HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Iran‑Backed MOIS Hack Destroys LA Transit Data and Exfiltrates Records

Iranian intelligence‑linked hackers breached the Los Angeles County Metropolitan Transportation Authority, stole operational data and wiped critical databases and backups, highlighting supply‑chain risk for public‑infrastructure vendors.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
therecord.media

Iranian MOIS‑Backed Hack Destroys LA Transit Data and Exfiltrates Records

What Happened — Iranian state‑linked group “Ababil of Minab” breached the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March, exfiltrated operational data and deliberately wiped databases, virtual machines and backup volumes. The campaign also targeted organizations in Israel, Turkey, Saudi Arabia and the media sector.

Why It Matters for TPRM

  • State‑sponsored actors can compromise critical public‑infrastructure vendors, creating supply‑chain risk for downstream services.
  • Destructive “wiper” techniques erase backups, undermining business‑continuity assumptions.
  • Attribution to a foreign intelligence service raises geopolitical risk for any organization that relies on the transit authority’s APIs or data feeds.

Who Is Affected — Public transportation agencies, municipal IT service providers, SaaS platforms that integrate transit data, and any downstream partners that depend on LACMTA systems.

Recommended Actions

  • Review contracts and security clauses with LACMTA and any third‑party providers that ingest its data.
  • Verify that backup and recovery processes are isolated from primary production environments.
  • Conduct threat‑intel monitoring for MOIS‑linked tooling and indicators of compromise (IOCs).
  • Update incident‑response playbooks to include destructive “wiper” techniques.

Technical Notes — Attack leveraged custom exfiltration tools, automated scripts to delete storage volumes, and manual “hands‑on‑keyboard” commands to destroy virtualization layers. No specific CVE was cited; the vector appears to be a combination of credential compromise and malware deployment. Source: The Record

📰 Original Source
https://therecord.media/iranian-intelligence-behind-hack-of-la-transit-system

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →