Iranian state hackers breached the Los Angeles transit system and wiped data to extend the disruption

TechCrunch

Iranian state-backed hackers breached the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March 2026, stealing data and then deliberately deleting it to maximize disruption — a tactic that forced the agency into a multi-week recovery operation, according to TechCrunch reporting by Lorenzo Franceschi-Bicchierai. Israeli cybersecurity firm Gambit Security attributed the attack to Iran's Ministry of Intelligence and State Security (MOIS), which it says operated under the fake hacktivist persona "Ababil of Minab."

The disclosure adds a major US public infrastructure target to a growing list of Iranian cyber operations that have intensified in 2026 following US and Israeli military strikes against Iran earlier in the year. LA Metro is the second-largest public transit system in the United States, serving over 300,000 riders daily across buses, light rail, and subway lines.

How the Attack Unfolded

The intrusion began in March 2026. The attackers gained access to LACMTA systems, exfiltrated data, and then wiped the stolen files from the agency's own infrastructure — a double-impact tactic designed not just to steal information but to degrade the agency's operational capacity and extend the recovery timeline. LACMTA confirmed the breach in April 2026. The agency did not publicly disclose the full scope of what was stolen or deleted, but recovery from the data destruction took several weeks.

The group behind the attack used the name "Ababil of Minab" — a reference to a US airstrike on a school in the Iranian city of Minab that killed over 175 people, most of them children, during the early 2026 US-Iran military confrontation. The use of a geopolitically charged fake persona is a consistent tactic in Iranian state-sponsored operations: it allows MOIS to pursue strategic cyber objectives while creating plausible deniability and amplifying the propaganda value of successful intrusions.

Attribution and the Broader Pattern

Gambit Security's attribution of the attack to MOIS operatives fits a documented pattern. Iranian threat actors, including groups operating under the MOIS umbrella, have increasingly adopted "hack-and-leak" and "hack-and-destroy" tactics against US critical infrastructure — moving beyond the espionage-focused operations that characterized earlier Iranian activity into operations designed for disruption and psychological impact.

The same playbook was used earlier in 2026 against Stryker, the US medical technology company, by a group operating under similar hacktivist cover. In both cases, the initial intrusion was followed by data exfiltration, deletion, and a public claim by the fake persona, intended to maximize attention and complicate rapid attribution. The tactic creates a gap between the observed disruption and the confirmed state sponsorship, buying time and sowing confusion in the response phase.

The US government had flagged this trend directly. In April 2026, the FBI, CISA, and partner agencies issued a joint advisory warning US critical infrastructure operators of escalating Iranian cyber targeting, specifically calling out transit, healthcare, and utilities sectors as priority targets. The advisory followed a series of FBI seizures of websites operated by pro-Iranian hacking groups earlier in the year.

Why Transit Systems Are Being Targeted

Public transit agencies are an attractive target for state-sponsored disruption operations for several reasons. They run aging operational technology (OT) networks that were not designed with modern cybersecurity requirements in mind. They are heavily dependent on interconnected IT and OT systems for scheduling, ticketing, communications, and safety. And because they serve large urban populations, successful disruptions generate significant public visibility — which is the point for a state actor pursuing psychological impact rather than quiet intelligence collection.

The data-destruction component of the LACMTA attack is particularly noteworthy. Unlike ransomware, where recovery is in principle possible after a ransom payment, deliberate deletion of data is irreversible without functioning backups. If LACMTA's backup systems were also compromised, the multi-week recovery timeline reflects the time required to rebuild systems from partial backups or from scratch — a much more damaging outcome than a typical ransomware incident.

What Other Infrastructure Operators Should Take From This

The LACMTA attack reinforces several lessons that apply broadly to critical infrastructure operators. First, Iranian threat actors are using geopolitical events — US military strikes on Iran — as operational triggers for cyber campaigns that follow quickly. Organizations in sectors previously warned by federal advisories should treat the current geopolitical environment as an elevated threat period, not a baseline one.

Second, backup integrity is now a first-order concern in defending against both ransomware and destructive attacks. The effectiveness of a data-deletion attack depends entirely on whether the target can recover from offline, immutable, air-gapped backups. Organizations that have not tested their backup restoration process under simulated loss-of-infrastructure conditions should treat that gap as urgent.

Third, the fake hacktivist persona pattern means initial public claims of responsibility from unknown groups should not be taken at face value. Attribution takes time, and the delay between an attack and confirmed state attribution is a feature of the operation design, not a bug.

Originally reported by TechCrunch. Read the original article for additional details.
