Iranian MOIS‑Backed Hack Destroys LA Transit Data and Exfiltrates Records
What Happened — Iranian state‑linked group “Ababil of Minab” breached the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March, exfiltrated operational data and deliberately wiped databases, virtual machines and backup volumes. The campaign also targeted organizations in Israel, Turkey, Saudi Arabia and the media sector.
Why It Matters for TPRM —
- State‑sponsored actors can compromise critical public‑infrastructure vendors, creating supply‑chain risk for downstream services.
- Destructive “wiper” techniques erase backups, undermining business‑continuity assumptions.
- Attribution to a foreign intelligence service raises geopolitical risk for any organization that relies on the transit authority’s APIs or data feeds.
Who Is Affected — Public transportation agencies, municipal IT service providers, SaaS platforms that integrate transit data, and any downstream partners that depend on LACMTA systems.
Recommended Actions —
- Review contracts and security clauses with LACMTA and any third‑party providers that ingest its data.
- Verify that backup and recovery processes are isolated from primary production environments.
- Conduct threat‑intel monitoring for MOIS‑linked tooling and indicators of compromise (IOCs).
- Update incident‑response playbooks to include destructive “wiper” techniques.
Technical Notes — Attack leveraged custom exfiltration tools, automated scripts to delete storage volumes, and manual “hands‑on‑keyboard” commands to destroy virtualization layers. No specific CVE was cited; the vector appears to be a combination of credential compromise and malware deployment. Source: The Record