
Iranian Hackers Allegedly Breach Los Angeles Transit System


Researchers from Israeli cybersecurity firm Gambit Security claim that Iranian hackers caused a severe computer breach in March, leading to parts of Los Angeles’ transit network shutting down. The breach, targeting the Los Angeles County Metropolitan Transportation Authority (LACMTA), resulted in the theft of at least 700 gigabytes of emails, backups, and other files.

Gambit Security, based in Tel Aviv, discovered this information after the stolen data was accidentally exposed online. Their report, released Tuesday, links the server where the data was found to a hacking operation previously attributed to Tehran by Israeli officials and researchers.

Iran’s mission to the United Nations and Israel’s National Cyber Directorate did not respond to requests for comment. LACMTA also declined to comment on the findings but stated last month that it was collaborating with law enforcement and cyber experts to restore its systems. It added, “Attribution is part of the investigation and we will not speculate.”

Evidence initially pointing to Iranian involvement emerged after a group named Ababil of Minab claimed responsibility. The group’s name refers to a tragic incident in Minab, where a girls’ school bombing resulted in the deaths of over 175 children and teachers. Their methods align with known vigilante hacker groups, allegedly proxies for Iranian espionage, according to U.S. and Israeli researchers.

Eyal Sela, director of threat intelligence at Gambit, stated, “What our research adds is the forensic evidence to support it.” Gambit was founded by veterans of Unit 8200, Israel’s equivalent of the U.S. National Security Agency. The firm has alerted relevant authorities about its findings.

Ababil did not respond to messages left on its website. The FBI acknowledged awareness of the incident, stating that it is “coordinating with partners in response,” but declined to comment further. The Cybersecurity and Infrastructure Security Agency did not respond to requests for comment.

LACMTA identified the intrusion around March 16. Shortly after, Ababil announced online that they had erased substantial data through a cyberattack. They released a video claiming to show their access to the transit system’s network. Despite LACMTA officials’ assurance that train and bus operations continued, local media reported disruptions, such as malfunctioning arrival screens and issues with transit card payments.

Ababil also claimed responsibility for hacking South Florida’s Tri-Rail transit system, vehicle tracking company Vyncs, and Saudi firm Unimac. Tri-Rail confirmed a hack a month prior without critical data being compromised. Vyncs recognized a breach on April 2 but did not disclose data details. Both Tri-Rail and Vyncs reported FBI involvement in the investigations.

Gambit Security’s analysis of online data suggests that Ababil has also targeted a media organization and an educational institution in Israel and an insurance company in Turkey, though these were not publicly named.

The breach is part of a series of digital attacks by Iranian hackers since the U.S. and Israel began a campaign against Iran in February. Allegedly, these include a cyber assault on medical device company Stryker and the leaking of personal emails of FBI Director Kash Patel. They are also suspected of disrupting gas station fuel gauges, as reported by CNN.
