Media: Cyberattack on Los Angeles metro traced to Iranian network

Israeli cybersecurity researchers say a disruptive March cyberattack on Los Angeles’ public transit system was carried out by Iranian hackers, citing forensic evidence linking the breach to previously identified operations attributed to Tehran.

According to Gambit Security, cited by Reuters, attackers infiltrated the network of the Los Angeles County Metropolitan Transportation Authority and exfiltrated at least 700 gigabytes of data, including emails, backups and internal files. The firm said it discovered the stolen material after it was inadvertently exposed online and traced it to a server tied to known Iranian-linked hacking activity.

In a report published Tuesday, May 26, Gambit said the digital trail supports longstanding suspicions that the attack was connected to Tehran. Eyal Sela, the company’s director of threat intelligence, said a link between the hackers and the Iranian state “has been a working assumption,” adding: “What our research adds is the forensic evidence to support it.”

The intrusion was first detected around March 16, according to LACMTA, which said it was working with law enforcement and cybersecurity experts to restore systems. “Attribution is part of the investigation and we will not speculate,” the agency said in a prior statement. While officials maintained that train and bus operations continued, local media reported disruptions to arrival displays and fare payment systems.

Responsibility for the attack was claimed weeks later by a little-known pro-Iran group calling itself Ababil of Minab, which published a video allegedly showing access to the transit network. Researchers say the group’s rhetoric and tactics resemble those of hacker collectives believed by US and Israeli officials to act as fronts for Iranian intelligence.

The Federal Bureau of Investigation confirmed it is coordinating with partners in response to the incident but declined further comment. Other agencies, including the Cybersecurity and Infrastructure Security Agency, did not respond to requests for comment.

Gambit also linked Ababil to other cyber incidents, including attacks on South Florida’s Tri-Rail system, vehicle tracking firm Vyncs and Saudi company Unimac. Some affected organizations confirmed breaches but provided limited details.

Researchers say the activity forms part of a broader wave of alleged Iranian cyber operations since the escalation of conflict involving the US and Israel in late February, targeting infrastructure, corporations and individuals.