Pro-Iranian Threat Actor Claims Responsibility for Cyber Attack on Los Angeles County Metropolitan Transportation Authority

Written by David C. Lester, Editor-in-Chief

LOS ANGELES –– A pro-Iranian threat actor called Ababil of Minab claims responsibility for a recent cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA).

The publication Industrial Cyber reported this week that the group Ababil of Minab, a pro-Iranian threat actor, has claimed responsibility for a recent cyber attack on the Los Angeles County Metropolitan Transportation Authority (LACMTA), specifically involving “[alleged] access to critical systems, including virtualization infrastructure, web servers, and an operational rail yard management system.”

According to Industrial Cyber, the firm Dataminr, which researched the incident, said “what can be cautiously observed from available evidence is that their explicit pro-Iran messaging and targeting of a major US public transit authority is broadly consistent with Iranian-aligned actors’ known pattern of targeting US critical infrastructure. The group’s escalatory language (‘our forthcoming actions will exact sterner pain’) may indicate further activity, though this should be treated as unverified rhetoric until corroborated by additional intelligence.”


In addition to the Industrial Cyber report, the incident has been reported by the Los Angeles Times and independently verified by Railway Track and Structures.

The Times reported that LACMTA detected hacking activity in March and then shut down parts of its system. The newspaper also reported that LACMTA said, “On Monday, March 16, Metro proactively limited employee access to many internal administrative computer systems after the agency’s security team discovered unauthorized activity. Throughout this time Metro’s essential rail and bus service has continued to run uninterrupted, as have our vital transit safety and security systems.”

Fernando Dutra, a Metro board member, said LACMTA had gone through a “painstaking process” to restore access and, according to Times reporting in early April, the work to restore the systems was not yet complete; part of this work is reviewing 1,400 servers to make sure they are secure.

Industrial Cyber also reported that “The most operationally sensitive system visible in the published evidence appears to be a rail yard management and train control display system, showing real-time rail car positions, track occupancy, car availability, and out-of-service counts for one of LACMTA’s division yards. This represents an operational technology environment, where unauthorized access could carry significant safety implications and may trigger critical infrastructure reporting requirements to agencies, the Cybersecurity and Infrastructure Security Agency (CISA), and the Transportation Security Administration (TSA).”

Railway Track and Structures will continue to follow and report on this story as events warrant.

 

