A pro-Iranian hacking group that claimed the March breach of Los Angeles Metro is likely not the independent hacktivist operation it claims to be, according to new research from Gambit Security.
Gambit says forensic evidence ties the group, known as Ababil of Minab, to infrastructure and activity associated with a previous Iran-linked campaign, including activity publicly attributed by Israel’s National Cyber Directorate to Iran’s Ministry of Intelligence and Security.
“Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew as they claim,” Gambit said in its report. “Forensic evidence ties the current operation to infrastructure and activity associated with a previous Iran-linked campaign, including activity publicly attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security.”
Ababil claims blur hacktivism and state-linked activity
The group’s name appears to reference a reported strike on a girls’ school in Minab, Iran, which Iranian officials say killed more than 175 children and teachers. Reuters noted it had not independently verified those casualty figures.
Meanwhile, Ababil’s public messaging fits a familiar pattern: a self-described hacktivist persona claiming retaliation while researchers and government agencies look for state-linked infrastructure behind the scenes.
Gambit’s director of threat intelligence, Eyal Sela, said that a connection between Ababil and the Iranian state “has been a working assumption” in the security community. “What our research adds is the forensic evidence to support it,” he said.
LA Metro breach raised operational technology concerns
The most visible victim was the Los Angeles County Metropolitan Transportation Authority, or LACMTA, which detected unauthorized activity in March and limited employee access to internal administrative computer systems while it worked with law enforcement and cybersecurity specialists.
Metro said essential rail and bus service continued to run uninterrupted, but the restrictions affected some customer-facing systems, including arrival screens and some TAP card reload options. Metro has not publicly confirmed Ababil’s claims about the volume of data stolen or destroyed.
Gambit said it recovered at least 700GB of emails, backups and other LACMTA files from an exposed server tied to the attackers. Ababil has gone further, claiming on Telegram that it wiped 500TB of data and exfiltrated another terabyte. Those figures remain attacker claims and have not been confirmed by LACMTA.
The more serious question, Gambit points out, is what systems were impacted.
Screenshots published by Ababil purport to show administrative access to LACMTA’s VMware vCenter environment, managing roughly 1,421 virtual machines across 28 physical hosts, along with IIS web servers and a real-time rail yard management and train control display known as Division 11, according to Dataminr.
If accurate, that would push the incident beyond a conventional IT compromise and into operational technology territory, with potential safety implications beyond a data breach. But the claims remain unverified.
Screenshots and data claims remain unverified
Dataminr also noted that every screenshot the group published carried an “Activate Windows” watermark. That does not disprove the access claims, but it suggests the images may have been captured through attacker-controlled infrastructure, a jump box or another intermediary system rather than directly from a native LACMTA workstation.
Iranian-linked hacking personas have a history of using public claims and dramatic screenshots to amplify their impact. LACMTA has confirmed unauthorized activity and system restrictions, but it has not validated Ababil’s most expansive claims.
Ababil has also claimed attacks affecting South Florida’s Tri-Rail commuter system, vehicle-tracking company Vyncs and Saudi infrastructure firm Unimac. Reuters reported that Tri-Rail confirmed it had been hacked and said none of the affected data was critical. Vyncs owner Agnik said it detected a breach April 2 but declined to describe the stolen data. Unimac has not responded to requests for comment.
Gambit said it also identified unnamed media, educational and insurance organizations in Israel and Turkey through data the attackers left exposed online.
Ababil attacks targeted recovery systems
The campaign does not look like ordinary ransomware. Gambit said the attackers showed little interest in encrypting data for payment. Instead, they focused on disruption: taking databases offline, deleting data, targeting virtual machines, interfering with GPS tracking tools and going after backup infrastructure.
In one incident, Gambit said the actor used SQL Server Management Studio to take databases offline, drop active connections and then delete database objects.
The pattern is more destructive than extortionate. The attackers went after the recovery layer — virtualization, storage and backups — making it harder for victims to restore systems cleanly. Gambit’s case study centers on IT and recovery infrastructure, not attacks on embedded industrial devices or appliances.
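As an added defender-side example (not code from Gambit's report or this article), the detector below scans constructed SQL Server audit-style records for the sequence described above: a database forced offline, followed shortly by DROP statements from the same login. The record format, login names, database names and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed audit-style records (hypothetical; format and values are not from
# Gambit's report). One record per statement, roughly what a SQL Server Audit
# export flattened to text might look like.
SAMPLE_AUDIT = [
    "2026-03-14T02:11:05 login=CORP\\svc_backup db=master stmt=SELECT name FROM sys.databases",
    "2026-03-14T02:12:40 login=CORP\\svc_backup db=master stmt=ALTER DATABASE Ridership SET OFFLINE WITH ROLLBACK IMMEDIATE",
    "2026-03-14T02:13:30 login=CORP\\svc_backup db=master stmt=DROP DATABASE Ridership",
    "2026-03-14T02:13:31 login=CORP\\svc_backup db=master stmt=DROP DATABASE FareMedia",
    "2026-03-14T09:00:00 login=CORP\\dba_jane db=master stmt=ALTER DATABASE Staging SET OFFLINE",
    "2026-03-14T15:30:00 login=CORP\\dba_jane db=Staging stmt=DROP TABLE dbo.TmpImport",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.*)$")
OFFLINE_RE = re.compile(r"\bALTER\s+DATABASE\b.*\bSET\s+OFFLINE\b", re.I)
DROP_RE = re.compile(r"^\s*DROP\s+(DATABASE|TABLE|VIEW|PROCEDURE|INDEX)\b", re.I)

def parse_record(line):
    """Parse one flattened audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_destructive_sequences(lines, window=timedelta(minutes=15)):
    """Flag logins that take a database offline and then drop objects within `window`.
    SET OFFLINE ... WITH ROLLBACK IMMEDIATE forcibly disconnects every session on the
    database, so that form raises the alert severity to high."""
    last_offline = {}  # login -> most recent SET OFFLINE record for that login
    alerts = []
    for rec in filter(None, map(parse_record, lines)):
        stmt = rec["stmt"]
        if OFFLINE_RE.search(stmt):
            last_offline[rec["login"]] = rec
        elif DROP_RE.match(stmt):
            prior = last_offline.get(rec["login"])
            if prior and rec["ts"] - prior["ts"] <= window:
                forced = "ROLLBACK IMMEDIATE" in prior["stmt"].upper()
                alerts.append({
                    "login": rec["login"],
                    "offline_at": prior["ts"].isoformat(),
                    "drop_stmt": stmt,
                    "severity": "high" if forced else "medium",
                })
    return alerts

if __name__ == "__main__":
    for alert in find_destructive_sequences(SAMPLE_AUDIT):
        print(alert)
```

The routine DBA who takes a staging database offline in the morning and drops a scratch table hours later is not flagged; the two drops that follow a forced offline within a minute are.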
Gambit said it also recovered custom exfiltration tooling and matched backend infrastructure to earlier Black Shadow operations, a campaign Israeli officials and researchers have tied to Iran’s Ministry of Intelligence and Security.
US agencies warn of Iran-linked critical infrastructure attacks
The Ababil campaign is separate from another wave of Iran-affiliated activity U.S. agencies warned about in April, but the timing and targets put it in the same broader risk picture.
On April 7, the FBI, CISA, NSA, Environmental Protection Agency, Department of Energy and U.S. Cyber Command’s Cyber National Mission Force warned that Iran-affiliated APT actors were targeting internet-facing operational technology devices, including Rockwell Automation/Allen-Bradley programmable logic controllers.
The agencies said that since at least March, Iranian-affiliated actors had disrupted PLCs across multiple U.S. critical infrastructure sectors, including government services and facilities, water and wastewater systems, and energy. The advisory said the activity included manipulation of data on human-machine interface and SCADA displays, causing operational disruption and financial loss.
Handala and Ababil follow a similar public-claim playbook
Other recent activity has followed a similar public-claim model. The Iran-linked group Handala claimed responsibility for a March cyberattack on medical device maker Stryker, saying it wiped more than 200,000 devices. Stryker confirmed a cyberattack disrupted order processing, manufacturing and shipping, but it has not confirmed Handala’s device count or the full scope of the claimed data destruction.
The lesson for defenders is not to take every public claim at face value, researchers say. It is to pay attention to where the attackers are aiming: backups, virtual machines and admin tools — the systems organizations need most when they are trying to recover.
Recovery infrastructure is now part of the attack surface
The practical warning from the Ababil campaign is not that every claim should be accepted at face value. It is that destructive actors are increasingly targeting the systems organizations need most after an intrusion.
That makes recovery infrastructure part of the attack surface. For critical infrastructure operators, the lesson is blunt: backups, virtual machines, administrative consoles and identity systems are not secondary assets. They may be the first things attackers try to break when the goal is disruption, not ransom.

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity