May 26 (Reuters) – Iranian hackers were responsible for a disruptive computer breach in March that forced Los Angeles’ transit system to shut down parts of its network, Israeli researchers say.
The saboteurs stole at least 700 gigabytes of emails, backups, and other files from the Los Angeles County Metropolitan Transportation Authority (LACMTA), according to Gambit Security, a Tel Aviv-based cybersecurity firm that said it discovered the misappropriated data after it was inadvertently exposed online.
In a report published on Tuesday, the company said a digital trail of evidence tied the server where the data was discovered to a previously known hacking operation that Israeli officials and researchers attributed to Tehran.
Iran’s mission to the United Nations did not return messages seeking comment. Israel’s National Cyber Directorate did not return messages.
The Los Angeles transit authority didn’t respond to questions about the findings. In a statement shared last month, its officials said they were working with law enforcement and cyber specialists as they brought their systems back online. “Attribution is part of the investigation and we will not speculate,” the statement said.
Digital security specialists have suspected an Iranian hand in the operation against the LACMTA ever since responsibility was claimed by an obscure pro-Iran outfit calling itself Ababil of Minab. The group’s name refers to the bombing of a girls’ school in the Iranian city of Minab that officials there say killed more than 175 children and teachers, and its rhetoric and modus operandi are characteristic of self-styled vigilante hacker groups that U.S. and Israeli researchers allege are cut-outs for Iranian spies.
Eyal Sela, Gambit’s director of threat intelligence, said a connection between Ababil and the Iranian state “has been a working assumption.”
“What our research adds is the forensic evidence to support it,” he said.
Gambit, a security startup founded in part by veterans of Unit 8200, Israel’s equivalent of the U.S. National Security Agency, said it had alerted relevant authorities to its findings.
Ababil did not return messages left via a form on its website. The FBI said it was aware of the LACMTA incident and was “coordinating with partners in response.” The FBI declined further comment. The U.S. civilian cyber defense body, the Cybersecurity and Infrastructure Security Agency, did not return messages seeking comment.
IRANIAN HACKERS ALLEGEDLY ACTIVE SINCE START OF WAR
The intrusion at LACMTA was detected around March 16, its officials said in their statement. About two weeks later, Ababil materialized online and claimed to have wiped an enormous amount of data in a destructive cyberattack, publishing a video that purported to show them rampaging through the transit system’s network.
Although Los Angeles transit officials said the breach did not interrupt the running of trains or buses, local media said it disabled at least some arrival screens and prevented customers from loading money onto their transit cards.
Ababil also has claimed credit for hacks affecting South Florida’s Tri-Rail commuter transit system, vehicle tracking company Vyncs, and Saudi infrastructure firm Unimac.
In a statement, Tri-Rail confirmed it had been hacked “about a month ago,” but said that none of the affected data was critical. Vyncs owner Agnik said it had detected its breach on April 2 but declined to comment on the nature of the data stolen by the hackers. Both Tri-Rail and Agnik said the FBI was involved, with Agnik saying in an email that the bureau “has a pretty good understanding of who these criminals are.” Unimac did not return messages seeking comment.
The group behind Ababil has hacked other organizations whose identity it has not publicized, Gambit Security said, citing its analysis of other data left online by the spies. Sela said they included a media organization and educational institution in Israel and an insurance brokerage in Turkey, but he declined to identify them further.
Iranian hackers allegedly have carried out a drumbeat of digital operations since the U.S. and Israel launched a war against Iran in late February, including a damaging attack on the medical device company Stryker and the leak of personal emails belonging to FBI Director Kash Patel. Iranian hackers also are suspected of having remotely tampered with fuel gauges at gas stations, CNN reported earlier this month.
(Reporting by Raphael Satter in Washington and AJ Vicens in Detroit; Additional reporting by Jana Winter in Washington; Editing by Paul Simao)
