Iranian intelligence (MOIS) behind LA Metro hack disguised as 'Ababil of Minab' hacktivists - hundreds of terabytes wiped
Israeli firm Gambit Security has forensically linked the late-March attack on the Los Angeles County Metropolitan Transportation Authority to Iran's Ministry of Intelligence and Security (MOIS), despite the attackers branding themselves as the pro-Iran hacktivist collective 'Ababil of Minab.' The group posted videos claiming it wiped hundreds of terabytes and stole over a terabyte of files. LA Metro confirmed the breach on April 2, 2026, and had to check hundreds of servers for compromise before bringing them back online. The case illustrates a recurring pattern of state operations wearing a hacktivist costume to provide deniability while targeting critical infrastructure.
- Check: Critical-infrastructure and transit operators: treat 'hacktivist' claims of destructive attacks as possible state-operation cover. Hunt for wiper precursors and bulk-deletion activity. Validate offline backup integrity.
- Affected: US critical infrastructure, especially transit authorities. Iran's MOIS uses fake-hacktivist fronts (here, Ababil of Minab) to claim destructive attacks while preserving deniability.
- Fix: Maintain tested offline backups resilient to wipers. Segment OT/IT networks. Monitor for mass-deletion and destructive commands. Coordinate with CISA and ISACs on Iranian APT indicators.
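One way to implement the bulk-deletion hunting and mass-deletion monitoring named in the Check and Fix items, as an added example that is not from Gambit Security or LA Metro: a sliding-window check over file-audit events. The log format, host and account names, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed audit lines: 'ISO-timestamp host account action path'."""
    base = datetime(2026, 1, 1, 2, 0, 0)
    lines = []
    # Routine activity: one user removes five temp files over 40 minutes.
    for i in range(5):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} fs01 alice DELETE /home/alice/tmp/f{i}")
    ts = base + timedelta(minutes=45)
    lines.append(f"{ts.isoformat()} fs01 alice WRITE /home/alice/report.docx")
    # Burst: one account removes 300 files across 20 directories in one minute.
    for i in range(300):
        ts = base + timedelta(hours=1, milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} fs02 svc_backup DELETE /shares/d{i % 20}/f{i}")
    return lines

def detect_bursts(lines, window=timedelta(seconds=60), min_deletes=100, min_dirs=5):
    """Return {(host, account): first time the burst threshold was crossed}.

    Flags an account that deletes at least min_deletes files spread over at
    least min_dirs directories inside the window. Requiring several
    directories keeps a single large temp-folder cleanup from alerting.
    Input lines are assumed to be in time order.
    """
    recent = defaultdict(deque)  # (host, account) -> (timestamp, directory)
    alerts = {}
    for line in lines:
        ts_text, host, account, action, path = line.split(" ", 4)
        if action != "DELETE":
            continue
        ts = datetime.fromisoformat(ts_text)
        queue = recent[(host, account)]
        queue.append((ts, path.rsplit("/", 1)[0]))
        # Evict events that have fallen out of the sliding window.
        while ts - queue[0][0] > window:
            queue.popleft()
        directories = {d for _, d in queue}
        if len(queue) >= min_deletes and len(directories) >= min_dirs:
            alerts.setdefault((host, account), ts)
    return alerts

if __name__ == "__main__":
    for (host, account), when in detect_bursts(build_sample()).items():
        print(f"mass deletion: {account}@{host} crossed threshold at {when}")
```

Thresholds need tuning against a baseline of normal deletion rates per host, since backup rotation and build cleanup jobs legitimately delete in bulk.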