ctipilot.ch

Iran MOIS attributed to LACMTA destructive breach via 'Ababil of Minab' hacktivist front — 700 GB exfiltrated, VMs and backups deliberately destroyed

actor · item:ababil-of-minab-mois-attribution-lacmta-march-2026-700gb-backups-destroyed

Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
Briefs: 1 distinct
Sources cited: 3 hosts
Sections touched: 1 (active_threats)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-28 · CTI Daily Brief — 2026-05-28
     active_threats · First coverage. Gambit Security technical report (2026-05-26) attributes the Ababil of Minab persona to Iran's MOIS (Black Shadow infrastructure overlap; a cluster previously named by INCD). LACMTA March 2026 breach: ~700 GB exfiltrated plus parallel destruction of VMs and backup infrastructure (T1485 extended to hypervisor and backup APIs). Pattern lesson for EU transit and OT/IT estates.

Where this entity is cited

  • active_threats: 1

Source distribution

  • gambit.security: 1 (33%)
  • techcrunch.com: 1 (33%)
  • therecord.media: 1 (33%)

Related entities

Items in briefs about Iran MOIS attributed to LACMTA destructive breach via 'Ababil of Minab' hacktivist front — 700 GB exfiltrated, VMs and backups deliberately destroyed (1)

Iran MOIS attributed to LACMTA destructive breach via "Ababil of Minab" hacktivist front — 700 GB exfiltrated, backups and VMs deliberately destroyed

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Gambit Security (Israeli threat-intelligence firm) published a technical report on 2026-05-26 attributing the March 2026 breach of the Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro) to an Iran-MOIS-linked cluster operating under the hacktivist persona Ababil of Minab (Gambit Security, 2026-05-26; TechCrunch, 2026-05-26; The Record, 2026-05-27). The persona surfaced in late March / early April 2026 claiming to be a standalone hacktivist crew; Gambit's forensic evidence ties the cluster's infrastructure and techniques to Black Shadow, a group the Israel National Cyber Directorate (INCD) has previously attributed to MOIS. The campaign exfiltrated a large volume of emails, backups and other files from LACMTA (roughly 700 GB), then deliberately targeted the recovery layer: virtual machines and storage volumes were deleted, backup infrastructure was destroyed, and several destructive techniques were applied in parallel so that remediation had to proceed along multiple pathways at once, maximising downtime. LA Metro needed weeks to recover. The campaign also hit organisations, some named in the report and some not, in Israel, Saudi Arabia and Turkey.

Defender takeaway: the destruction-of-recovery TTP is the signal here, not the persona. Operators are now explicitly designing kill chains in which the backup and hypervisor planes are first-class targets: T1485 Data Destruction extended to VM-lifecycle and backup-job APIs rather than file-level deletion. Swiss public-transport operators (SBB, PostBus, cantonal networks) and EU equivalents running large hypervisor estates with shared admin trust into backup orchestration should treat the recovery plane as part of the protected estate, not as an out-of-band restore mechanism: a separate identity boundary, MFA on backup-job execution, and a tested air-gapped restore path that does not depend on the same identity provider as the production estate. The test of that separation is simple: if one identity can both delete a VM and cancel or purge its backup, the recovery plane is not separated.

Hunt for: hypervisor-level mass VM lifecycle events (power-off-all, delete-all) outside an approved change window; backup-job cancellation, backup repository deletion or backup-system event-log purge by unexpected service accounts; and the same principal acting destructively in both planes within a short interval, since a single-plane event is often noise but a correlated one is the pattern described above.
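The hunt above, written out as runnable detection logic. This is an added example, not code from Gambit Security, LACMTA or any backup or hypervisor vendor. The JSONL event schema (`ts`, `source`, `principal`, `action`, `target`), the action names, the mass threshold, the ten-minute window, the Saturday 22:00-23:59 UTC change window and the approved-principal list are all assumptions; map them onto your hypervisor's task/event log and your backup product's audit log. The sample events are constructed, not real telemetry.

```python
"""Recovery-plane hunt over hypervisor and backup audit events (added example).

Schema, action names, thresholds, change window and approved principals are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# --- assumed policy (tune per estate) ----------------------------------------
DESTRUCTIVE_VM_ACTIONS = {"vm.poweroff", "vm.delete", "vm.snapshot.delete", "datastore.volume.delete"}
BACKUP_TAMPER_ACTIONS = {"backup.job.cancel", "backup.repo.delete", "backup.eventlog.purge"}
MASS_THRESHOLD = 5                   # distinct targets touched by one principal inside WINDOW
WINDOW = timedelta(minutes=10)
CHANGE_WINDOW_WEEKDAY = 5            # Saturday (Monday == 0)
CHANGE_WINDOW_HOURS = range(22, 24)  # 22:00-23:59 UTC on that weekday is approved
APPROVED_BACKUP_PRINCIPALS = {"svc-backup-orch"}

# Constructed sample events: a benign Saturday-night power-off run inside the change window,
# then a Tuesday 02:00 sequence where one contractor admin cancels backups, deletes the repo,
# purges the backup event log and mass-deletes VMs plus a volume.
SAMPLE_EVENTS = """
{"ts":"2026-03-14T22:05:00Z","source":"hypervisor","principal":"svc-vmops","action":"vm.poweroff","target":"web-01"}
{"ts":"2026-03-14T22:06:00Z","source":"hypervisor","principal":"svc-vmops","action":"vm.poweroff","target":"web-02"}
{"ts":"2026-03-14T22:07:00Z","source":"hypervisor","principal":"svc-vmops","action":"vm.poweroff","target":"web-03"}
{"ts":"2026-03-14T22:08:00Z","source":"hypervisor","principal":"svc-vmops","action":"vm.poweroff","target":"web-04"}
{"ts":"2026-03-14T22:09:00Z","source":"hypervisor","principal":"svc-vmops","action":"vm.poweroff","target":"web-05"}
{"ts":"2026-03-17T02:01:10Z","source":"backup","principal":"adm-contractor","action":"backup.job.cancel","target":"nightly-full"}
{"ts":"2026-03-17T02:02:30Z","source":"backup","principal":"adm-contractor","action":"backup.repo.delete","target":"repo-primary"}
{"ts":"2026-03-17T02:03:05Z","source":"backup","principal":"adm-contractor","action":"backup.eventlog.purge","target":"backup-server-01"}
{"ts":"2026-03-17T02:04:00Z","source":"hypervisor","principal":"adm-contractor","action":"vm.delete","target":"db-01"}
{"ts":"2026-03-17T02:04:20Z","source":"hypervisor","principal":"adm-contractor","action":"vm.delete","target":"db-02"}
{"ts":"2026-03-17T02:04:40Z","source":"hypervisor","principal":"adm-contractor","action":"vm.delete","target":"app-01"}
{"ts":"2026-03-17T02:05:00Z","source":"hypervisor","principal":"adm-contractor","action":"vm.delete","target":"app-02"}
{"ts":"2026-03-17T02:05:20Z","source":"hypervisor","principal":"adm-contractor","action":"vm.delete","target":"app-03"}
{"ts":"2026-03-17T02:05:40Z","source":"hypervisor","principal":"adm-contractor","action":"datastore.volume.delete","target":"vol-prod-01"}
{"ts":"2026-03-18T09:00:00Z","source":"backup","principal":"svc-backup-orch","action":"backup.job.cancel","target":"nightly-full"}
"""


def parse_events(text):
    """Parse JSONL, normalise timestamps to aware UTC datetimes, return in time order."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def in_change_window(ts):
    return ts.weekday() == CHANGE_WINDOW_WEEKDAY and ts.hour in CHANGE_WINDOW_HOURS


def hunt_mass_vm_lifecycle(events):
    """One finding per principal whose destructive hypervisor actions hit >= MASS_THRESHOLD
    distinct targets inside WINDOW, unless every event in that burst sits in a change window.
    Distinct targets (not event count) stop poweroff+delete of one VM from double-counting."""
    findings = []
    by_principal = defaultdict(list)
    for ev in events:
        if ev["source"] == "hypervisor" and ev["action"] in DESTRUCTIVE_VM_ACTIONS:
            by_principal[ev["principal"]].append(ev)
    for principal, evs in by_principal.items():
        start = 0
        for end in range(len(evs)):                       # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            burst = evs[start:end + 1]
            targets = sorted({e["target"] for e in burst})
            if len(targets) >= MASS_THRESHOLD and not all(in_change_window(e["ts"]) for e in burst):
                findings.append({"rule": "mass-vm-lifecycle", "principal": principal,
                                 "first_ts": burst[0]["ts"].isoformat(),
                                 "last_ts": burst[-1]["ts"].isoformat(), "targets": targets})
                break                                     # report the first qualifying burst only
    return findings


def hunt_backup_tampering(events):
    """Any backup-plane cancel/delete/purge by a principal outside the approved orchestrator set."""
    return [{"rule": "backup-plane-tamper", "principal": ev["principal"], "action": ev["action"],
             "target": ev["target"], "ts": ev["ts"].isoformat()}
            for ev in events
            if ev["source"] == "backup" and ev["action"] in BACKUP_TAMPER_ACTIONS
            and ev["principal"] not in APPROVED_BACKUP_PRINCIPALS]


def run_hunt(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return hunt_mass_vm_lifecycle(events) + hunt_backup_tampering(events)


def correlate_planes(findings):
    """Principals that fired both rules: backup plane and hypervisor plane hit together."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["principal"]].add(f["rule"])
    return {p for p, r in rules.items() if {"mass-vm-lifecycle", "backup-plane-tamper"} <= r}


if __name__ == "__main__":
    found = run_hunt()
    for f in found:
        print(f)
    print("both planes:", sorted(correlate_planes(found)))
```

The benign Saturday run produces nothing because every event falls inside the assumed change window; the Tuesday sequence yields one mass-lifecycle finding and three backup-plane findings, all under the same principal, which `correlate_planes` surfaces as the cross-plane case worth paging on. The approved orchestrator's own job cancellation is filtered by the allowlist; in a real estate that allowlist is the identity boundary the takeaway asks for, and it should be short.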