{
	"id": "725ead91-57f4-4af6-a76d-78c18205f47a",
	"created_at": "2026-04-17T02:21:06.265251Z",
	"updated_at": "2026-04-18T02:21:24.86359Z",
	"deleted_at": null,
	"sha1_hash": "91ffa15c02bcd1a48bfc558af421c0203b6fd772",
	"title": "Cyber Intel Brief: Pro-Iran Actor Claims Cyberattack on LA Metro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 515473,
	"plain_text": "Cyber Intel Brief: Pro-Iran Actor Claims Cyberattack on LA\r\nMetro\r\nBy Author Tim Miller, Field CTO for Public Sector April 13, 2026\r\nArchived: 2026-04-17 02:01:19 UTC\r\nCybersecurity, Public sector, Artificial Intelligence\r\nKey Takeaways\r\nOT System Access Claimed: Screenshots published by the group appear to show access to a real-time rail\r\nyard management and train control display system (Division 11), representing a potentially serious\r\noperational technology (OT) intrusion with safety implications beyond a standard IT breach.\r\nBroad IT Compromise Alleged: The group claims administrative access to LACMTA’s VMware vCenter\r\nenvironment — managing approximately 1,421 VMs across 28 physical hosts — as well as IIS web servers\r\nhosting dozens of internal and public-facing LACMTA properties.\r\nSignificant Data Impact Claimed: The group alleges 500 TB of data was wiped and 1 TB of sensitive\r\nuser data was exfiltrated, though these claims have not been independently verified.\r\nEscalatory Rhetoric: Ababil of Minab has stated this incident is “only the beginning,” explicitly\r\nthreatening further, more severe actions against LACMTA or related targets.\r\nIncident Overview\r\nOn April 9, 2026, the pro-Iranian hacking group Ababil of Minab claimed responsibility for a cyberattack\r\ntargeting the Los Angeles County Metropolitan Transportation Authority (LACMTA). The group published claims\r\nvia their Telegram channel (t[.]me/ababilofminab/7) and their threat actor website (ababilofminab[.]io/metro-net-is-hacked/), including a video and multiple screenshots purporting to demonstrate access to live LACMTA internal\r\nsystems. The group’s website displays explicitly pro-Iranian messaging. LACMTA has not publicly confirmed or\r\ndenied the breach at time of writing.\r\nA note on screenshot credibility: All published screenshots contain an “Activate Windows” watermark in the\r\nbottom-right corner of the display. 
This watermark appears on Windows installations that have not been activated\r\nwith a valid license. In a properly managed enterprise environment — such as a large public agency like\r\nLACMTA — endpoints are typically activated automatically and silently through volume licensing via a Key\r\nManagement Service (KMS) server, meaning legitimate LACMTA workstations would not display this watermark\r\nunder normal circumstances. Its presence across all screenshots suggests they were likely captured from an\r\nattacker-controlled virtual machine, a pivot host, or a jump server rather than from a native LACMTA endpoint.\r\nWhile this does not invalidate the access claims — attackers routinely use unactivated VMs as operational\r\ninfrastructure to remotely view and interact with compromised systems — it is a meaningful forensic indicator\r\nthat should inform any verification effort by LACMTA’s internal security team.\r\nhttps://www.dataminr.com/resources/intel-brief/pro-iran-actor-ababil-of-minab-claims-cyberattack-on-la-metro/\r\nPage 1 of 6\n\nDataminr Alert\r\nDataminr alert regarding the attack enhanced with a Live Brief summary\r\nTechnical Details\r\nThree distinct system categories appear represented in the group’s published evidence:\r\n1. VMware vCenter Server: Administrative access to LACMTA’s core virtualization management platform,\r\nencompassing approximately 1,421 virtual machines, 28 physical hosts, ~430 GHz CPU, 7.79 TB RAM, and 45\r\nTB active storage. Active system alarms were visible, indicating the environment was live at the time of capture.\r\nCompromise at this level could enable mass VM disruption, ransomware deployment, or persistent backdoor\r\ninstallation across LACMTA’s server estate.\r\nSample of a screenshot from Ababil of Minab after targeting LA Metro. 
Source: Dataminr\r\nSample of a screenshot shared from Ababil of Minab after targeting LA Metro. Source: Dataminr\r\n2. Microsoft IIS Web Server: Administrator-level access to an IIS instance hosting numerous internal and public-facing web properties including boardclerk.metro.net, sso.metro.net, registration.metro.net, and jobs.metro.net.\r\nThis access level could enable web defacement, credential interception via the SSO portal, and lateral movement\r\ninto backend application infrastructure.\r\nSample of a screenshot shared from Ababil of Minab after targeting LA Metro. Source: Dataminr\r\n3. Rail Yard Management / Train Control Display System: The most operationally sensitive system visible in\r\npublished evidence. The system appears to display real-time rail car positions, track occupancy, car availability,\r\nand out-of-service counts for one of LACMTA’s division yards. This is an Operational Technology (OT) system.\r\nUnauthorized access to OT systems of this nature carries potential safety implications and may be subject to TSA\r\nand CISA critical infrastructure reporting requirements.\r\nSample of a screenshot shared from Ababil of Minab after targeting LA Metro. Source: Dataminr\r\nThreat Actor \u0026 Motivation\r\nAbabil of Minab’s own description of their mission and motivation. Source: Dataminr\r\nAbabil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior\r\nactivity in threat intelligence reporting — making any definitive capability or intent assessment premature at this\r\nstage. 
Despite this low prior visibility, Dataminr’s real-time monitoring surfaced the group’s claims at the point of\r\ninitial publication, providing early warning ahead of traditional intelligence channels.\r\nWhat can be cautiously observed from available evidence is that their explicit pro-Iran messaging and targeting of\r\na major US public transit authority is broadly consistent with Iranian-aligned actors’ known pattern of targeting\r\nUS critical infrastructure. The group’s escalatory language (“our forthcoming actions will exact sterner pain”) may\r\nindicate further activity, though this should be treated as unverified rhetoric until corroborated by additional\r\nintelligence.\r\nImmediate Actions \u0026 Recommendations\r\nIsolate and Audit vCenter Environment: Immediately audit VMware vCenter for unauthorized admin\r\naccounts, recent configuration changes, snapshot creation, or VM deletions. Review vCenter audit logs for\r\nsessions originating from unexpected IP ranges.\r\nOT Network Segmentation — Urgent: Verify that the Division 11 rail yard management and train control\r\ndisplay systems are fully isolated from internet-facing IT networks. If any IT-to-OT pathway exists,\r\nimplement emergency segmentation controls and notify relevant operations and safety teams immediately.\r\nIIS Web Server Audit: Review IIS server logs for unauthorized file modifications, web shell uploads, or\r\nconfiguration changes. Pay particular attention to the SSO portal for evidence of credential harvesting.\r\nCredential Reset: Force password resets for all privileged accounts across vCenter, IIS administration, and\r\nany systems visible in the published screenshots. 
Prioritize service accounts with broad environment\r\naccess.\r\nRegulatory Notification: Assess reporting obligations to CISA, TSA Surface Division, and relevant\r\nCalifornia state authorities given the potential OT and critical infrastructure dimension of this incident.\r\nMonitor Threat Actor Channels: Continue monitoring Ababil of Minab’s Telegram channel and website\r\nfor additional published evidence, new target announcements, or escalating claims.\r\nBlock Known IOCs: Block network traffic to and from ababilofminab[.]io and monitor for DNS lookups\r\nto this domain from within the LACMTA environment.\r\nSource: https://www.dataminr.com/resources/intel-brief/pro-iran-actor-ababil-of-minab-claims-cyberattack-on-la-metro/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.dataminr.com/resources/intel-brief/pro-iran-actor-ababil-of-minab-claims-cyberattack-on-la-metro/"
	],
	"report_names": [
		"pro-iran-actor-ababil-of-minab-claims-cyberattack-on-la-metro"
	],
	"threat_actors": [
		{
			"id": "ab93df0a-80ca-47c5-8314-10f35d4e343b",
			"created_at": "2026-04-17T02:00:03.799883Z",
			"updated_at": "2026-04-18T02:00:04.269308Z",
			"deleted_at": null,
			"main_name": "Ababil of Minab",
			"aliases": [],
			"source_name": "MISPGALAXY:Ababil of Minab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776392466,
	"ts_updated_at": 1776478884,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91ffa15c02bcd1a48bfc558af421c0203b6fd772.pdf",
		"text": "https://archive.orkl.eu/91ffa15c02bcd1a48bfc558af421c0203b6fd772.txt",
		"img": "https://archive.orkl.eu/91ffa15c02bcd1a48bfc558af421c0203b6fd772.jpg"
	}
}