LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers

The recent disruptive cyberattack that targeted the Los Angeles public transportation system has been linked to the Iranian government.

The Los Angeles County Metropolitan Transportation Authority (LACMTA), widely known as LA Metro, discovered a breach in mid-March. The cybersecurity incident led to internal operational disruptions at LA Metro, but did not impact rail and bus services.

LA Metro representatives said in early April that hundreds of servers had to be checked for signs of compromise before they could be brought back online.

A few days later, the attack on LA Metro was claimed by Ababil of Minab, which purports to be a pro-Iran hacktivist group. The threat actor allegedly wiped hundreds of terabytes of data and exfiltrated more than 1TB worth of files.

The hackers published screenshots and videos to demonstrate that they had access to LA Metro’s internal systems, including a core virtualization management platform, a Microsoft IIS web server instance hosting internal and public-facing assets, and even an operational technology (OT) system used to monitor trains.