Iranian hackers responsible for LA transit system breach, Israeli researchers say
It is being reported that Iranian hackers were responsible for a disruptive computer breach in March that forced Los Angeles’ transit system to shut down parts of its network.
More details can be found here: https://gambit.security/blog-posts/babil-of-minab-iran-mois-destruction-campaign
Commenting on this news is Ensar Seker, CISO at SOCRadar:
“This incident reflects a broader shift we are seeing in Iranian cyber operations: the growing willingness to combine espionage, disruption, and psychological impact in a single campaign. Transportation systems are particularly attractive targets because even limited operational disruption can generate immediate public visibility, media attention, and pressure on local governments. In this case, the theft of hundreds of gigabytes of internal data alongside network disruption suggests the attackers were not simply conducting intelligence collection, but also positioning themselves for coercive influence and operational impact.
What is especially concerning is the targeting profile. Public transit environments are highly interconnected ecosystems that depend on legacy infrastructure, third-party vendors, operational technology, and real-time communications systems. That creates multiple attack paths for adversaries linked to state-sponsored ecosystems such as Iran’s MOIS-affiliated actors. Even if attackers do not directly impact train operations or safety systems, disruption to scheduling, internal communications, identity systems, or maintenance platforms can still create significant operational paralysis.
Organizations should also pay attention to the data exposure aspect of this incident. The theft of backups, emails, and internal documentation can create long-term downstream risks including follow-on phishing campaigns, extortion attempts, infrastructure mapping, and targeting of employees or contractors. Many organizations still treat operational disruption and data theft as separate problems, but modern state-aligned actors increasingly combine both into multi-stage campaigns.
This attack also reinforces an important geopolitical reality: regional conflicts increasingly spill into civilian digital infrastructure outside the immediate conflict zone. Transportation, healthcare, energy, and municipal services are becoming symbolic and strategic targets for adversaries seeking asymmetric pressure without crossing traditional military thresholds.”
The attackers' ability to set up shop and conduct activities over weeks and months isn't good. It should be one more thing organizations watch out for when conducting counter-surveillance.
This entry was posted on May 27, 2026 at 8:21 am and is filed under Commentary with tags Hacked.