Israeli researchers link Iranian hackers to disruptive cyberattack on Los Angeles transit system
WASHINGTON, DC: Israeli cybersecurity researchers have linked a major cyberattack on Los Angeles’ public transit system to Iranian hackers, claiming the operation disrupted key services and exposed hundreds of gigabytes of sensitive data.
According to NBC News in a report published on Tuesday, May 26, Tel Aviv-based cybersecurity company Gambit Security said hackers stole at least 700 gigabytes of emails, backups, and internal files from the Los Angeles County Metropolitan Transportation Authority (LACMTA) during a breach detected in March.
According to the firm, the stolen data was later inadvertently exposed online, allowing investigators to trace it to infrastructure associated with a known Iranian-linked hacking campaign.
The company said forensic evidence connected the compromised server to previous cyber operations attributed by Israeli officials and researchers to Tehran.
Transit systems disrupted after March breach
The intrusion was first detected around March 16, according to LACMTA officials. While authorities said trains and buses continued operating, the attack reportedly disrupted parts of the transit network, including arrival display systems and customer payment services.
Local media reports said passengers were temporarily unable to add funds to transit cards, while some digital information screens went offline.
The hackers later surfaced online under the name “Ababil of Minab,” claiming responsibility for the attack and releasing a video that allegedly showed them infiltrating and deleting files from the transit authority’s systems.
The group’s name references a deadly bombing at a girls’ school in the Iranian city of Minab, and researchers say its rhetoric mirrors that of pro-Iran cyber vigilante groups previously linked to Iranian intelligence operations.
Researchers cite forensic evidence tying group to Tehran
Eyal Sela, Gambit Security’s director of threat intelligence, said suspicions about Iran’s involvement had existed from the beginning, but the latest investigation provided technical evidence supporting those claims.
“A connection between Ababil and the Iranian state has been a working assumption,” Sela said. “What our research adds is the forensic evidence to support it.”
Gambit Security said it alerted relevant authorities after uncovering the exposed data. The firm was founded in part by former members of Israel’s elite cyber intelligence unit, Unit 8200.
Iran’s mission to the United Nations did not respond to requests for comment. Israel’s National Cyber Directorate also declined to comment publicly on the findings.
FBI coordinating investigation into cyber incidents
The FBI confirmed it was aware of the LACMTA cyberattack and said it was coordinating with partners as part of the investigation, though it declined to discuss attribution. The US Cybersecurity and Infrastructure Security Agency (CISA) did not immediately respond to requests for comment.
LACMTA officials previously said they were working with law enforcement and cybersecurity experts to restore affected systems, but declined to speculate on who was behind the attack.
“Attribution is part of the investigation and we will not speculate,” the transit authority said in an earlier statement.
The Ababil group has also claimed responsibility for cyberattacks targeting South Florida’s Tri-Rail commuter system, vehicle tracking company Vyncs, and Saudi infrastructure firm Unimac.
Tri-Rail confirmed it experienced a cyberattack roughly a month ago, although officials said no critical data was compromised. Vyncs owner Agnik also acknowledged a breach and said the FBI had a “pretty good understanding” of the attackers.
Researchers believe the group has targeted several other undisclosed organizations across Israel and Turkey.
The allegations come amid a broader surge in cyber operations attributed to Iranian hackers since the outbreak of conflict involving the US, Israel, and Iran earlier this year.