Cyber Threat Assessment: Attack on LA Metro as Hybrid Influence Operation
27 May 2026
Richard Krauss
The cyber operation against the Los Angeles County Metropolitan Transportation Authority (LACMTA) exhibits classic Iranian-attributed tactics: initial access, systematic lateral movement, large-scale data exfiltration (≥700 GB), and subsequent information operations exploitation. Despite professional execution, the compromise remained limited to administrative IT systems; no penetration of operational technology (OT) environments was confirmed. The group “Ababil of Minab” operated with high discipline and typical proxy-style plausible deniability. The incident highlights the ongoing intensification of hybrid threats against highly visible civilian critical infrastructure.
The cyber operation against the Los Angeles County Metropolitan Transportation Authority (LACMTA) is currently assessed with moderate confidence as being conducted by Iran-affiliated structures, most likely linked to the Iranian Ministry of Intelligence (MOIS). The attribution is primarily based on forensic findings by the Israeli security firm Gambit Security, including reuse of command-and-control infrastructure, overlaps with previous MOIS/Black Shadow campaigns, and matching TTP profiles. Independent validation by U.S. authorities (FBI, CISA) or European partners has not been publicly released. Due to the ongoing regional conflict, a potential source and attribution bias must be explicitly considered.

In mid-March 2026, the actor group operating under the name “Ababil of Minab” executed a multi-phase hybrid operation. Following initial access — most likely via compromised credentials or phishing — the attackers conducted systematic lateral movement within the administrative IT environment. They gained privileged access to VMware vCenter infrastructure (approximately 1,400 virtual machines on 28 physical hosts), IIS web servers, and backup systems. At least 700 GB of sensitive data were exfiltrated, including email archives, network documentation, administrative configurations, and backup files. This was followed by a destructive phase involving scripted and manual deletion of resources in management consoles. The group subsequently released proof-of-compromise videos and screenshots, claiming access to virtualisation layers and, according to their statements, a Rail Yard Management System (Division 11).

As of current knowledge, the compromise remained confined to the IT layer. No confirmed penetration of operational technology (OT) systems — such as signalling, train control, or safety-critical infrastructure — has been established. Public transport operations (buses and light rail) continued without disruption.
Claims by the group of deleting up to 500 TB and exfiltrating 1 TB are considered significantly exaggerated and serve primarily psychological and propaganda purposes.

The observed Tactics, Techniques, and Procedures (TTPs) — initial access, privilege escalation in virtualisation environments, combined exfiltration and wiper-like destruction, plus coordinated information operations via Telegram and dedicated leak sites — show clear parallels to previous Iran-attributed campaigns. However, these patterns are not exclusive to Iranian actors. The use of a proxy persona with an ideologically charged narrative (referencing the U.S. strike on Minab) provides plausible deniability and narrative control.

The group demonstrated high operational discipline, professional communication management, and a sophisticated mix of automated scripts and hands-on-keyboard activity, possibly supported by AI tools. This profile suggests a coordinated or at least indirectly supported proxy architecture rather than an autonomous hacktivist collective. Direct operational control by MOIS units cannot currently be forensically proven.

This incident fits into the observed escalation of Iran-linked hybrid activities against Western critical infrastructure since 2025. It exemplifies the contemporary paradigm of conflict below the threshold of open warfare: deliberate creation of uncertainty, erosion of public trust in state resilience, and demonstration of infrastructural vulnerability. At the same time, it reveals the limitations of such operations — despite weeks of recovery efforts at LACMTA, no sustained operational disruption occurred.
[DE]
The cyber operation against the Los Angeles County Metropolitan Transportation Authority (LACMTA) is provisionally attributed, with a moderate confidence level, to Iran-affiliated structures (MOIS). The attribution rests mainly on findings by the Israeli company Gambit Security and comprises infrastructure overlaps as well as TTP parallels with earlier campaigns. Independent confirmation by U.S. authorities (FBI, CISA) is not available.

In mid-March 2026, after initial access and lateral movement, the group “Ababil of Minab” exfiltrated at least 700 GB of administrative data from VMware vCenter and backup systems. Deletion actions and the publication of propagandistic proof-of-compromise materials followed. The compromise remained limited to the IT layer; penetration of operationally critical OT systems could not be demonstrated. Transit operations remained entirely unaffected.

The attack shows high operational discipline and typical proxy characteristics. It illustrates the Iranian pattern of hybrid influence operations: generating uncertainty and eroding trust below the escalation threshold.
References
Gambit Security. (2026). Attacking the recovery layer: An Iran-MOIS case study – Ababil of Minab Technical Report. Tel Aviv.
Reuters. (May 26, 2026). Iranian hackers responsible for Los Angeles transit system breach, Israeli researchers say.
TechCrunch. (May 26, 2026). Iranian hackers blamed for breach of Los Angeles transit system that took weeks to recover.
NBC News. (May 26, 2026). Iranian hackers responsible for Los Angeles transit system breach, Israeli researchers say.
SecurityWeek. (May 27, 2026). LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers.
Los Angeles Times. (April 2, 2026). LA Metro confirms it was hacked, is getting systems back online.
Industrial Cyber. (April 15, 2026). Ababil of Minab claims cyberattack on LACMTA.
Dataminr. (April 2026). Pro-Iran actor Ababil of Minab claims cyberattack on LA Metro.
Glossary
Ababil of Minab
The threat actor group that claimed responsibility for the LACMTA cyberattack.
Data Exfiltration
Unauthorized transfer of data from the victim’s network to an attacker-controlled location.
Hybrid Operation
Combined cyber and information warfare activities below the threshold of armed conflict.
Information Operation (IO)
Coordinated use of information (leaks, videos, propaganda) to influence public perception or achieve strategic goals.
Initial Access
The first successful entry into a target network, often via phishing, compromised credentials, or vulnerabilities.
LACMTA
Los Angeles County Metropolitan Transportation Authority (LA Metro) – the public transit operator for Los Angeles County.
Lateral Movement
Technique used by attackers to move horizontally across a network to gain access to additional systems.
MOIS
Ministry of Intelligence and Security – Iran’s primary civilian intelligence service.
Moderate Confidence
Intelligence assessment level indicating the attribution is assessed as more likely than not, but not certain.
Operational Technology (OT)
Hardware and software that detect or cause changes through direct monitoring and control of physical devices (e.g., train signalling, rail control systems).
Plausible Deniability
The ability to deny involvement in an operation with a reasonable chance of being believed.
Privilege Escalation
Exploiting weaknesses to obtain higher-level permissions (e.g., administrator rights).
Proxy Group / Proxy Actor
A front organization or persona used to conceal the identity and involvement of a state sponsor.
TTPs
Tactics, Techniques, and Procedures – the behavioral patterns of threat actors.
VMware vCenter
Centralized management platform for virtualized environments (used by LACMTA for server virtualization).
Wiper-like Destruction
Destructive actions designed to delete or corrupt data and systems, similar to wiper malware.