Iranian government hackers infiltrated the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March, causing a major security breach that disrupted the transit system for weeks, according to new research from Israeli cybersecurity firm Gambit Security.
The findings highlight growing concerns about foreign interference in American critical infrastructure, particularly as tensions between Iran and the US continue to escalate. The attack represents the latest in a series of Iranian-backed cyberoperations disguised as independent hacktivist movements targeting Western infrastructure and corporations.
Gambit Security reported on Tuesday that forensic evidence links the breach to Iran’s Ministry of Intelligence and State Security (MOIS). A group calling itself “Ababil of Minab” claimed responsibility for the attack, saying they stole and then deleted data from LACMTA’s computer systems.
The group’s name references a 2020 US airstrike on an Iranian school in Minab that killed over 175 people, mostly children. However, Gambit researchers say this is not an independent hacktivist crew as the group claims, but rather another front for Iranian state-sponsored cyber operations.
“They are not a new, standalone hacktivist crew as they claim,” Gambit stated in their analysis. The security firm based its assessment on forensic evidence connecting the group to previous Iran-linked campaigns and activity previously attributed to MOIS by Israel’s National Cyber Directorate.
The LACMTA breach fits a troubling pattern of Iranian cyber activity targeting critical infrastructure. In April, a coalition of US agencies warned that Iranian hackers were specifically targeting American critical infrastructure systems, including transportation networks, power grids, and water treatment facilities.
This latest revelation comes as Iranian-linked cyber groups have significantly increased their operations following military strikes by the US and Israel on Iranian targets earlier this year. Security experts note that Iran often uses cyberattacks as a form of asymmetric warfare when facing conventional military pressure.
The fake hacktivist group strategy has become a signature tactic for Iranian intelligence operations. Earlier this year, another supposed hacktivist group called “Handala” attacked US medical technology giant Stryker, wiping thousands of company systems and employee devices. The FBI later seized Handala’s websites, and the Justice Department formally accused Iran’s government of orchestrating those attacks.
Gambit Security’s investigation also uncovered evidence of similar attacks by the same Iranian operators against companies in Israel, Saudi Arabia, and Turkey, suggesting a coordinated regional campaign against perceived adversaries of the Iranian regime.
The LACMTA attack demonstrates how vulnerable American public transportation systems remain to foreign cyber threats. Transit authorities across the country have struggled with aging computer systems and limited cybersecurity budgets, making them attractive targets for nation-state hackers seeking to cause maximum disruption with relatively low risk of retaliation.
Security researchers warn that these attacks serve multiple purposes for Iranian intelligence: they gather valuable intelligence on American infrastructure vulnerabilities, test cyber weapons and techniques, and send a message about Iran’s ability to strike back against US interests through digital means.