Iranian hackers working for Tehran’s Ministry of Intelligence and Security stole at least 700 gigabytes of files from Los Angeles Metro in March and reached the rail-yard control display for Division 11, according to a report published Tuesday by Gambit Security, the Tel Aviv firm that found the data sitting on an attacker-owned server exposed to the open internet.
The attribution is the third public link in three months between MOIS-tied operators and a United States civilian target, and the second time private Israeli researchers have moved faster than Washington to put a flag on a Tehran doorway.
## Division 11 and the Rail-Yard Screen the Hackers Reached
The intrusion at the Los Angeles County Metropolitan Transportation Authority (LACMTA) was detected around March 16. By the time it surfaced publicly on April 9, the pro-Iran outfit Ababil of Minab was posting screenshots on Telegram claiming a far deeper sweep than the agency had disclosed.
The Dataminr intel brief on the LA Metro intrusion cataloged what the attackers said they touched:
- Administrative access to VMware vCenter infrastructure managing roughly 1,421 virtual machines across 28 physical hosts
- Microsoft IIS web servers hosting public-facing properties including boardclerk.metro.net and sso.metro.net
- A real-time rail-yard management and train-control display known internally as Division 11
- Unverified claims of 500 terabytes of data destruction and 1 terabyte of exfiltration
Gambit later cross-checked these claims against a misconfigured server it found in the wild, narrowing the confirmed haul to roughly 700 gigabytes of emails, backup archives and operational files. The screenshots Ababil published carry an “Activate Windows” watermark, suggesting they came from an attacker-controlled pivot host rather than native LACMTA endpoints.
Service-side, the breach did not stop trains or buses. It did black out arrival screens at several stations and locked riders out of topping up TAP fare cards for a window. That gap between operational damage and the data lake the hackers carried away is the gap regulators tend to undercount.
## Why MOIS Hides Behind the Ababil Persona
Ababil of Minab takes its name from the February 28 US airstrike on a girls’ school in the southern Iranian town of Minab. Iranian officials say the attack killed more than 175 children and teachers. The group’s rhetoric, its threat of “forthcoming actions to exact sterner pain,” and its narrow Telegram-and-website distribution all match the pattern of self-styled hacktivist fronts that Israeli and US researchers have repeatedly traced back to Iranian intelligence.
The clearest precedent is Handala, the persona that the US Justice Department formally attributed to Iran’s Ministry of Intelligence and Security on March 20. Handala has spent the spring claiming the Stryker wipe and the leak of FBI Director Kash Patel’s personal emails. Gambit’s report places Ababil in the same category.
> Attribution to the Iranian state has been a working assumption. What our research adds is the forensic evidence to support it.
That line is from Eyal Sela, Gambit’s director of threat intelligence, in the firm’s Tuesday report. The forensic piece matters because it converts a Telegram boast into a chain a court or sanctioning body can follow.
## The Wartime Tempo Since February 28
Read alone, the LACMTA story looks like a single bad day for a municipal transit agency. Read alongside the rest of the spring’s incidents, it looks like the operational tempo of a state at war.
### Stryker, March 11
Eleven days after the kinetic war began, the Handala group compromised the medical-device giant’s Microsoft Intune administrator account and pushed a simultaneous factory-reset command to more than 200,000 enrolled devices across 79 countries. Order processing, manufacturing and shipping went dark for days. The Justice Department named Iran’s MOIS as the operator nine days later.
### Patel’s Gmail, March 27
Handala published more than 300 emails and photos from what appeared to be the FBI Director’s personal Gmail account, with messages dated roughly 2011 to 2022. The bureau acknowledged the breach, called the material “historical in nature,” and posted a reward of up to ten million dollars for information on the group.
### Gas-Station Tank Gauges, Mid-May
US officials told reporters this month that Iranian operators had probed unsecured automatic tank-gauge (ATG) systems, the controllers that report fuel volumes back to station operators, in multiple states, in some cases tampering with display readings without altering actual fuel levels. The risk frame is straightforward: an attacker who can hide a leak indicator can also help a leak go undetected.
Stack those alongside the LA breach and a single cadence becomes legible. The Canadian Centre for Cyber Security’s bulletin on Iranian cyber threat response to the February strikes told private operators to expect exactly this rhythm: opportunistic intrusions of soft civilian targets, hack-and-leak operations against named officials, and intermittent operational-technology probes designed to telegraph capability without quite crossing a redline.
| Date detected | Target | Claimed operator | What they reached | US attribution status |
|---|---|---|---|---|
| March 11 | Stryker | Handala | 200,000+ corporate devices wiped via Intune | DOJ named MOIS, March 20 |
| March 16 | LA Metro (LACMTA) | Ababil of Minab | 700 GB files, rail-yard display | FBI “coordinating”; no public name |
| March 27 | Kash Patel personal Gmail | Handala | 300+ emails, 2011 to 2022 | FBI confirmed breach; no formal attribution |
| Around April 2 | Vyncs / Agnik (vehicle tracking) | Ababil of Minab | Undisclosed dataset | FBI engaged; no public name |
| Mid-May | US gas-station tank gauges | Suspected Iran | ATG display readings tampered | Officials suspect; no formal attribution |
## Tri-Rail, Vyncs and the Civilian-Target Pattern
Beyond Los Angeles, Ababil has claimed three other intrusions that fit the same shape. South Florida’s Tri-Rail commuter system confirmed it had been hacked “about a month ago” but said none of the affected data was critical. Vyncs, the consumer vehicle-tracking product, was breached around April 2 according to its owner Agnik, which said the FBI “has a pretty good understanding of who these criminals are” but declined to characterize the stolen data. Unimac, the Saudi infrastructure firm Ababil also named, has not responded publicly.
The Tel Aviv researchers said the group’s victim list runs further than its public boasts. Sela said his team identified additional, undisclosed Ababil intrusions at a media organization and an educational institution in Israel and an insurance brokerage in Turkey.
What links these targets is what they are not. None are federal classified networks. None are NATO weapons programs. They are commuter rail boards, fleet-tracking startups, gas-station back ends, hospital supply chains. The choice is deliberate. Soft civilian operators with limited security budgets are where a state actor can demonstrate reach, generate media noise, and stress-test defender response without triggering Article 5 conversations.
And these are the targets where, as civilian cyber-warfare exposure has compounded across the past decade, the gap between offensive capability and defensive readiness is widest.
## Gambit, Unit 8200, and Private Attribution Work
Gambit Security launched in 2024 with three Unit 8200 alumni at the helm: CEO Alon Gromakov, CPO Sa’ar Elias and CTO May Kogan. The firm closed a $56 million round earlier this year, marketed around cyber-resilience rather than intrusion forensics, which makes its public attribution report on LACMTA a notable widening of brief.
The methodology Gambit described is unglamorous and effective. Its analysts found 700 gigabytes of LACMTA material sitting on a misconfigured server, then matched configuration fingerprints from that server to infrastructure already linked in prior research to Iranian campaigns. No zero-day. No undisclosed informant. Just a careless storage bucket and a database of known bad infrastructure.
That methodology is part of why Israel’s 8200-veteran cyber industry now publishes faster than the US interagency cycle can clear language for release. Where Washington needs DOJ, FBI, CISA and ODNI to sign the same document, a Tel Aviv firm with a quarterly threat brief needs only its own counsel.
The trade-off is real. Private attribution is published on a vendor’s timeline, framed by a vendor’s commercial interest, and not subject to the evidence chain a sanctioning body requires. But for the riders whose TAP cards stopped working in March, a Tel Aviv firm’s name on the breach is more public information than they have so far received from any US agency.
## What the FBI Confirms and What It Does Not
The official US posture on LACMTA so far is a sentence and a half. The Federal Bureau of Investigation said it was aware of the incident and was “coordinating with partners in response,” then declined further comment. The Cybersecurity and Infrastructure Security Agency did not return requests for comment. LACMTA itself said only that “attribution is part of the investigation and we will not speculate.” Iran’s mission to the United Nations and Israel’s National Cyber Directorate also did not respond.
Stack that against the Justice Department’s posture on the medical-device wipe, where formal MOIS attribution came nine days after the intrusion, and a pattern emerges: the federal government is publicly naming Iran on attacks that hit Fortune 500 enterprises and federal officials, and staying quiet on attacks that hit municipal operators and consumer tech companies.
That asymmetry has consequences. Local agencies left to negotiate their own breach disclosures with an unnamed adversary tend to under-invest in attribution-driven mitigations. They patch what was hit. They do not necessarily harden against the operator who hit them, because they have not officially been told who that operator is. Israel’s own parallel run of Iranian incidents around the region in the same window shows how quickly an unnamed adversary becomes a permanent one.
If the next Ababil disclosure names a US water utility, an airport baggage system or a county election database, the question for Washington will be whether private threat-intel firms keep getting there first. If that pattern holds through the summer, the operational story of this war’s cyber front will end up written by Tel Aviv quarterly reports rather than US federal advisories, and the riders, patients and motorists on the receiving end will read about who breached their systems from a foreign vendor’s PDF.
