Stryker: Iranian hackers responsible for LA transit system breach, Israeli researchers say

Iranian Hackers Linked to Disruptive LA Transit System Breach, Israeli Researchers Confirm

Israeli cybersecurity firm Gambit Security has attributed a March cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA) to Iranian state-linked hackers, following an investigation that uncovered 700GB of stolen data, including emails and backups, left exposed online. The breach, detected around March 16, forced the transit agency to temporarily shut down parts of its network, though train and bus operations remained unaffected. However, local reports indicated disruptions to arrival screens and transit card payment systems.

The attack was claimed by Ababil of Minab, a pro-Iran hacking group named after a 2023 school bombing in Iran. While U.S. and Israeli researchers have long suspected Ababil of acting as a front for Iranian intelligence, Gambit’s findings provide forensic evidence linking the group to Tehran. Eyal Sela, Gambit’s director of threat intelligence, stated that the connection to the Iranian state had been a "working assumption" but is now supported by digital traces.

The LACMTA confirmed the incident in a March statement, noting an ongoing investigation with law enforcement and cybersecurity experts, but declined to comment on attribution. The FBI acknowledged awareness of the breach and said it was coordinating with partners, while CISA and Iran’s UN mission did not respond to requests for comment.

Ababil has also claimed responsibility for recent attacks on South Florida’s Tri-Rail, vehicle tracking firm Vyncs, and Saudi infrastructure company Unimac. Tri-Rail confirmed a breach but described the stolen data as non-critical, while Vyncs reported its incident on April 2, with the FBI involved in both cases. Unimac did not respond to inquiries.

Gambit’s analysis suggests Ababil has targeted additional organizations, including an Israeli media outlet, an Israeli educational institution, and a Turkish insurance brokerage, though details remain undisclosed. The group’s activity aligns with a broader surge in Iranian cyber operations since late February, coinciding with heightened tensions following the Israel-Hamas war. Recent incidents include a cyberattack on medical device manufacturer Stryker, the leak of FBI Director Kash Patel’s emails, and alleged tampering with U.S. gas station fuel gauges, as reported by CNN.

The LACMTA breach underscores the growing threat of state-backed cyber sabotage targeting critical infrastructure, with Iranian hackers increasingly leveraging proxy groups to obscure their involvement.

Source: https://www.usatoday.com/story/news/world/2026/05/26/iranian-hackers-behind-los-angeles-transit-system-breach-israeli-researchers/90257549007/

Stryker cybersecurity rating report: https://www.rankiteo.com/company/stryker

"id": "STR1779805618",
"linkid": "stryker",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Transportation/Public Transit',
                        'location': 'Los Angeles, California, USA',
                        'name': 'Los Angeles County Metropolitan '
                                'Transportation Authority (LACMTA)',
                        'type': 'Government/Transit Agency'},
                       {'industry': 'Transportation/Public Transit',
                        'location': 'South Florida, USA',
                        'name': 'Tri-Rail (South Florida)',
                        'type': 'Government/Transit Agency'},
                       {'industry': 'Vehicle Tracking/Telematics',
                        'name': 'Vyncs',
                        'type': 'Private Company'},
                       {'industry': 'Infrastructure',
                        'location': 'Saudi Arabia',
                        'name': 'Unimac',
                        'type': 'Private Company'},
                       {'industry': 'Media/News',
                        'location': 'Israel',
                        'name': 'Israeli media outlet',
                        'type': 'Media'},
                       {'industry': 'Education',
                        'location': 'Israel',
                        'name': 'Israeli educational institution',
                        'type': 'Educational Institution'},
                       {'industry': 'Insurance',
                        'location': 'Turkey',
                        'name': 'Turkish insurance brokerage',
                        'type': 'Private Company'}],
 'data_breach': {'data_exfiltration': '700GB of data exposed online',
                 'type_of_data_compromised': ['Emails', 'Backups']},
 'date_detected': '2024-03-16',
 'date_publicly_disclosed': '2024-03',
 'description': 'Israeli cybersecurity firm Gambit Security attributed a March '
                'cyberattack on the Los Angeles County Metropolitan '
                'Transportation Authority (LACMTA) to Iranian state-linked '
                'hackers. The breach involved 700GB of stolen data, including '
                'emails and backups, and forced temporary network shutdowns. '
                'The attack was claimed by the pro-Iran hacking group Ababil '
                'of Minab, suspected to be a front for Iranian intelligence.',
 'impact': {'data_compromised': '700GB of data (emails, backups)',
            'operational_impact': 'Temporary shutdown of parts of the network',
            'systems_affected': 'Network systems, transit card payment '
                                'systems, arrival screens'},
 'investigation_status': 'Ongoing',
 'motivation': 'Cyber sabotage, Disruption of critical infrastructure, '
               'Geopolitical tensions',
 'references': [{'source': 'Gambit Security'},
                {'source': 'LACMTA Statement'},
                {'source': 'FBI'},
                {'source': 'CNN'}],
 'response': {'communication_strategy': 'Public statement in March',
              'containment_measures': 'Temporary network shutdown',
              'law_enforcement_notified': 'FBI',
              'third_party_assistance': 'Gambit Security, Law enforcement, '
                                        'Cybersecurity experts'},
 'threat_actor': 'Ababil of Minab (Iranian state-linked hackers)',
 'title': 'Disruptive Cyberattack on Los Angeles County Metropolitan '
          'Transportation Authority (LACMTA)',
 'type': 'Cyberattack, Data Breach'}