Israeli researchers have identified Iranian hackers as responsible for a disruptive breach in March, forcing Los Angeles’ transit system to halt parts of its network. Gambit Security, a cybersecurity firm based in Tel Aviv, reported the hackers stole over 700 gigabytes of emails, backups, and other files from the Los Angeles County Metropolitan Transportation Authority (LACMTA). This data was found accidentally exposed online.
The report by Gambit Security outlined evidence linking the server to a known hacking operation attributed to Tehran by Israeli sources. Neither Iran’s mission to the United Nations nor Israel’s National Cyber Directorate responded to requests for comment. The Los Angeles transit authority issued a statement saying they were collaborating with law enforcement and cyber specialists to restore their systems, refraining from speculation on attribution.
Suspicion over an Iranian origin in the operation against LACMTA arose after a group called Ababil of Minab claimed responsibility. This group references a tragic bombing in Minab, Iran, and operates with rhetoric and actions similar to pro-Iran vigilante hacker groups. Eyal Sela, Gambit’s director of threat intelligence, supported the assumption of a state connection with forensic evidence.
Ababil did not respond to outreach attempts. The FBI acknowledged awareness of the incident and is working with partners, but declined further comment. The Cybersecurity and Infrastructure Security Agency also did not respond.
The breach was detected around March 16. By the end of March, Ababil publicly claimed to have destroyed data in a cyberattack, showcasing a video allegedly demonstrating their network infiltration. While Los Angeles transit officials stated the breach did not impact train or bus services, local reports indicated some arrival screens were disabled, and transit card reloading was affected.
Ababil also claims to have hacked South Florida’s Tri-Rail system, vehicle tracking company Vyncs, and Saudi infrastructure firm Unimac. Tri-Rail confirmed a minor hack occurred, while Vyncs detected its breach on April 2 but provided no details. Both reported FBI involvement in their investigations. Unimac did not comment.
Gambit Security revealed Ababil targeted additional organizations, including in Israel and Turkey, but did not disclose their identities. Alleged Iranian hacking activity has continued since February, impacting high-profile targets like medical device company Stryker and leaking private emails from FBI Director Kash Patel. CNN reported suspicions of Iranian hackers tampering with gas station fuel gauges recently.
