HomeIntelligenceBrief
BREACH BRIEF🔴 Critical Breach

Iran‑Linked Ababil of Minab Wipes Terabytes from LA Metro and Other Transit Systems in State‑Sponsored Attack

In March 2026, the Iranian‑affiliated group Ababil of Minab breached LA Metro’s virtual infrastructure, erased hundreds of terabytes of data and stole over a terabyte of files. The campaign also hit South Florida’s transit authority, a Saudi maintenance firm, and GPS‑tracking service Vyncs, highlighting a new supply‑chain threat to transportation‑related vendors.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

State‑Backed Iranian Group Ababil of Minab Wipes Terabytes from LA Metro and Other Transit Systems

What Happened – In March 2026 the Iranian‑linked “Ababil of Minab” group infiltrated the Los Angeles County Metropolitan Transportation Authority (LA Metro), deleted hundreds of terabytes of data and exfiltrated over a terabyte of files. The same destructive campaign hit South Florida’s Regional Transportation Authority, Saudi‑based maintenance firm UNIMAC, and GPS‑tracking provider Vyncs.

Why It Matters for TPRM

  • State‑sponsored actors are targeting critical public‑transport infrastructure, raising supply‑chain risk for any third‑party services that host or manage transit data.
  • The attack leveraged stolen administrative credentials to gain privileged access to virtual‑infrastructure management consoles, demonstrating the danger of weak IAM controls.
  • Data destruction and theft can lead to regulatory penalties, loss of public trust, and prolonged service disruption for downstream partners.

Who Is Affected – Public‑transport operators, cloud‑hosting providers for transit systems, SaaS GPS‑tracking services, and any vendors integrated with transportation‑management platforms.

Recommended Actions

  • Verify that all transit‑related vendors enforce MFA, least‑privilege access, and regular credential rotation.
  • Conduct a forensic review of any virtual‑infrastructure (vCenter, hypervisors) used by your vendors for signs of unauthorized access or deletion.
  • Update incident‑response playbooks to include destructive‑action detection (e.g., bulk VM power‑off/delete events).

Technical Notes – The adversary used two modes: (1) scripted automation that iterated over an inventory of VMs and issued Power Off → Delete‑From‑Disk commands via compromised vCenter credentials; (2) manual “point‑and‑click” deletions inside Windows Disk Management. At Vyncs, a custom Python script dropped every user database on 58 SQL Server instances before deleting OS files. No public CVE was cited; the vector was credential compromise and abuse of legitimate admin tools. Source: SecurityAffairs

📰 Original Source
https://securityaffairs.com/192764/hacktivism/the-la-metro-attack-wasnt-hacktivism-it-was-a-state-operation-with-a-costume-on.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →