A cyberattack that disrupted parts of Los Angeles’ public transit network earlier this year has now been linked to a hacking group allegedly connected to Iran’s intelligence apparatus, according to new findings from an Israeli cybersecurity company.
The LA public transport cyberattack, which targeted the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March, was reportedly carried out by a group known as “Ababil of Minab,” researchers at Tel Aviv-based Gambit Security said in a report released Tuesday.
According to Gambit, the Iranian hackers behind the incident not only stole sensitive data but also attempted to damage systems and interfere with recovery efforts. The attack forced LACMTA to temporarily shut down portions of its network and disrupted several digital services used by passengers across Los Angeles.
Gambit Finds Evidence Linking Iranian Hackers to LACMTA Attack
The cybersecurity firm stated that at least 700 gigabytes of information were taken during the breach. The stolen material allegedly included emails, backups, databases, and other internal files belonging to LACMTA. Gambit said the data was discovered after it was accidentally exposed online.
Researchers added that forensic evidence connected the exposed server to a previously identified hacking campaign that Israeli officials and cybersecurity experts have attributed to Tehran.
The Los Angeles transit authority did not respond to questions regarding Gambit’s findings. However, in a statement released last month, LACMTA officials said they were working with law enforcement agencies and cybersecurity specialists to restore affected systems.

“Attribution is part of the investigation, and we will not speculate,” the statement said.
LA Public Transport Cyberattack Disrupted Passenger Services
The LA public transport cyberattack disrupted several passenger-facing digital systems in Los Angeles, including services displaying train and bus arrival times as well as functions allowing riders to add funds to digital transit cards. Despite the interruptions, LACMTA stated that transportation operations themselves were not affected.
Officials also maintained there was “no indication” that customer or employee data had been compromised.
Still, Gambit’s report suggested the Iranian hackers carried out a far more destructive operation than initially understood. The firm said the attackers deleted virtual machines, databases, and storage volumes while also damaging backup infrastructure.
According to the report, the goal appeared to extend beyond simple data theft.
“In some cases, the attackers also acted to destroy systems and impair the recovery capability of the affected organizations,” Gambit noted.
The attack on LACMTA has drawn increased attention because Los Angeles is scheduled to serve as one of the host cities for the FIFA 2026 World Cup, which begins on June 11, 2026. Cybersecurity experts have warned that transportation infrastructure could become an increasingly attractive target ahead of major international events.
Ababil of Minab Claimed Responsibility for the Los Angeles Cyberattack
Suspicion surrounding Iranian hackers emerged shortly after an obscure group calling itself “Ababil of Minab” publicly claimed responsibility for the attack. Approximately two weeks after LACMTA detected the intrusion around March 16, the group appeared online and said it had wiped large amounts of data during the operation.
The hackers also released a video that allegedly showed them navigating through the Los Angeles transit agency’s network during the cyberattack.
The name “Ababil of Minab” references a deadly bombing at a girls’ school in the Iranian city of Minab, where officials said more than 175 children and teachers were killed. Researchers noted that the group’s rhetoric and tactics closely resemble those used by so-called vigilante hacking groups that American and Israeli analysts believe operate as fronts for Iranian intelligence services.
Despite those allegations, the group has claimed to be an independent activist organization.
Eyal Sela, Gambit’s director of threat intelligence, said experts had already suspected a connection between Ababil and the Iranian government before the latest forensic findings emerged.
“A connection between Ababil and the Iranian state has been a working assumption,” Sela said.
“What our research adds is the forensic evidence to support it.”

