Iranian hackers were responsible for a March cyberattack that forced the Los Angeles County Metropolitan Transportation Authority to shut down parts of its network and disrupted some rider systems, Israeli cybersecurity researchers said Tuesday.
Gambit Security, a Tel Aviv-based cybersecurity firm, said in a report that it found forensic evidence linking the intrusion to infrastructure and activity associated with Iran’s Ministry of Intelligence and Security. The company said the campaign involved organizations in the United States, Israel, Saudi Arabia and Turkey.
Reuters reported that the attackers stole at least 700 gigabytes of emails, backups and other files from the Los Angeles transit agency. Gambit said it found the data after it was inadvertently exposed online and traced it to a pro-Iranian persona known as Ababil of Minab.
The breach was detected around March 16, according to Los Angeles transit officials cited by Reuters. The agency later said it was working with law enforcement and cybersecurity specialists to restore systems. It said at the time that attribution was part of the investigation and that it would not speculate.
The Los Angeles County Metropolitan Transportation Authority did not respond to Reuters’ questions about Gambit’s findings. Iran’s mission to the United Nations also did not respond to Reuters’ requests for comment. The FBI told Reuters it was aware of the incident and was coordinating with partners, but declined further comment.
The March incident did not stop buses or trains from running, but it affected some customer-facing systems. ABC7 reported at the time that Metro had limited access to internal administrative computers after detecting unauthorized activity. Station monitors stopped displaying arrival times, and some customers had problems adding money to TAP cards through Metro’s website and customer service lines.
Gambit said Ababil of Minab claimed responsibility for the LA Metro intrusion after surfacing publicly in late March and early April. The firm said the group presented itself as a new hacktivist crew, but its findings indicated the operation was unlikely to be independent.
The company said technical evidence connected the campaign to infrastructure and activity previously associated with an Iran-linked cluster known as Black Shadow, which Israel’s National Cyber Directorate has attributed to Iran’s intelligence ministry. Gambit said it recovered custom data-exfiltration tools and identified additional victim organizations that had not been publicly named by the attackers.
Reuters reported that digital security specialists had suspected an Iranian connection after Ababil of Minab claimed responsibility for the LA Metro attack. The group also claimed responsibility for hacks affecting South Florida’s Tri-Rail commuter system, vehicle-tracking company Vyncs and Saudi infrastructure firm Unimac.
Tri-Rail confirmed to Reuters that it had been hacked about a month earlier, but said none of the affected data was critical. Vyncs owner Agnik said it detected a breach on April 2 and that the FBI was involved. Unimac did not respond to Reuters’ request for comment.
Gambit said the campaign’s destructive activity targeted not only normal IT systems but also recovery infrastructure. The firm said the attackers used multiple techniques to delete virtual machines, databases, storage volumes and backup systems. That kind of attack can make recovery slower because organizations may have to rebuild systems, restore offsite copies and repair backup infrastructure before normal operations can resume.
The report adds to concern over cyber operations tied to the broader conflict involving the United States, Israel and Iran. Reuters said Iranian hackers have been accused of carrying out a series of digital operations since the U.S. and Israel launched a war against Iran in late February, including attacks on a medical device company and the leak of personal emails belonging to FBI Director Kash Patel.
The LA Metro case also highlights the vulnerability of public infrastructure systems that rely on administrative networks, customer payment tools and real-time information displays. Even when transportation service continues, disruptions to fare systems, arrival screens and internal systems can affect riders and complicate agency operations.
Gambit said the campaign shows that cyber defense must focus not only on preventing intrusions but also on whether organizations can recover after attackers reach backup and recovery systems. The firm said operators should verify that backups are isolated, protected by strong access controls and tested against realistic attack scenarios.
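The two points above, that attackers deleted VMs, databases, volumes and backups across a short span, and that operators should verify backups are isolated and restorable, both lend themselves to a defender-side check. The following is an added example written for this article, not code from Gambit's report or from any transit agency; it runs over a constructed audit log and a constructed backup inventory whose field names (`actor`, `resource`, `immutable`, `separate_credentials`, `last_restore_test`) are assumptions, not any vendor's schema. The first function flags an actor who deletes across several recovery-related resource classes inside one window, which routine snapshot churn does not trigger; the second lists backup sets a compromised production administrator could erase or that have not been proven restorable recently.

```python
"""Detect destructive bursts against recovery infrastructure and audit backup isolation.
Added illustration; the events and inventory below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Resource classes whose deletion points at recovery infrastructure rather than routine churn.
RECOVERY_CLASSES = {"vm", "database", "volume", "snapshot", "backup_vault"}
DELETE_ACTIONS = {"delete", "purge", "destroy"}

# Constructed sample audit events (hypothetical actors and names).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T02:00:05Z", "actor": "svc-backup", "action": "delete", "resource": "snapshot", "name": "nightly-0101"},
    {"ts": "2024-01-01T02:00:20Z", "actor": "svc-backup", "action": "delete", "resource": "snapshot", "name": "nightly-0102"},
    {"ts": "2024-01-01T03:14:10Z", "actor": "admin-x", "action": "delete", "resource": "vm", "name": "fare-db-01"},
    {"ts": "2024-01-01T03:14:40Z", "actor": "admin-x", "action": "delete", "resource": "volume", "name": "fare-db-01-disk"},
    {"ts": "2024-01-01T03:15:05Z", "actor": "admin-x", "action": "purge", "resource": "backup_vault", "name": "vault-prod"},
    {"ts": "2024-01-01T03:15:30Z", "actor": "admin-x", "action": "delete", "resource": "database", "name": "tapcards"},
    {"ts": "2024-01-01T09:00:00Z", "actor": "admin-y", "action": "create", "resource": "vm", "name": "web-07"},
]

# Constructed backup inventory records (hypothetical fields, not any product's schema).
SAMPLE_BACKUPS = [
    {"name": "vault-prod", "immutable": False, "offline_copy": False,
     "separate_credentials": False, "last_restore_test": "2023-06-01"},
    {"name": "vault-prod-offsite", "immutable": True, "offline_copy": True,
     "separate_credentials": True, "last_restore_test": "2023-12-20"},
]

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_destructive_bursts(events, window=timedelta(minutes=10), min_classes=3):
    """Return one alert per actor whose deletions span at least min_classes distinct
    recovery resource classes inside a sliding window. Single-class churn (a backup
    service pruning old snapshots) stays below the bar; an actor removing a VM, its
    volume, a backup vault and a database within minutes does not."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DELETE_ACTIONS and e["resource"] in RECOVERY_CLASSES:
            by_actor[e["actor"]].append((_parse_ts(e["ts"]), e["resource"], e["name"]))
    alerts = []
    for actor, dels in by_actor.items():
        dels.sort()
        for i, (t0, _, _) in enumerate(dels):
            in_window = [d for d in dels[i:] if d[0] - t0 <= window]
            classes = {d[1] for d in in_window}
            if len(classes) >= min_classes:
                alerts.append({"actor": actor, "start": t0.isoformat(),
                               "classes": sorted(classes), "count": len(in_window)})
                break  # one alert per actor is enough to page someone
    return alerts


def backup_isolation_findings(backups, now=NOW, max_test_age=timedelta(days=90)):
    """Map backup-set name to the isolation or testing gaps found: mutable storage,
    credentials shared with production, no offline copy, or a restore test older
    than max_test_age. Sets with no gaps are omitted."""
    findings = {}
    for b in backups:
        issues = []
        if not b["immutable"]:
            issues.append("not immutable: deletable by anyone with write access")
        if not b["separate_credentials"]:
            issues.append("shares production credentials: falls with the production domain")
        if not b["offline_copy"]:
            issues.append("no offline or offsite copy")
        tested = datetime.strptime(b["last_restore_test"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - tested > max_test_age:
            issues.append("restore test stale: not proven restorable in %d days" % max_test_age.days)
        if issues:
            findings[b["name"]] = issues
    return findings


if __name__ == "__main__":
    for a in find_destructive_bursts(SAMPLE_EVENTS):
        print("ALERT", a)
    for name, issues in backup_isolation_findings(SAMPLE_BACKUPS).items():
        print("BACKUP", name, "->", "; ".join(issues))
```

The window and class threshold are tuning knobs: the value of the check is that it keys on breadth across resource classes rather than raw deletion volume, so a legitimate retention job that prunes many snapshots of one kind is not the thing that pages the on-call engineer. The inventory audit is only as good as the inventory; the restore-test date in particular should come from an actual exercised restore, not from a field someone ticks.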