Iranian Hackers Linked to LACMTA Breach, Employing Destructive Tactics
A recent report by **Gambit Security** has linked the March breach of the Los Angeles County Metropolitan Transportation Authority (LACMTA) to Iranian hackers with ties to the Ministry of Intelligence of the Islamic Republic of Iran (**MOIS**). The group, known as **Ababil of Minab**, initially claimed to be a hacktivist crew, but evidence suggests a direct connection to previous Iran-backed cyber activities.
## Iranian Hackers Behind LACMTA Breach: Gambit Security Report
Researchers at **Gambit Security** have released a report detailing the connection between the hacking group **Ababil of Minab** and the **MOIS**. The group claimed responsibility for the LACMTA breach, asserting they exfiltrated data and damaged the transit system's infrastructure.
### Evidence Linking Ababil of Minab to MOIS
The report highlights forensic evidence linking **Ababil of Minab** to prior Iran-backed hacks, including activities previously attributed to Iran’s intelligence service by Israel’s National Cyber Directorate. The researchers also discovered custom exfiltration tools used by the group.
### Destructive Tactics
According to the report, the attackers employed a multi-faceted approach to inflict maximum damage, targeting virtualization, storage, and backup infrastructure to prevent recovery. This involved both automated scripts and manual intervention to erase databases, virtual machines, and storage volumes.
> “Where destruction occurred, the playbook combined multiple techniques across virtualization, storage, and backup infrastructure to deny recovery,” the report states.
### Broader Targeting
Beyond the LACMTA breach, **Ababil of Minab** is implicated in attacks against a range of organizations, including an Israeli media outlet, an Israeli university, a Turkish insurance brokerage, and various websites in the restaurant, culture, digital services, and news sectors. Organizations in Saudi Arabia were also reportedly targeted.
### Velocity and Sophistication of Attacks
The report emphasizes the speed and sophistication of the campaign, noting a shift towards targeting recovery layers directly.
> “Modern intrusion operators are moving from initial access straight into the recovery layer, virtualization, backups, storage volumes, to maximize destruction and deny remediation,” according to the report.
### The Rise of AI in Cyberattacks
The report also raises concerns about the increasing accessibility of sophisticated attack techniques due to AI.
> “As AI capabilities become widely available, any actor, skilled or not, will be able to execute this kind of campaign.”
### MOIS-Linked Groups Masquerading as Hacktivists
**Ababil of Minab** is not the first **MOIS**-linked group to pose as hacktivists. The group **Handala**, which claimed responsibility for a cyberattack on medical device maker **Stryker**, is also believed to be backed by **MOIS**, despite portraying itself as an independent, pro-Palestine group.