The recent disruptive cyberattack that targeted the Los Angeles public transportation system has been linked to the Iranian government.
The Los Angeles County Metropolitan Transportation Authority (LACMTA), widely known as LA Metro, discovered a breach in mid-March. The cybersecurity incident led to internal operational disruptions at LA Metro, but did not impact rail and bus services.
LA Metro representatives said in early April that hundreds of servers had to be checked for signs of compromise before they could be brought back online.
A few days later, the attack on LA Metro was claimed by Ababil of Minab, which purports to be a pro-Iran hacktivist group. The threat actor allegedly wiped hundreds of terabytes of data and exfiltrated more than 1TB worth of files.
The hackers published screenshots and videos to demonstrate that they had access to LA Metro’s internal systems, including a core virtualization management platform, a Microsoft IIS web server instance hosting internal and public-facing assets, and even an operational technology (OT) system used to monitor trains.
“Ababil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in threat intelligence reporting — making any definitive capability or intent assessment premature at this stage,” threat and risk intelligence firm Dataminr reported at the time.
Israeli cyber resilience firm Gambit has analyzed the Ababil of Minab group and found links to infrastructure previously used by hackers tied to the Iranian government.
“Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew, as they claim,” Gambit said in its report. “Forensic evidence ties the operation to infrastructure and activity associated with Black Shadow, an Iran-linked group, which was attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security.”
Gambit identified attacks launched by Ababil of Minab against organizations in the US, Israel, Saudi Arabia, and Turkey. The attackers were seen exfiltrating data in all attacks and in some cases conducted destructive activities.
“The victims include an Israeli organization in the media sector, an Israeli higher education institution, a Turkish insurance brokerage, and several additional websites across the restaurant, culture, digital services, and news sectors,” Gambit said.
Related: US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites
Related: Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions
Related: Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday
Related: Stryker Says Malicious File Found During Probe Into Iran-Linked Attack
