Dive Brief:
- Iranian government-linked hackers sabotaged the computer infrastructure of Los Angeles’s transit system by using access to a virtual machine to delete critical operating-system data, the Israeli cybersecurity firm Gambit Security said in a report published on Tuesday.
- The same threat actor also conducted data-wiping attacks on the South Florida Regional Transportation Authority, the connected-vehicle technology firm Agnik and a Saudi Arabian construction company that handles critical infrastructure projects, according to the report.
- Gambit dismissed the hackers’ claims of being a new pro-Iranian hacktivist gang, instead attributing their operations to Black Shadow, a group that the Israeli government and private security firms have linked to Iran’s Ministry of Intelligence and Security.
Dive Insight:
The U.S.-Israeli war against Iran has emboldened Tehran’s hackers to pursue cyberattacks against critical infrastructure in the U.S. and other Western countries, leading to a series of breaches at infrastructure operators. That has included water and energy utilities, as federal agencies previously warned, but also transportation systems such as those in Los Angeles and southern Florida.
At Agnik, the Iran-linked hackers used Python scripts to delete operating-system folders, databases and backup files for the company’s Vyncs car GPS tracker service. Agnik shut down the service and worked with the FBI to investigate the intrusion, the company said in a summary of the April 2 attack. Agnik downplayed the hackers’ damage, saying, “Other than some small amount of data for [a] short period of time, we did not permanently lose any significant amount of data.”
The hackers used ChatGPT to improve their Python scripts, according to Gambit’s analysis of a video that the group released. “We assume the actor asked for help filtering out SQL Server system databases from the enumeration so that DROP DATABASE would target only user databases,” the security firm said.
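The behaviour Gambit describes, a database enumeration followed by DROP DATABASE statements that spare only the SQL Server system databases, is unusual enough to be worth alerting on. As an added illustration from the defender's side (example code written for this page, not code from the Gambit report, Agnik or the attackers), the Python script below scans audit-style log lines and raises an alert when one login drops several user databases within a short window. The line format, the sample log, the login names and the database names are all constructed placeholders; a real deployment would feed it records from SQL Server Audit or a SIEM instead.

```python
"""Flag bursts of DROP DATABASE against user databases in SQL Server audit-style logs.

Added example for illustration only; the log format below is a constructed
simplification (ISO timestamp, login, statement), not SQL Server's own audit schema.
"""
import re
from datetime import datetime, timedelta

# SQL Server's built-in system databases. The attack described in the article
# deliberately excluded these, so the detector keys on everything else.
SYSTEM_DBS = {"master", "model", "msdb", "tempdb"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
DROP_RE = re.compile(r"DROP\s+DATABASE\s+\[?([^\]\s;]+)\]?", re.IGNORECASE)

# Constructed sample log: one login drops four user databases in seconds,
# a DBA drops a single scratch database hours later.
SAMPLE_LOG = """\
2026-04-02T03:14:05Z svc_app SELECT name FROM sys.databases
2026-04-02T03:14:06Z svc_app DROP DATABASE [app_orders]
2026-04-02T03:14:07Z svc_app DROP DATABASE [app_users]
2026-04-02T03:14:08Z svc_app DROP DATABASE [reports]
2026-04-02T03:14:09Z svc_app DROP DATABASE [archive_2023]
2026-04-02T09:00:00Z dba_jane DROP DATABASE [scratch_test]
"""


def parse_line(line):
    """Split a log line into (timestamp, login, statement); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def dropped_user_db(statement):
    """Return the name of a dropped non-system database, or None."""
    m = DROP_RE.search(statement)
    if not m:
        return None
    name = m.group(1)
    return None if name.lower() in SYSTEM_DBS else name


def _alert(login, burst):
    return {
        "login": login,
        "start": burst[0][0],
        "end": burst[-1][0],
        "databases": [db for _, db in burst],
    }


def detect_drop_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per login whose DROP DATABASE count reaches `threshold`
    within `window` (measured from the first drop of the burst)."""
    drops = {}  # login -> list of (timestamp, database)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, login, stmt = parsed
        db = dropped_user_db(stmt)
        if db:
            drops.setdefault(login, []).append((ts, db))

    alerts = []
    for login, events in drops.items():
        events.sort()
        burst = []
        for ts, db in events:
            # Close the current burst once this event falls outside the window.
            if burst and ts - burst[0][0] > window:
                if len(burst) >= threshold:
                    alerts.append(_alert(login, burst))
                burst = []
            burst.append((ts, db))
        if len(burst) >= threshold:
            alerts.append(_alert(login, burst))
    return alerts


if __name__ == "__main__":
    for a in detect_drop_bursts(SAMPLE_LOG):
        print(f"ALERT {a['login']} dropped {len(a['databases'])} user databases "
              f"between {a['start']} and {a['end']}: {', '.join(a['databases'])}")
```

The threshold and window are deliberately conservative: a single DROP by an administrator during a change window is routine, while several user databases disappearing in one minute under one login is the pattern a wiper produces. The earlier `SELECT ... FROM sys.databases` line is left in the sample so the enumeration step can be correlated with the drops that follow it.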
By accessing the hackers’ staging infrastructure, Gambit was able to identify additional victims, including an Israeli media company, an Israeli university and a Turkish insurance firm. The hackers stole data from these organizations but did not wipe any of their servers, Gambit said.