Researchers say the March cyberattack on Los Angeles Metro was likely carried out by Iranian state-linked hackers, not just a self-described hacktivist group. LA Metro said the breach caused internal operational disruption and required hundreds of servers to be checked before restoration, while the attackers claimed to have wiped hundreds of terabytes and stolen more than 1 terabyte of data. Gambit linked the operation to infrastructure associated with Black Shadow, a group previously attributed to Iran's Ministry of Intelligence and Security, and said the attackers also accessed systems including virtualization management, Microsoft IIS servers, and a train-monitoring operational technology system.
Why it matters: A breach at a major transit agency raises concern not only about data theft but also about disruption to public services and potential access to operational systems. Transit operators and other public-sector defenders should review exposure of administrative platforms and monitoring systems, hunt for data theft and destructive activity, and treat claimed hacktivist incidents as possible state-backed operations.
2026.05.27
This is the same underlying event: the March breach of the Los Angeles County Metropolitan Transportation Authority. The article adds that Gambit Security attributes the operation specifically to an Iran MOIS-linked group calling itself Ababil of Minab, describes destructive activity against databases, virtual machines, storage volumes, and backups, and notes additional victims in Israel, Turkey, Saudi Arabia, and other sectors.
Eduard Kovacs
2026.05.27
This article establishes a distinct tracked story by adding substantive attribution and technical context to the previously reported LA Metro breach, tying the incident to Iranian state-linked infrastructure and broader targeting.