Israeli researchers link Iran government to LA Metro cyberattack

Security company Gambit said the March hack could be traced to Iran’s Ministry of Intelligence and Security, rather than a hacktivist group that had previously claimed responsibility.

A cyberattack that crippled a transit system in Los Angeles in March appears to have been carried out not by a pro-Iran hacker group, but by a government ministry, according to new research.

Gambit, an Israeli security company, said in an analysis released this week that new forensic evidence suggests that the Iran Ministry of Intelligence and Security was responsible for the attack on the Los Angeles County Metropolitan Transportation Authority, known as LA Metro. The attack forced the transit agency to shut down access to some of its network after its security team found unauthorized activity, although it said bus and rail service was unaffected.

Gambit’s analysis found that the group responsible is not a new, standalone hacktivist group, but is instead the group Black Shadow, which has links to Iran’s Ministry of Intelligence and Security. Initially, a new pro-Iranian hacking group called Ababil of Minab had claimed responsibility for the attack and published claims on Telegram that they said showed them accessing LA Metro’s internal systems. Gambit said those claims were false.

According to the research, hackers infiltrated a virtual machine on LA Metro’s network and deleted it, as well as its underlying files. Hours later, LA Metro said a “technical issue” was delaying service alerts and preventing riders from loading fares onto their mobile app. Hackers then continued to infiltrate virtual systems and delete files.

The analysis found that the group had also hit organizations in Israel, Saudi Arabia and Turkey, as well as the South Florida Regional Transportation Authority, where the group took databases offline and deleted them. The hackers also appear to have used ChatGPT to improve their scripts and make their hacks more effective, Gambit said.

“What makes this campaign matter beyond the attribution is the velocity,” Gambit researchers wrote. “Modern intrusion operators are moving from initial access straight into the recovery layer, virtualization, backups, storage volumes, to maximize destruction and deny remediation. The skill required to do that at scale is collapsing in parallel. As AI capabilities become widely available, any actor, skilled or not, will be able to execute this kind of campaign.”

Experts have long warned of the threat Iran could pose to U.S. critical infrastructure as it looks to retaliate for the ongoing war in its country and the surrounding region. Other observers said hacking efforts like the ones made against LA Metro and SFRTA should have officials worried, especially if they are backed by Iranian government agencies.

TJ Sayers, senior director of threat intelligence at the Multi-State Information Sharing and Analysis Center, drew a comparison to Handala Hack Team, which emerged in 2023 as a pro-Palestinian hacktivist group judged to be responsible for several cyberattacks during the ongoing war in Iran and is also allegedly operated by Iran’s Ministry of Intelligence and Security.

“Aside from their claimed allegiance with Iranian state causes, very little information was available on Ababil of Minab at the time they claimed the attack,” Sayers continued in an email. “This is not uncharacteristic for emerging Iranian hacktivist collectives, especially with reference to any ties directly to state or state sanctioned activities.”

The ministry was sanctioned in 2022 for what then-Secretary of State Antony Blinken and the U.S. Department of the Treasury’s Office of Foreign Assets Control described as “malign cyber activities,” which included cyberattacks against critical infrastructure. Israel’s top cyberdefense official recently warned that Iran’s hackers are coordinating with each other more closely, too.

Experts said the hacks in Los Angeles and elsewhere represent something of an escalation in Iran’s efforts to wreak havoc in cyberspace. Ensar Seker, chief information security officer at threat intelligence platform SOCRadar, said it shows the nation’s “growing willingness to combine espionage, disruption, and psychological impact in a single campaign.”

“Transportation systems are particularly attractive targets because even limited operational disruption can generate immediate public visibility, media attention, and pressure on local governments,” Seker continued in an email. “In this case, the theft of hundreds of gigabytes of internal data alongside network disruption suggests the attackers were not simply conducting intelligence collection, but also positioning themselves for coercive influence and operational impact.”

Seker warned that targeted organizations need to be hyper-vigilant, especially as the incident shows that regional conflicts can “increasingly spill” into civilian digital infrastructure that is often far away from the immediate conflict zone.

“Organizations should also pay attention to the data exposure aspect of this incident,” Seker said. “The theft of backups, emails, and internal documentation can create long-term downstream risks including follow-on phishing campaigns, extortion attempts, infrastructure mapping, and targeting of employees or contractors. Many organizations still treat operational disruption and data theft as separate problems, but modern state-aligned actors increasingly combine both into multi-stage campaigns.”
