A cyberattack that disrupted Los Angeles public transit systems in March 2024 has been linked to Iranian intelligence services, according to research published by Tel Aviv-based cybersecurity firm Gambit Security. The attack targeted the Los Angeles County Metropolitan Transportation Authority (LACMTA), forcing temporary shutdowns of portions of its network and disrupting digital services used by passengers throughout the city. A hacking group calling itself "Ababil of Minab" claimed responsibility approximately two weeks after LACMTA detected the intrusion on March 16.
Gambit Security's investigation revealed that attackers exfiltrated at least 700 gigabytes of sensitive information, including emails, backups, databases, and internal files. Researchers discovered the stolen data after it was accidentally exposed online, with forensic evidence connecting the exposed server to a previously identified hacking campaign attributed to Tehran by Israeli officials and cybersecurity experts. The group's name references a 2023 bombing at a girls' school in Minab, Iran, where officials reported over 175 casualties.
The attack went beyond simple data theft, according to Gambit's findings. Attackers deliberately deleted virtual machines, databases, and storage volumes while damaging backup infrastructure to impair LACMTA's recovery capabilities. The hackers also released a video purportedly showing them navigating through the transit agency's network during the operation. Passenger-facing systems affected included train and bus arrival time displays and the digital functions for adding funds to transit cards, though LACMTA stated that actual transportation operations continued without interruption.
LACMTA has not confirmed Gambit's attribution findings and declined to comment on the research. In a statement released last month, transit authority officials said they were collaborating with law enforcement agencies and cybersecurity specialists to restore affected systems, adding that "attribution is part of the investigation, and we will not speculate." The agency has maintained there was no indication that customer or employee data was compromised, contradicting Gambit's assessment of the breach's scope.
The attack has raised concerns among cybersecurity experts given Los Angeles' role as a host city for the FIFA 2026 World Cup, which begins June 11, 2026. Transportation infrastructure may become an increasingly attractive target ahead of major international events. Eyal Sela, Gambit's director of threat intelligence, noted that while a connection between Ababil and the Iranian state had been a working assumption among analysts, the firm's research provides forensic evidence to support that attribution. The group claims to operate as an independent activist organization, though researchers say its rhetoric and tactics closely resemble those of vigilante hacking groups believed to serve as fronts for Iranian intelligence services.
Source: https://thecyberexpress.com/la-public-transport-cyberattack/


