LIVE NEWSROOM · --:-- · May 28, 2026

LA Metro Iranian Cyberattack: MOIS Stole 700GB, Hit Train Control Systems


A March 2026 cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA, also known as LA Metro — the agency that operates the Los Angeles subway and bus rapid transit network serving 10 million residents) has been attributed to operatives working for Iran's Ministry of Intelligence and Security (MOIS) by Israeli cybersecurity firm Gambit Security. The breach, which was initially claimed by a group calling itself Ababil of Minab and framed as a hacktivist operation, in fact involved the theft of at least 700 gigabytes of data including emails, backups, and internal files, as well as documented access to VMware vCenter environments, IIS web servers, and critically, a rail yard management and train control display system. Recovery from the breach took several weeks.

// 01 LA Metro Iranian Cyberattack: Technical Details

Gambit Security published its attribution report on May 27, 2026, linking the LACMTA breach to Iranian state-sponsored operations based on forensic evidence tying the infrastructure and tradecraft used in the LA Metro attack to earlier campaigns previously attributed to MOIS by the Israel National Cyber Directorate.

The attack chain, as reconstructed by Gambit Security and reported by TechCrunch and The Times of Israel, included access to:

  • VMware vCenter — the management platform used to oversee virtualized server infrastructure, giving attackers visibility into and potential control over the virtual machines hosting LACMTA's operational systems
  • IIS web servers — Microsoft's web server platform, likely hosting internal web applications and portals
  • Rail yard management and train control display systems — operational technology (OT) infrastructure used to monitor and coordinate rail operations

The access to train control display systems is the most operationally significant element. OT systems that interface with physical infrastructure — trains, switches, signals, and maintenance systems — sit at the boundary between the cyber and physical domains. Unauthorized read access can expose operational schedules, train positions, and infrastructure configurations; write access could theoretically disrupt service or cause safety incidents.

The data theft totaled at least 700 gigabytes of emails, backup files, and internal documents. In April 2026, Ababil of Minab published materials on Telegram purporting to show their access to LACMTA's internal systems, which Gambit Security subsequently investigated and verified as genuine.

LA Metro MOIS attack campaign — Iran state-sponsored operation

// 02 The Ababil of Minab Cover Identity

The use of a fabricated hacktivist identity to attribute state-sponsored operations to a non-state actor is a well-established Iranian intelligence tactic. Gambit Security's report identifies Ababil of Minab as a manufactured front group, consistent with the pattern of Iranian MOIS operations that have been documented using similar cover personas in other countries.

The most prominent recent example of this pattern is the group known as Handala, which the Times of Israel reported had previously executed a destructive attack on U.S. medical technology company Stryker, wiping thousands of company systems and employee devices while presenting itself as a hacktivist collective.

The practical effect of the cover identity is twofold: it provides Iran with plausible deniability ("we have no control over independent hacktivists"), and it complicates attribution in the critical early hours and days after an incident when defenders most need accurate threat actor identification to understand the scope and intent of an attack.

// 03 Who Is Affected

The LACMTA breach directly affected the LA Metro transit agency and, by extension, the riders and employees whose data was stored in the stolen files. More broadly, this incident is significant for:

  • U.S. critical infrastructure operators — transit agencies, utilities, airports, and other public sector entities that are increasingly targeted by Iranian state-sponsored threat actors
  • Security teams responsible for OT/ICS environments — the transit control system access in this breach is a case study in the risk of inadequate network segmentation between IT and OT domains
  • State and local government security teams — LACMTA is a county agency, and the breach demonstrates that sub-federal government entities are within the targeting aperture of nation-state adversaries

The broader campaign documented by Gambit Security — which includes targets in Israel, Saudi Arabia, and Turkey using the same infrastructure and tactics — suggests this is an active Iranian intelligence collection operation rather than an isolated incident.

// 04 What You Should Do Right Now

  • Assess OT/IT network segmentation: If your organization operates physical infrastructure management systems (transit, utilities, manufacturing, facilities), verify that OT networks are properly segmented from IT networks. The LACMTA breach demonstrates that attackers who gain access to IT infrastructure (VMware vCenter) can pivot to OT systems if network boundaries are not enforced.
  • Review VMware vCenter access controls and audit logs: VMware vCenter is a frequently targeted entry point for infrastructure-wide attacks. Ensure MFA is enforced, access is limited to named accounts, and audit logs are actively monitored for anomalous administrative actions.
  • Implement data exfiltration monitoring: 700 gigabytes of data does not leave a network silently. Review DLP (Data Loss Prevention) policies and network monitoring thresholds for large outbound data transfers, particularly to cloud storage and file-sharing endpoints.
  • Brief leadership on the hacktivist-as-cover tactic: When a hacktivist group claims an attack, the initial assumption should not be that attribution is straightforward. Ensure incident response leadership understands the pattern of state-sponsored actors using hacktivist front groups as a deliberate intelligence tactic.
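One way to put the exfiltration-volume check above into practice, as an added example that is not from the article or from any vendor product: it sums outbound bytes per internal host to addresses outside the configured internal prefixes over a sliding 24-hour window, so that both a single bulk transfer and a slow drip spread across many sessions trip the same threshold, while internal-to-internal traffic such as backup replication is ignored. The flow records, the internal prefix list and the 100 GB threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

GB = 1024 ** 3

# Assumed internal address space; adjust to your own allocation.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample flow records (timestamp, source, destination, bytes sent).
# Illustrative only; not data from the LACMTA incident.
SAMPLE_FLOWS = [
    ("2026-03-10T01:00:00", "10.20.5.17", "10.20.9.4",    400 * GB),  # internal backup replication
    ("2026-03-10T01:10:00", "10.20.5.17", "203.0.113.50",  60 * GB),  # three uploads to outside hosts
    ("2026-03-10T02:30:00", "10.20.5.17", "203.0.113.50",  90 * GB),
    ("2026-03-10T04:05:00", "10.20.5.17", "198.51.100.7",  80 * GB),
    ("2026-03-10T09:00:00", "10.20.7.3",  "203.0.113.50",   2 * GB),  # ordinary cloud sync
    ("2026-03-12T03:00:00", "10.20.7.3",  "198.51.100.7",   3 * GB),
]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def find_bulk_outbound(flows, threshold_bytes=100 * GB, window=timedelta(hours=24)):
    """Return {src_ip: peak_bytes} for internal hosts whose outbound volume to
    external addresses exceeds threshold_bytes within any window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if is_internal(src_ip) and not is_internal(dst_ip):
            by_src[src].append((datetime.fromisoformat(ts), int(nbytes)))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        total, start = 0, 0
        for end, (ts_end, nbytes) in enumerate(events):
            total += nbytes
            # Slide the window forward: drop events older than `window` before this one.
            while ts_end - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > threshold_bytes:
                hits[src] = max(hits.get(src, 0), total)
    return hits

if __name__ == "__main__":
    for src, total in find_bulk_outbound(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {total / GB:.0f} GB to external addresses within 24h")
```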

// 05 Background: Understanding the Risk

Iran's use of cyber operations against critical infrastructure has intensified since at least 2021 and has accelerated through 2025–2026. Defense One noted in April 2026 that pro-Iran hackers have specifically increased the pace of critical infrastructure cyberattacks, targeting physical-world systems whose disruption or compromise has direct public impact.

Transit agencies are particularly attractive targets because they sit at the intersection of high public visibility and often underfunded cybersecurity. Many transit authorities have aging IT infrastructure and legacy OT systems originally designed without network connectivity, which have since been integrated with IP networks for operational efficiency — but without the security architecture that would be applied to new systems.

The use of VMware vCenter as an entry point into both IT and OT domains is not unique to this breach. vCenter's privileged position in virtualized infrastructure has made it a target in multiple nation-state campaigns, including the ALPHV ransomware group's ESXiArgs attacks and earlier Chinese APT operations against industrial targets.

// 06 Conclusion

The LA Metro breach is evidence that Iranian state-sponsored actors are actively targeting U.S. critical infrastructure with a blend of data theft, fabricated hacktivist attribution, and operational technology access. Transit and infrastructure operators should treat OT/IT segmentation, VMware access hardening, and mass data transfer monitoring as immediate security priorities.

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.