Pro-Iranian Group Claims Cyberattack on L.A. Metro, Raises Concerns About Rail Control System Exposure



What happened

A pro-Iranian threat actor calling itself Ababil of Minab claimed responsibility for a cyberattack targeting the Los Angeles County Metropolitan Transportation Authority. The group said it had gained access to multiple internal systems, including virtualization infrastructure, web servers, and a rail yard management system, and published screenshots and video through its Telegram channel and website to support the claim. It also alleged that it wiped 500 terabytes of data and exfiltrated 1 terabyte of sensitive information. The published material appeared to show access to real-time rail yard management and train control displays, along with a VMware vCenter environment and IIS web servers. At the time of reporting, LACMTA had not confirmed the breach, and the full extent of the intrusion remained unverified. 

Who is affected

The direct exposure appears to center on LACMTA and systems tied to its virtualization environment, web infrastructure, and rail yard operations. The most operationally sensitive material published by the group appeared to involve a rail yard management and train control display system showing track occupancy, rail car positions, availability, and out-of-service counts. 

Why CISOs should care

This incident matters because the claimed access goes beyond conventional IT systems and appears to reach operational technology tied to rail operations. If confirmed, compromise at the virtualization layer could create broad disruption across server infrastructure, while exposure of rail yard management and train control systems would raise more serious operational and safety concerns. The case also highlights how attacker claims involving critical infrastructure can create immediate pressure even before the full scope is verified. 

3 practical actions

  1. Audit virtualization access: Review VMware vCenter environments for unauthorized administrator accounts, recent configuration changes, snapshot activity, unusual sessions, or signs of virtual machine deletion. 
  2. Verify IT-OT separation: Confirm that rail yard management and train control systems are fully segmented from internet-facing IT networks, and isolate them immediately if any cross-connectivity is found. 
  3. Inspect public-facing web systems: Check IIS servers and single sign-on portals for unauthorized file changes, web shell activity, configuration tampering, and signs of credential interception or lateral movement. 
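The first and third actions above (auditing the vCenter layer for unapproved privilege changes and virtual machine deletion, and inspecting IIS servers for web shell activity) both come down to running a few detection rules over logs. The script below is an added example written for this article, not code from LACMTA, VMware or Microsoft. The event type names mimic vSphere event classes but the records themselves are constructed sample data, and the approved-admin set, admin subnet, known endpoint list and mass-deletion threshold are assumptions a defender would replace with values from their own environment.

```python
"""Triage helpers for the vCenter and IIS checks listed above.

Added example, not part of the original article. Event type names,
allowlists and thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allowlists a defender would populate from their own IAM / CMDB.
APPROVED_ADMINS = {"VSPHERE.LOCAL\\Administrator", "CORP\\vmware-ops"}
ADMIN_NETWORKS = [ip_network("10.10.0.0/16")]
MASS_DELETE_THRESHOLD = 3                 # VM removals by one account...
MASS_DELETE_WINDOW = timedelta(minutes=10)  # ...inside this window


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def triage_vcenter_events(events):
    """Return (rule, user, detail) findings for a list of event dicts.

    Each event has keys time, user, type, target, src_ip. The type names
    resemble vSphere event classes but are treated as constructed input.
    """
    findings = []
    removals = defaultdict(list)
    for ev in events:
        user, etype = ev["user"], ev["type"]
        # Rule 1: a privilege grant performed by an identity not on the admin list.
        if etype in ("PermissionAddedEvent", "RoleAddedEvent") and user not in APPROVED_ADMINS:
            findings.append(("privilege-change-by-unapproved-user", user, ev["target"]))
        # Rule 2: interactive vCenter login from outside the management network.
        if etype == "UserLoginSessionEvent":
            src = ip_address(ev["src_ip"])
            if not any(src in net for net in ADMIN_NETWORKS):
                findings.append(("login-from-unapproved-network", user, ev["src_ip"]))
        # Rule 3: every VM removal is reported; bursts are escalated below.
        if etype == "VmRemovedEvent":
            removals[user].append((_parse(ev["time"]), ev["target"]))
            findings.append(("vm-removed", user, ev["target"]))
    # Rule 4: mass deletion, i.e. N or more removals by one account within the window.
    for user, items in removals.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= MASS_DELETE_WINDOW:
                j += 1
            if j - i + 1 >= MASS_DELETE_THRESHOLD:
                findings.append(("mass-vm-deletion", user, f"{j - i + 1} VMs in {MASS_DELETE_WINDOW}"))
                break
    return findings


# IIS W3C-style fields (constructed subset):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
IIS_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\d+)$")
KNOWN_ENDPOINTS = {"/login.aspx", "/api/status", "/default.aspx"}  # assumed app inventory


def flag_iis_requests(lines):
    """Flag successful POSTs to server-side scripts the application never shipped.

    A web shell dropped into a content directory typically appears as requests
    to a script name absent from the deployment inventory; this is a heuristic.
    """
    flagged = []
    for line in lines:
        if line.startswith("#"):          # W3C header/comment lines
            continue
        m = IIS_LINE.match(line.strip())
        if not m:
            continue
        date, time, _, method, uri, _, _, _, client_ip, _, status = m.groups()
        is_script = uri.lower().endswith((".aspx", ".asp", ".ashx", ".asmx"))
        if method == "POST" and is_script and uri not in KNOWN_ENDPOINTS and status.startswith("2"):
            flagged.append((f"{date} {time}", client_ip, uri))
    return flagged


# Constructed sample data: one suspicious account, one legitimate operator.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T02:00:00", "user": "CORP\\jdoe", "type": "UserLoginSessionEvent", "target": "vcenter01", "src_ip": "203.0.113.45"},
    {"time": "2024-01-01T02:01:00", "user": "CORP\\jdoe", "type": "PermissionAddedEvent", "target": "Datacenter/Admin", "src_ip": "203.0.113.45"},
    {"time": "2024-01-01T02:03:00", "user": "CORP\\jdoe", "type": "VmRemovedEvent", "target": "fileserver01", "src_ip": "203.0.113.45"},
    {"time": "2024-01-01T02:04:00", "user": "CORP\\jdoe", "type": "VmRemovedEvent", "target": "fileserver02", "src_ip": "203.0.113.45"},
    {"time": "2024-01-01T02:05:00", "user": "CORP\\jdoe", "type": "VmRemovedEvent", "target": "backup01", "src_ip": "203.0.113.45"},
    {"time": "2024-01-01T09:00:00", "user": "CORP\\vmware-ops", "type": "UserLoginSessionEvent", "target": "vcenter01", "src_ip": "10.10.5.20"},
    {"time": "2024-01-01T09:30:00", "user": "CORP\\vmware-ops", "type": "VmRemovedEvent", "target": "test-vm", "src_ip": "10.10.5.20"},
]
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2024-01-01 02:10:11 10.0.0.5 POST /login.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2024-01-01 02:11:40 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2024-01-01 02:12:03 10.0.0.5 POST /uploads/img_helper.aspx - 443 - 203.0.113.45 python-requests/2.31 200",
    "2024-01-01 02:12:09 10.0.0.5 POST /uploads/img_helper.aspx - 443 - 203.0.113.45 python-requests/2.31 500",
]

if __name__ == "__main__":
    for finding in triage_vcenter_events(SAMPLE_EVENTS):
        print("vcenter", *finding)
    for finding in flag_iis_requests(SAMPLE_IIS):
        print("iis", *finding)
```

Run against real data, the event list would come from the vCenter event export and the IIS lines from the W3C logs; the value of the mass-deletion rule is that a single `VmRemovedEvent` is routine operator activity, while several by one account in a few minutes from an address outside the management network is the pattern to escalate first.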
