New research from Dataminr detailed that a pro-Iranian threat actor known as Ababil of Minab has claimed responsibility for a cyberattack targeting the Los Angeles County Metropolitan Transportation Authority (LACMTA), alleging access to critical systems, including virtualization infrastructure, web servers, and an operational rail yard management system. The group published screenshots and video evidence via its Telegram channel and website, asserting it had compromised internal systems. However, the transit agency had not confirmed the breach at the time of reporting.
The Ababil of Minab attackers further claimed to have wiped 500 TB of data and exfiltrated 1 TB of sensitive information, while warning that the incident is ‘only the beginning’ and threatening additional attacks. Screenshots shared by the group appeared to show access to real-time rail yard management and train control displays, raising concerns about potential OT (operational technology) exposure and broader safety implications beyond a conventional IT system compromise. However, the extent of the intrusion remains unverified.
“The group claims administrative access to LACMTA’s VMware vCenter environment — managing approximately 1,421 VMs across 28 physical hosts — as well as IIS web servers hosting dozens of internal and public-facing LACMTA properties,” Dataminr said in its latest Cyber Intel Brief.
“Ababil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in threat intelligence reporting — making any definitive capability or intent assessment premature at this stage,” Dataminr wrote in its post. “Despite this low prior visibility, Dataminr’s real-time monitoring surfaced the group’s claims at the point of initial publication, providing early warning ahead of traditional intelligence channels.”
It added that “what can be cautiously observed from available evidence is that their explicit pro-Iran messaging and targeting of a major US public transit authority is broadly consistent with Iranian-aligned actors’ known pattern of targeting US critical infrastructure. The group’s escalatory language (‘our forthcoming actions will exact sterner pain’) may indicate further activity, though this should be treated as unverified rhetoric until corroborated by additional intelligence.”
The post noted that Ababil of Minab published claims via its Telegram channel and threat actor website, including a video and multiple screenshots purporting to demonstrate access to live LACMTA internal systems. “The group’s website displays explicitly pro-Iranian messaging. LACMTA has not publicly confirmed or denied the breach at the time of writing.”
Furthermore, “all published screenshots contain an ‘Activate Windows’ watermark in the bottom-right corner of the display. This watermark appears on Windows installations that have not been activated with a valid license.”
Dataminr detailed that in a properly managed enterprise environment, such as a large public agency like LACMTA, endpoints are typically activated automatically and silently through volume licensing via a Key Management Service (KMS) server, meaning legitimate LACMTA workstations would not display this watermark under normal circumstances. Its presence across all screenshots suggests they were likely captured from an attacker-controlled virtual machine, a pivot host, or a jump server rather than from a native LACMTA endpoint.
The post added that while this does not invalidate the access claims, since attackers routinely use unactivated VMs as operational infrastructure to view and interact with compromised systems remotely, it is a meaningful forensic indicator that should inform any verification effort by LACMTA’s internal security team.
Dataminr identified VMware vCenter Server as one of three distinct system categories reflected in Ababil of Minab’s published evidence, indicating administrative access to LACMTA’s core virtualization environment. The infrastructure appeared to include approximately 1,421 virtual machines, 28 physical hosts, around 430 GHz of CPU capacity, 7.79 TB of RAM, and 45 TB of active storage, with visible system alarms suggesting the environment was live at the time of capture. A compromise at this level would provide attackers with the ability to disrupt large numbers of virtual machines, deploy ransomware at scale, or establish persistent access across the organization’s server environment.
It also found evidence of administrator-level access to a Microsoft IIS Web Server instance hosting numerous internal and public-facing web properties. This access level could enable web defacement, credential interception via the SSO portal, and lateral movement into backend application infrastructure.
The most operationally sensitive system visible in the published evidence appears to be a rail yard management and train control display system, showing real-time rail car positions, track occupancy, car availability, and out-of-service counts for one of LACMTA’s division yards. This represents an operational technology environment, where unauthorized access could carry significant safety implications and may trigger critical infrastructure reporting requirements to agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration (TSA).
Dataminr advised immediate action to contain and assess the potential impact of the incident, beginning with a full audit of the VMware vCenter environment to identify unauthorized administrator accounts, recent configuration changes, snapshot activity, or virtual machine deletions, alongside a review of audit logs for sessions originating from unexpected IP ranges.
It also emphasized the urgency of verifying that rail yard management and train control systems are fully segmented from internet-facing IT networks, calling for immediate isolation measures and notification of operations and safety teams if any IT-to-OT connectivity is detected.
The guidance further recommends auditing IIS web servers for unauthorized file modifications, web shell activity, or configuration changes, particularly within single sign-on portals, while enforcing password resets for privileged accounts across affected systems, including service accounts with broad access.
Organizations are also urged to assess regulatory reporting obligations to agencies such as CISA and TSA, continue monitoring threat actor channels for new disclosures, and block known indicators of compromise, including domain activity linked to the group’s infrastructure.
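To make the vCenter and IIS audit steps above concrete, the following is an added example of the kind of triage script a defender might run over exported audit data. It is not code from the Dataminr brief, from LACMTA, or from VMware or Microsoft tooling. The event records, the trusted management network range, the privileged-account baseline, the file hashes and all paths are constructed assumptions; real vCenter event exports and IIS file listings have different shapes and would need a thin adapter.

```python
"""Added example (not from the Dataminr brief or any LACMTA system): triage
helpers for two of the recommended audit steps, run over constructed sample
data. Record shapes, IP ranges, account names and digests are assumptions."""
import ipaddress
from pathlib import PureWindowsPath

# Assumed baseline for the vCenter review: administrative sessions are expected
# only from the management network and only from these accounts.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
KNOWN_PRIVILEGED_USERS = {"svc-backup", "jdoe"}

# Event type names follow vSphere's naming; the record layout itself is constructed.
DESTRUCTIVE_EVENTS = {"VmRemovedEvent", "VmPoweredOffEvent"}
SNAPSHOT_TASKS = {"CreateSnapshot_Task", "RemoveSnapshot_Task", "RevertToSnapshot_Task"}

# Constructed sample events (not real LACMTA data).
SAMPLE_VCENTER_EVENTS = [
    {"time": "2025-01-10T02:14:05Z", "user": "svc-backup", "src_ip": "10.20.5.17",
     "type": "UserLoginSessionEvent"},
    {"time": "2025-01-10T02:31:44Z", "user": "admin-tmp", "src_ip": "198.51.100.23",
     "type": "UserLoginSessionEvent"},
    {"time": "2025-01-10T02:33:10Z", "user": "admin-tmp", "src_ip": "198.51.100.23",
     "type": "VmRemovedEvent", "vm": "rail-ops-db01"},
    {"time": "2025-01-10T02:35:52Z", "user": "jdoe", "src_ip": "198.51.100.23",
     "type": "TaskEvent", "task": "CreateSnapshot_Task", "vm": "sso-portal"},
    {"time": "2025-01-10T09:00:00Z", "user": "jdoe", "src_ip": "10.20.7.44",
     "type": "UserLoginSessionEvent"},
]


def flag_vcenter_events(events, trusted_nets=TRUSTED_ADMIN_NETS,
                        known_users=KNOWN_PRIVILEGED_USERS):
    """Return events worth an analyst's attention: sessions from outside the
    trusted ranges, accounts missing from the baseline, VM deletions/power-offs,
    and snapshot activity. Each finding lists every reason that applied."""
    findings = []
    for ev in events:
        reasons = []
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in trusted_nets):
            reasons.append("session from outside trusted admin ranges")
        if ev["user"] not in known_users:
            reasons.append("account not in privileged-user baseline")
        if ev["type"] in DESTRUCTIVE_EVENTS:
            reasons.append("destructive VM operation")
        if ev["type"] == "TaskEvent" and ev.get("task") in SNAPSHOT_TASKS:
            reasons.append("snapshot activity")
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"],
                             "src_ip": ev["src_ip"], "type": ev["type"],
                             "vm": ev.get("vm"), "reasons": reasons})
    return findings


# Server-side script extensions IIS will execute, and directories that should
# only ever hold static content.
SERVER_SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".cer"}
CONTENT_DIR_NAMES = {"uploads", "images", "temp"}

# Constructed known-good baseline (placeholder digests, not real hashes).
IIS_BASELINE = {
    r"C:\inetpub\wwwroot\sso\login.aspx": "sha256:BASELINE-LOGIN",
    r"C:\inetpub\wwwroot\index.html": "sha256:BASELINE-INDEX",
    r"C:\inetpub\wwwroot\css\site.css": "sha256:BASELINE-CSS",
}

# Constructed current listing of the same web root.
SAMPLE_IIS_FILES = [
    {"path": r"C:\inetpub\wwwroot\sso\login.aspx", "sha256": "sha256:CHANGED-LOGIN",
     "mtime": "2025-01-10T02:40:11Z"},
    {"path": r"C:\inetpub\wwwroot\uploads\img.aspx", "sha256": "sha256:NEW-FILE",
     "mtime": "2025-01-10T02:41:03Z"},
    {"path": r"C:\inetpub\wwwroot\index.html", "sha256": "sha256:BASELINE-INDEX",
     "mtime": "2024-11-02T10:00:00Z"},
    {"path": r"C:\inetpub\wwwroot\css\site.css", "sha256": "sha256:BASELINE-CSS",
     "mtime": "2024-11-02T10:00:00Z"},
]


def flag_iis_files(files, baseline=IIS_BASELINE):
    """Compare a web-root listing against a known-good hash baseline and flag
    new or modified files, plus executable scripts sitting in content-only
    directories (a common place for web shells to turn up)."""
    findings = []
    for f in files:
        reasons = []
        p = PureWindowsPath(f["path"])
        expected = baseline.get(f["path"])
        if expected is None:
            reasons.append("file not present in baseline")
        elif expected != f["sha256"]:
            reasons.append("content changed since baseline")
        dirs = {part.lower() for part in p.parts[:-1]}
        if p.suffix.lower() in SERVER_SCRIPT_EXTENSIONS and dirs & CONTENT_DIR_NAMES:
            reasons.append("server-side script in a content/upload directory")
        if reasons:
            findings.append({"path": f["path"], "mtime": f["mtime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in flag_vcenter_events(SAMPLE_VCENTER_EVENTS):   # 3 findings on the sample
        print("vCenter:", hit)
    for hit in flag_iis_files(SAMPLE_IIS_FILES):             # 2 findings on the sample
        print("IIS:", hit)
```

On the constructed sample the vCenter pass flags the two `admin-tmp` events (an account outside the baseline, connecting from outside the management network, one of them removing a VM) and the snapshot created by a baseline account from an unexpected address; the IIS pass flags the changed SSO login page and a new `.aspx` file under `uploads`. The point of returning every applicable reason per record, rather than stopping at the first, is that the combination (unknown account, external source, destructive action) is what separates an incident from a noisy single alert.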