Iranian hackers were behind the cyber-attack that forced parts of the Los Angeles County Metropolitan Transportation Authority offline in March, according to research published on Tuesday by Gambit Security, a Tel Aviv cybersecurity firm that says it traced 700 gigabytes of stolen emails, backups and other files back to a server tied to a previously identified Iranian campaign.
The data was found, the firm said, after it was inadvertently left exposed on a publicly reachable server. From there, Gambit’s analysts followed configuration fingerprints back to an operation that Israeli officials and external researchers have separately attributed to Tehran.
The conclusion is not that an Iranian government unit personally typed the commands but that the infrastructure used in the LACMTA intrusion is part of a known Iranian apparatus.
The intrusion itself ran for several days in March before LACMTA’s security team noticed unauthorised activity and severed parts of its network. Bus and light-rail services kept running.
A group calling itself Ababil of Minab claimed responsibility in early April, posting Telegram screenshots that purported to show access to virtualisation infrastructure, web servers and, more concerningly, a rail yard management and train control display known internally as Division 11.
The group alleged it had wiped 500 terabytes of data and exfiltrated a further terabyte. LACMTA confirmed partial access by the attackers but did not validate the volumetric claims.
Ababil of Minab took its name from the bombing of a girls’ school in the Iranian city of Minab. US and Israeli researchers have, since its emergence, described it as the kind of self-styled vigilante group that often functions as a cut-out for Iranian state actors, with thin public history and rhetoric that matches Tehran’s.
The Gambit attribution closes some of that distance: a hacktivist front taking credit on one end, a known Iranian server holding the stolen files on the other.
The Los Angeles attack sits inside a broader pattern. Pro-Iran actors have visibly stepped up intrusions into US critical infrastructure over the past year, with documented breaches of municipal water-treatment facilities, gas-station tank-gauge systems and, now, public transit.
The Foundation for Defense of Democracies argued in a May 20 paper that exposed industrial-control systems and weak authentication across US local-government infrastructure have made the attacks easier than they would have been a decade ago.
What Iranian campaigns of this kind have, on the evidence so far, lacked is the operational capability to actually disrupt physical service at the train-control or grid-control level. The LACMTA breach reached a real-time rail yard display but did not, as far as has been disclosed, manipulate it.
Most pro-Iran activity in this category has stopped at data theft and the publication of screenshots intended to embarrass the target, rather than at outright sabotage. The line between those two outcomes is partly defended by good operational-technology segmentation and partly by political constraint. Both, security researchers have argued throughout 2026, are softer than they should be.
LACMTA declined to comment on the Gambit findings on Tuesday. The transit agency said in April that its forensic review was ongoing. The FBI and the Cybersecurity and Infrastructure Security Agency have not publicly attributed the attack.