Government-affiliated Iranian hackers were responsible for the cyber attack on the Los Angeles transit system, according to a Tel Aviv-based cybersecurity firm, Gambit Security.
The system breach forced the Los Angeles County Metropolitan Transportation Authority (LACMTA/LA Metro) to shut down parts of the system as a precautionary measure to contain the cyber attack, disrupting online services.
“Due to a technical issue, service alerts will be delayed and riders are unable to load fare on the TAP Mobile App,” LACMTA posted on X. “Please buy or reload your TAP cards via a TVM or at a bus farebox.”
Iranian hackers take credit for LA transit system breach
The cyber attack on the LA transit system enabled suspected government-affiliated Iranian hackers to exfiltrate 700 gigabytes of data, including backups, emails, and other files.
Subsequently, the Ababil of Minab hacking group claimed responsibility for the breach, leaked the stolen information online, and published a video of its malicious activity across the LA transit system. The name refers to the accidental bombing of a girls’ school in the Iranian city of Minab during the ongoing conflict.
Ababil also claimed responsibility for cyber attacks on South Florida’s Tri-Rail commuter transit system, Agnik’s vehicle-tracking system Vyncs, and Saudi Arabia’s critical infrastructure operator Unimac.
Similarly, Gambit recovered data exfiltration tools associated with previously undisclosed data breaches across multiple countries, including the United States, Israel, Saudi Arabia, and Turkey.
According to the Tel Aviv-based firm, the Iranian hackers employ various tactics to prevent data recovery, including deleting virtual machines and backups via both automated scripts and manual keyboard input. Gambit says each step introduces a recovery challenge, preventing organizations from restoring their systems.
“We analyze the destructive operations performed by the attackers across IT, applications, virtualization infrastructure, and backups: deleting virtual machines, databases, and storage volumes, both automatically via scripts and through hands-on-keyboard activity,” Gambit stated.
The researchers also warned that while the Iranian hackers claim to operate independently, Israel’s National Cyber Directorate (INCD) has previously linked them to Iran’s Ministry of Intelligence and Security (MOIS).
“Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew as they claim,” the company stated.
Meanwhile, Gambit has shared its findings with the relevant authorities, and the FBI said it was working with its partners to investigate the incident. The LA transit system also said the system breach did not affect rail lines or customer and employee data.
So far, the attack vector exploited remains unknown, and the LA transit system has yet to attribute the cyber attack to any hacking group.
“This incident reflects a broader shift we are seeing in Iranian cyber operations: the growing willingness to combine espionage, disruption, and psychological impact in a single campaign,” said Ensar Seker, CISO at SOCRadar. “Transportation systems are particularly attractive targets because even limited operational disruption can generate immediate public visibility, media attention, and pressure on local governments. In this case, the theft of hundreds of gigabytes of internal data alongside network disruption suggests the attackers were not simply conducting intelligence collection, but also positioning themselves for coercive influence and operational impact.”
Seker also warned that public transit systems are highly interconnected and depend on legacy infrastructure, third-party supply chains, operational technology (OT), and real-time communication.
“That creates multiple attack paths for adversaries linked to state-sponsored ecosystems such as Iran’s MOIS-affiliated actors. Even if attackers do not directly impact train operations or safety systems, disruption to scheduling, internal communications, identity systems, or maintenance platforms can still create significant operational paralysis,” Seker said.
Iranian hackers continue to target the United States’ critical infrastructure
The system breach comes hot on the heels of another cyber attack by Iranian hackers, which resulted in the manipulation of automatic tank gauge (ATG) systems at numerous gas stations across the United States.
Similarly, Iranian hackers have frequently gone after other critical infrastructure, including water and wastewater treatment facilities, by targeting programmable logic controllers (PLCs).
In 2025, U.S. authorities warned of state-backed Iranian hackers targeting vulnerable networks and entities of interest, such as the Defense Industrial Base, especially those working closely with Israel.

