 700GB of Data",
  "type": "Data Breach, Disruption"
}