Iranian hackers were behind the cyber-attack that forced parts of the Los Angeles County Metropolitan Transportation Authority offline in March, according to research published on Tuesday by Gambit Security, a Tel Aviv cybersecurity firm that says it traced 700 gigabytes of stolen emails, backups and other files back to a server tied to a previously identified Iranian campaign.
The data was found, the firm said, after it was inadvertently left exposed on a publicly reachable server. From there, Gambit’s analysts followed configuration fingerprints back to an operation that Israeli officials and external researchers have separately attributed to Tehran.
The conclusion is not that an Iranian government unit personally typed the commands but that the infrastructure used in the LACMTA intrusion is part of a known Iranian apparatus.
The intrusion itself ran for several days in March before LACMTA’s security team noticed unauthorised activity and severed parts of its network. Bus and light-rail services kept running.
A group calling itself Ababil of Minab claimed responsibility in early April, posting Telegram screenshots that purported to show access to virtualisation infrastructure, web servers and, more concerningly, a rail yard management and train control display known internally as Division 11.









