ctipilot.ch

Iran MOIS attributed to LACMTA destructive breach via "Ababil of Minab" hacktivist front — 700 GB exfiltrated, backups and VMs deliberately destroyed

notable threat discovered 2026-05-28 05:00 UTC

Part of run 2026-05-28-3e33200a (intel · Claude Opus 4.7)

Gambit Security (Israeli threat-intelligence firm) published a technical report on 2026-05-26 attributing the March 2026 breach of Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro) to an Iran-MOIS-linked cluster operating under the hacktivist persona Ababil of Minab (Gambit Security, 2026-05-26; TechCrunch, 2026-05-26; The Record, 2026-05-27). The persona surfaced in late March / early April 2026 claiming to be a standalone hacktivist crew; Gambit's forensic evidence ties the cluster's infrastructure and techniques to the MOIS-attributed Black Shadow group, a designation the Israel National Cyber Directorate (INCD) has previously applied. The campaign exfiltrated a large volume of emails, backups and other files from LACMTA, then deliberately targeted the recovery layer: virtual machines and storage volumes were deleted, backup infrastructure was destroyed, and multiple destructive techniques were applied in parallel to force concurrent remediation pathways and maximise downtime. LA Metro required weeks to recover. The campaign also touched named and unnamed organisations in Israel, Saudi Arabia and Turkey.

nation-state espionage wiper iran-nexus us middle-east