
Iran-Linked Hackers Tied to Los Angeles Transit Cyberattack, Researchers Say

  • May 27

A cyberattack that disrupted systems at the Los Angeles County Metropolitan Transportation Authority is now being attributed to Iranian state-backed actors, according to new research that points to a broader escalation in cyber activity targeting U.S. infrastructure.

Researchers at Gambit Security say the group behind the March breach, calling itself Ababil of Minab, is likely linked to Iran’s Ministry of Intelligence and State Security. The group had claimed to act independently, but investigators say the evidence suggests otherwise.

“They are not a new, standalone hacktivist crew as they claim,” said Gambit.

The incident fits a growing pattern of state-backed actors posing as hacktivists to blur attribution and amplify impact. Similar tactics have been seen in campaigns tied to Handala, which was linked to a destructive attack on Stryker earlier this year.

Security experts say transit systems are especially vulnerable due to their interconnected infrastructure and public visibility.

“This incident reflects a broader shift we are seeing in Iranian cyber operations: the growing willingness to combine espionage, disruption, and psychological impact in a single campaign,” said Ensar Seker, CISO at SOCRadar.

Even without impacting safety systems, attacks on scheduling, communications, or internal platforms can create widespread disruption. In this case, the reported theft of large volumes of internal data adds another layer of risk.

“The theft of hundreds of gigabytes of internal data alongside network disruption suggests the attackers were not simply conducting intelligence collection, but also positioning themselves for coercive influence and operational impact,” Seker said.

The breach highlights a larger trend as geopolitical tensions increasingly play out in civilian infrastructure.

“Transportation, healthcare, energy, and municipal services are becoming symbolic and strategic targets for adversaries seeking asymmetric pressure,” Seker added.

As investigations continue, the attack underscores how modern cyber campaigns are blending disruption, data theft, and influence operations into a single playbook.
