The LA Metro Attack Wasn’t Hacktivism. It Was a State Operation With a Costume On.

https://securityaffairs.com/192764/hacktivism/the-la-metro-attack-wasnt-hacktivism-it-was-a-state-operation-with-a-costume-on.html?amp

Publish Date: 2026-05-27 09:51:00

Source Domain: securityaffairs.com

Pierluigi Paganini
May 27, 2026

Iran’s “hacktivist” group Ababil of Minab, which hit LA Metro and wiped terabytes of data, is forensically linked to Iran’s intelligence service MOIS.

In late March, a group calling itself Ababil of Minab posted videos and screenshots online claiming it had broken into the Los Angeles County Metropolitan Transportation Authority, wiped hundreds of terabytes of data, and stolen more than a terabyte of files. It framed itself as a pro-Iran hacktivist collective. Researchers at Israeli firm Gambit Security took one look at the infrastructure and didn’t buy it.

LA Metro confirmed the breach on April 2, 2026. The attack forced the authority to check hundreds of servers for signs of compromise before bringing them back online. Rail and bus services kept running, but internal operations were disrupted for weeks. The timing of the intrusion is visible in the attacker’s own footage: at 03:37 AM on March 17, LA Metro posted on X that service alerts were delayed and riders couldn’t load fares on the TAP Mobile App. That tweet went up hours after the attacker had already deleted virtual machines from LA Metro’s vCenter environment. The destruction wasn’t random clicking.

“The actor carried out destruction using two methods: scripted automation and hands-on keyboard. In the scripted mode, the operator runs a program that iterates through an inventory and issues the destructive command against each entry,” reads the report published by Gambit Security. “In the interactive mode, the operator opens the management consoles and operating system tools a legitimate administrator would use and deletes resources by pointing and clicking through them.”

The attacker opened vCenter, selected virtual machines, issued Power Off followed by Delete from Disk, and watched…
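The two destruction modes the report distinguishes, a script iterating an inventory and an operator clicking through vCenter, leave different traces in the vCenter event stream, and that is what a defender can alert on: many VM removals by one principal in a short window, each preceded by a power-off of the same VM, at a cadence too regular for a human. The script below is an added example, not code from the article or from Gambit Security's report. The event type names VmPoweredOffEvent and VmRemovedEvent are standard vSphere event IDs; the sample records, user names, VM names, the five-minute window and the "median gap under 5 seconds means scripted" heuristic are all constructed assumptions.

```python
"""Flag burst VM destruction in vCenter-style event records.

Added example, not from the article or the Gambit Security report.
VmPoweredOffEvent / VmRemovedEvent are real vSphere event IDs; the
sample data and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events: (timestamp, event type, user, VM name).
# "svc-backup" removes four VMs at a fixed 2 s cadence (scripted pattern);
# "jdoe" removes one VM during the day (routine admin work, no alert).
SAMPLE_EVENTS = [
    ("2026-03-17T00:12:00", "VmPoweredOffEvent", "svc-backup", "erp-db-01"),
    ("2026-03-17T00:12:01", "VmRemovedEvent",    "svc-backup", "erp-db-01"),
    ("2026-03-17T00:12:02", "VmPoweredOffEvent", "svc-backup", "erp-app-01"),
    ("2026-03-17T00:12:03", "VmRemovedEvent",    "svc-backup", "erp-app-01"),
    ("2026-03-17T00:12:04", "VmPoweredOffEvent", "svc-backup", "fileshare-02"),
    ("2026-03-17T00:12:05", "VmRemovedEvent",    "svc-backup", "fileshare-02"),
    ("2026-03-17T00:12:06", "VmPoweredOffEvent", "svc-backup", "tap-api-03"),
    ("2026-03-17T00:12:07", "VmRemovedEvent",    "svc-backup", "tap-api-03"),
    ("2026-03-17T14:05:12", "VmPoweredOffEvent", "jdoe",       "test-vm-old"),
    ("2026-03-17T14:06:40", "VmRemovedEvent",    "jdoe",       "test-vm-old"),
]


def find_destruction_bursts(events, window=timedelta(minutes=5), min_vms=3):
    """Return one alert per user who removed at least `min_vms` distinct VMs
    inside any `window` span. Each alert lists the VMs, the time span, how
    many removals followed a power-off of the same VM by the same user within
    one minute ("Power Off" then "Delete from Disk"), and whether the cadence
    looks scripted (median gap between removals under 5 s; a heuristic)."""
    poweroffs = defaultdict(dict)   # user -> {vm: last power-off time}
    removals = defaultdict(list)    # user -> [(time, vm)]
    for ts, etype, user, vm in sorted(events):
        t = datetime.fromisoformat(ts)
        if etype == "VmPoweredOffEvent":
            poweroffs[user][vm] = t
        elif etype == "VmRemovedEvent":
            removals[user].append((t, vm))

    alerts = []
    for user, items in removals.items():
        items.sort()
        best, best_count, start = None, 0, 0
        # Sliding window over this user's removals; keep the densest span.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            count = len({vm for _, vm in span})
            if count >= min_vms and count > best_count:
                best, best_count = span, count
        if best is None:
            continue
        times = [t for t, _ in best]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        staged = sum(
            1 for t, vm in best
            if vm in poweroffs[user]
            and timedelta(0) <= t - poweroffs[user][vm] <= timedelta(minutes=1)
        )
        alerts.append({
            "user": user,
            "vms": sorted({vm for _, vm in best}),
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
            "staged_power_off": staged,
            "likely_scripted": bool(gaps) and median(gaps) < 5.0,  # heuristic
        })
    return alerts


if __name__ == "__main__":
    for alert in find_destruction_bursts(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the tuples would come from the vCenter event log or a SIEM feed rather than the embedded list, and the window and threshold should be tuned against the site's normal change rate; a single routine deletion, like the jdoe record in the sample, stays below the default threshold while an inventory sweep by one account does not.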