State‑Backed Iranian Group Ababil of Minab Wipes Terabytes from LA Metro and Other Transit Systems
What Happened – In March 2026 the Iranian‑linked “Ababil of Minab” group infiltrated the Los Angeles County Metropolitan Transportation Authority (LA Metro), deleted hundreds of terabytes of data and exfiltrated over a terabyte of files. The same destructive campaign hit South Florida’s Regional Transportation Authority, Saudi‑based maintenance firm UNIMAC, and GPS‑tracking provider Vyncs.
Why It Matters for TPRM –
- State‑sponsored actors are targeting critical public‑transport infrastructure, raising supply‑chain risk for any third‑party services that host or manage transit data.
- The attack leveraged stolen administrative credentials to gain privileged access to virtual‑infrastructure management consoles, demonstrating the danger of weak IAM controls.
- Data destruction and theft can lead to regulatory penalties, loss of public trust, and prolonged service disruption for downstream partners.
Who Is Affected – Public‑transport operators, cloud‑hosting providers for transit systems, SaaS GPS‑tracking services, and any vendors integrated with transportation‑management platforms.
Recommended Actions –
- Verify that all transit‑related vendors enforce MFA, least‑privilege access, and regular credential rotation.
- Conduct a forensic review of any virtual‑infrastructure (vCenter, hypervisors) used by your vendors for signs of unauthorized access or deletion.
- Update incident‑response playbooks to include destructive‑action detection (e.g., bulk VM power‑off/delete events).
Technical Notes – The adversary used two modes: (1) scripted automation that iterated over an inventory of VMs and issued Power Off → Delete‑From‑Disk commands via compromised vCenter credentials; (2) manual “point‑and‑click” deletions inside Windows Disk Management. At Vyncs, a custom Python script dropped every user database on 58 SQL Server instances before deleting OS files. No public CVE was cited; the vector was credential compromise and abuse of legitimate admin tools. Source: SecurityAffairs