Stock Markets May 26, 2026 06:18 AM

Israeli Firm Links March LA Transit Cyber Disruption to Iranian-Linked Hackers

Gambit Security says at least 700 GB of transit emails, backups and files were taken and tied to a server linked to a Tehran-attributed operation

By Leila Farooq

Tel Aviv-based cybersecurity firm Gambit Security reported that hackers tied to Iran carried out a March intrusion at the Los Angeles County Metropolitan Transportation Authority (LACMTA), exfiltrating at least 700 gigabytes of data. Gambit said it discovered the misappropriated files after they were inadvertently exposed online and that forensic traces connect the server where those files were found to a previously observed campaign attributed by Israeli officials and researchers to Tehran. Authorities and several organizations cited in the report have not publicly confirmed attribution.

Key Points

  • Gambit Security discovered at least 700 gigabytes of LACMTA emails, backups and files exposed on a server linked to a Tehran-attributed campaign.
  • The pro-Iran group Ababil of Minab claimed responsibility and has also claimed hacks at Tri-Rail, Vyncs and Unimac; the FBI is coordinating responses in several cases.
  • The incidents affect public transportation, mobility services, and infrastructure sectors, illustrating cross-sector cyber vulnerability.

Overview

Israeli cybersecurity researchers say an Iranian-linked hacking operation was responsible for a disruptive breach in March that forced parts of Los Angeles’ transit network offline. In a report published by Gambit Security, the Tel Aviv-based firm said it found at least 700 gigabytes of emails, backups and other files taken from the Los Angeles County Metropolitan Transportation Authority (LACMTA) after the stolen data was accidentally exposed on a server it discovered.

Forensic link to a Tehran-attributed campaign

Gambit said the server where it located the misappropriated material left a digital trail tying it to a hacking operation that Israeli officials and researchers have previously attributed to Tehran. The company reported the link in a Tuesday publication and said it provided its findings to relevant authorities.

Gambit’s director of threat intelligence, Eyal Sela, said investigators had been operating on a working assumption that the group taking credit - known as Ababil of Minab - had ties to the Iranian state. "What our research adds is the forensic evidence to support it," Sela said in the company’s report.

Responses from governments and affected organizations

Iran’s mission to the United Nations did not reply to requests for comment, and Israel’s National Cyber Directorate also did not respond to messages seeking reaction to Gambit’s findings. The Los Angeles transit authority did not respond to questions about the security firm’s report.

In a statement issued last month as it worked to restore systems, LACMTA said it was coordinating with law enforcement and cyber specialists. The authority added: "Attribution is part of the investigation and we will not speculate."

The FBI confirmed awareness of the incident and said it was coordinating with partners in response, but declined further comment. The U.S. Cybersecurity and Infrastructure Security Agency did not respond to messages seeking comment.

Who is Ababil of Minab?

Digital security specialists had suspected an Iranian connection after the attack because an obscure pro-Iran group calling itself Ababil of Minab took credit. The group’s name refers to a bombing in the Iranian city of Minab that officials there say killed more than 175 children and teachers. Gambit said the group’s rhetoric and tactics are characteristic of self-styled vigilante hacker outfits that U.S. and Israeli researchers allege operate as cut-outs for Iranian intelligence.

Ababil did not respond to messages left via a contact form on its website, according to Gambit.

Operational details and local impacts

LACMTA said it detected the intrusion around March 16. Roughly two weeks after that detection, Ababil appeared online claiming it had wiped a large quantity of data and published a video that the group said showed it moving through the transit agency’s network.

Los Angeles transit officials have maintained that the breach did not halt train or bus services, but local media reported service interruptions, including some arrival screens being disabled and customers being unable to load funds onto transit cards.

Other alleged targets and broader campaign

Ababil has also taken credit for cyber incidents affecting other organizations, Gambit’s analysis and reporting indicate. The group claimed responsibility for hacks linked to South Florida’s Tri-Rail commuter system, vehicle tracking company Vyncs, and a Saudi infrastructure firm called Unimac.

Tri-Rail confirmed it had been hacked "about a month ago" and said in a statement that the compromised data was not critical to operations. Vyncs owner Agnik said the company detected its breach on April 2 but declined to describe the nature of the data taken. Both Tri-Rail and Agnik said the FBI was involved in response efforts. Agnik told investigators by email that the bureau "has a pretty good understanding of who these criminals are." Unimac did not respond to requests for comment.

Gambit said the group behind Ababil has also targeted organizations whose identities the company has not publicly disclosed. The firm cited evidence of intrusions into a media organization and an educational institution in Israel, and an insurance brokerage in Turkey, but declined to identify those entities further.

Context cited in the report

Gambit’s findings appear against the backdrop of what the firm and others describe as a steady tempo of alleged Iranian digital operations since the U.S. and Israel launched a war against Iran in late February. The report referenced prior incidents attributed to Iranian hackers, including a damaging assault on the medical device maker Stryker and the leak of personal emails belonging to FBI Director Kash Patel. The report also noted allegations that Iranian actors remotely tampered with fuel gauges at gas stations, an item that was reported by CNN earlier this month.

What Gambit reported to authorities

The security startup, which Gambit noted was founded in part by veterans of Unit 8200 - an Israeli intelligence unit often compared to the U.S. National Security Agency - said it had alerted the relevant authorities after finding the exposed files. Beyond that notification, Gambit provided the forensic analysis it said links the exposed server to the Tehran-attributed operation.


Key points

  • Gambit Security reported at least 700 gigabytes of LACMTA data were stolen and later found exposed on a server linked to a Tehran-attributed hacking operation.
  • The pro-Iran group Ababil of Minab claimed responsibility and has also asserted credit for breaches at Tri-Rail, Vyncs and Unimac; investigators including the FBI are involved in multiple cases.
  • The incidents touch public transportation, private mobility services, and critical infrastructure sectors, underscoring cross-sector vulnerability to destructive cyber operations.

Risks and uncertainties

  • Attribution remains contested - several agencies and affected organizations have either declined to confirm Gambit’s conclusions or have not responded, leaving official attribution unresolved. This uncertainty affects legal and diplomatic responses and may slow remediation efforts - impacting public transit and government cyber response sectors.
  • Operational follow-on risk - the disclosure that substantial volumes of files were exfiltrated and briefly exposed raises the prospect of further data exposure or use, posing continued risk to affected organizations and their customers in transportation, insurance, education and media sectors.
  • Campaign continuity - Gambit and others describe a series of incidents attributed to Iranian-linked actors since late February, indicating a continued tempo of operations that could affect additional civilian and commercial targets across multiple market sectors.

Note: Where organizations or officials did not respond to inquiries, the article reflects that lack of public comment as reported.

Risks

  • Attribution remains unresolved publicly - several agencies and organizations have declined to confirm Gambit’s conclusions, complicating official response and potential diplomatic or legal actions.
  • Stolen files were exposed online, creating the risk of further leaks or malicious use of that data across affected transit, insurance, education, and media organizations.
  • A continued tempo of alleged Iranian-linked operations since late February suggests ongoing threat activity that could target additional civilian and commercial systems, impacting infrastructure and market stability.
