LA Metro Hack Was Part of an Iranian Campaign
Israeli cybersecurity firm Gambit Security attributes the March 2025 LA Metro payment disruption to Iranian state hackers posing as hacktivists.

A March 2025 cyberattack that crippled the payment network for Los Angeles public transit was the work of Iranian state-sponsored hackers, according to a new report from Israeli cybersecurity firm Gambit Security. The attack, which disrupted the LA Metro's mobile contactless payment system, was initially claimed by a group calling itself "Ababil of Minab" under the guise of hacktivism. However, Gambit's investigation reveals the group is a front for Iran's Ministry of Intelligence and Security, linked to the well-known threat actor MuddyWater (also tracked as Black Shadow and Static Kitten).
The attackers employed a combination of automation, hands-on-keyboard activity, and AI assistance to penetrate LA Metro's IT, application, virtualization, and backup infrastructure. Gambit found that the hackers deleted virtual machines and used backup software to wipe disks, forcing the transit agency to warn riders that they could not load funds onto the TAP mobile app. The breach also resulted in the theft of at least 700 gigabytes of emails and backups, compounding the operational disruption.
Based on proof-of-attack videos published by Ababil of Minab, Gambit determined that the group either ran a destructive script or escalated privileges to a legitimate administrator account and manually deleted resources through management consoles. The attackers also used ChatGPT to refine a Python script designed to enumerate and drop databases across the environment of Vyncs, a vehicle tracking company that was also targeted. "Modern intrusion operators are moving from initial access straight into the recovery layer, virtualization, backups, storage volumes, to maximize destruction and deny remediation," said Nir Varon, cyberthreat researcher at Gambit.
The LA Metro incident was not an isolated event. The same group claimed responsibility for wiping SQL databases at South Florida's Tri-Rail commuter transit system, deleting volumes at Saudi Arabian civil construction company UNIMAC, and running destructive scripts at Vyncs. In each case, backups were also deleted, indicating a deliberate strategy to maximize damage and hinder recovery. After the LA Metro attack, board member Fernando Dutra told the Los Angeles Times that the agency had to individually check 1,400 servers before bringing systems back online.
MuddyWater has a long history of politically motivated cyberattacks, including a 2021 breach of Israeli web hosting company Cyberserve that leaked data from an LGBTQ app and medical records of 290,000 patients. The group also targeted an Israeli insurance company with ransomware in 2020. Iranian state hackers have increasingly used the pretense of hacktivism to obscure their operations, most recently through a group called "Handala," which penetrated medical device manufacturer Stryker and used Microsoft Intune to remotely wipe devices and servers.
The attribution of the LA Metro hack to Iranian state actors underscores the growing sophistication of Tehran's cyber operations and their willingness to target critical infrastructure. The use of AI tools like ChatGPT to refine attack scripts also highlights a troubling trend: as artificial intelligence capabilities become more accessible, even less skilled actors can execute highly destructive campaigns. The incident serves as a stark reminder that hacktivist claims should be scrutinized, as they may mask state-sponsored attacks aimed at disrupting essential services and sowing chaos.