In March, hackers associated with Iran accessed the control display of Los Angeles Metro's rail yard, according to a report by an Israeli company.

      Iranian hackers were responsible for the cyber-attack that took parts of the Los Angeles County Metropolitan Transportation Authority (LACMTA) offline in March, according to research released on Tuesday by Gambit Security, a cybersecurity firm based in Tel Aviv. They claim to have traced 700 gigabytes of stolen emails, backups, and other data back to a server associated with a previously identified Iranian campaign. The firm reported discovering the data after it was accidentally left unprotected on a publicly accessible server. Analysts at Gambit followed configuration fingerprints back to an operation that both Israeli officials and independent researchers have linked to Tehran.

      The finding indicates that while no specific Iranian government entity was directly involved in executing the commands, the infrastructure utilized in the LACMTA breach is part of a recognized Iranian framework. The intrusion persisted for several days in March before LACMTA’s security team identified unauthorized activity and disconnected segments of its network, although bus and light-rail services continued to operate.

      A group named Ababil of Minab claimed responsibility in early April by sharing Telegram screenshots that allegedly demonstrated access to virtualization infrastructure, web servers, and, more alarmingly, a rail yard management and train control display known internally as Division 11. The group claimed to have erased 500 terabytes of data and exfiltrated an additional terabyte. LACMTA confirmed that the attackers had partial access but did not verify the amounts claimed.

      Ababil of Minab derived its name from the bombing of a girls’ school in the Iranian city of Minab. Researchers from the US and Israel have characterized the group as a self-styled vigilante that often acts as a proxy for Iranian state actors, possessing a limited public history and rhetoric aligning with Tehran’s narratives. The attribution by Gambit bridges some gaps in this narrative: a hacktivist group taking responsibility on one side and a known Iranian server holding the stolen data on the other.

      The attack on Los Angeles reflects a wider trend, as pro-Iranian entities have notably increased their intrusions into US critical infrastructure over the past year. Documented breaches have included municipal water-treatment facilities, gas-station tank gauge systems, and now, public transit. The Foundation for Defense of Democracies noted in a paper from May 20 that vulnerabilities in industrial control systems and weak authentication across local government infrastructure in the US have made these attacks significantly easier than they would have been ten years ago.

      However, the evidence so far suggests that Iranian campaigns of this nature have not yet demonstrated the capability to disrupt physical services at the train control or grid control levels. Although the LACMTA breach accessed a real-time rail yard display, it did not, to current knowledge, manipulate it. Most activities attributed to pro-Iran groups in this area have resulted in data theft and public shaming through screenshots rather than outright sabotage. The boundary between these outcomes is partially maintained by effective operational technology segmentation and political constraints. Security researchers have argued throughout 2026 that both of these defenses are weaker than they ought to be.

      LACMTA declined to comment on Gambit's findings on Tuesday; in April it had said that its forensic review was still in progress. The FBI and the Cybersecurity and Infrastructure Security Agency have not publicly assigned responsibility for the attack.
