Last month, L.A. Metro powered down sections of its network after hacking activity was discovered. The Metro is still working to restore systems even weeks later, as the Los Angeles Times reports the Metro must review “about 1,400 servers individually to ensure they are secure before restoring access and bringing systems back online.” New intelligence from Dataminr suggests a pro-Iranian actor is responsible. 

According to the intelligence, threat actor Ababil of Minab claims to be behind the cyberattack, allegedly possessing administrative access to: 

• Virtualization infrastructure
• Web servers
• An operational rail yard management system

Additionally, the threat actor claims to have destroyed 500 TB of data and exfiltrated 1 TB of sensitive information. These claims have not yet been independently verified. 

Who is Ababil of Minab? The intelligence report discovered the group is “an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in threat intelligence reporting,” which makes it difficult at this time to determine capability or intent. Nevertheless, “their explicit pro-Iran messaging and targeting of a major US public transit authority is broadly consistent with Iranian-aligned actors’ known pattern of targeting US critical infrastructure” and the group’s use of escalatory language might suggest further activity. 

This is not the only cyber incident Los Angeles has experienced in recent weeks. In March, the LAPD was hacked, exposing sensitive records.