Iranian-Backed Group Behind Attacks on Transit Systems in LA, South Florida
A constant risk in modern warfare is that the conflict will spill over into the cyber world, with state-aligned threat actors running espionage, data-stealing, or destructive campaigns targeting public or private sector organizations.
It’s been part of Russia’s ongoing war against neighboring Ukraine, and now the United States and other countries are seeing Iranian-backed hackers expanding their nefarious activities in reaction to the U.S. and Israeli bombing of their country.
The growing reach of attacks was laid out in a report this week by Gambit Security, with the Israeli cybersecurity startup saying that an Iranian threat group was behind a data breach in March of Los Angeles’ transit system, as well as earlier attacks on the Tri-Rail commuter transit system in South Florida, Maryland-based vehicle-tracking company Vyncs, and Unimac, an infrastructure firm in Saudi Arabia.
A pro-Iranian group calling itself Ababil of Minab – the name referring to a bombing at the start of the war of a girls’ school in Minab, an Iranian city, that killed more than 175 children and teachers – has claimed responsibility for the hacks.
However, Gambit researchers are pointing to the Iranian government as the driver of the attacks.
Not a ‘Standalone Hacktivist Crew’
“Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew, as they claim,” Eyal Sela, director of threat intelligence at Gambit, and cyberthreat researcher Nir Varon wrote. “Forensic evidence ties the operation to infrastructure and activity associated with Black Shadow, an Iran-linked group, which was attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security [MOIS].”
The group has said it stole at least 700 gigabytes of files – including emails and backups – and destroyed systems at the Los Angeles County Metropolitan Transportation Authority (LACMTA). The bad actors used an authenticated vCenter session to attack the agency, selecting a virtual machine and issuing two tasks, first to power off and then to delete data from the disk.
“This deletes the VM and its underlying disk files from the datastore,” they wrote.
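As an added defender-side example, not taken from the Gambit report or this article, the following Python flags the two-step vCenter sequence described above (a VM powered off and then destroyed shortly afterwards by the same account) in exported task records. The JSON-lines format and the sample records are constructed; `PowerOffVM_Task` and `Destroy_Task` are the vSphere API task names.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample task records (assumed format: one JSON object per line).
# Real vCenter task/event exports use different field names; adapt the mapping.
SAMPLE_TASK_LOG = """\
{"time": "2026-03-14T02:11:05Z", "user": "backupsvc@vsphere.local", "vm": "fileserver-01", "task": "PowerOffVM_Task", "state": "success"}
{"time": "2026-03-14T02:11:40Z", "user": "backupsvc@vsphere.local", "vm": "fileserver-01", "task": "Destroy_Task", "state": "success"}
{"time": "2026-03-14T02:12:10Z", "user": "backupsvc@vsphere.local", "vm": "mailstore-01", "task": "PowerOffVM_Task", "state": "success"}
{"time": "2026-03-14T02:12:55Z", "user": "backupsvc@vsphere.local", "vm": "mailstore-01", "task": "Destroy_Task", "state": "success"}
{"time": "2026-03-13T18:00:00Z", "user": "ops@vsphere.local", "vm": "test-vm-07", "task": "PowerOffVM_Task", "state": "success"}
{"time": "2026-03-14T09:30:00Z", "user": "ops@vsphere.local", "vm": "test-vm-07", "task": "Destroy_Task", "state": "success"}
"""

def parse_task_log(text):
    """Parse JSON-lines task records and return them sorted by time."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return sorted(records, key=lambda r: r["time"])

def find_poweroff_then_destroy(records, window=timedelta(minutes=10)):
    """Return (user, vm, seconds) for each VM destroyed within `window` of a
    successful power-off issued by the same account: the wiper pattern."""
    last_poweroff, hits = {}, []
    for r in records:
        if r["state"] != "success":
            continue
        key = (r["user"], r["vm"])
        if r["task"] == "PowerOffVM_Task":
            last_poweroff[key] = r["time"]
        elif r["task"] == "Destroy_Task" and key in last_poweroff:
            gap = r["time"] - last_poweroff.pop(key)
            if gap <= window:
                hits.append((r["user"], r["vm"], int(gap.total_seconds())))
    return hits

def users_with_mass_deletion(hits, threshold=2):
    """Accounts behind `threshold` or more such deletions: escalate these first."""
    counts = defaultdict(int)
    for user, _, _ in hits:
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)
if __name__ == "__main__":
    found = find_poweroff_then_destroy(parse_task_log(SAMPLE_TASK_LOG))
    for user, vm, secs in found:
        print(f"ALERT {user} destroyed {vm} {secs}s after powering it off")
    print("mass deletion by:", users_with_mass_deletion(found))
```

The routine power-off and later deletion of `test-vm-07` by a different account falls outside the window and is not flagged, which is the point of correlating the two tasks rather than alerting on every `Destroy_Task`.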
The hackers also accessed a Windows guest VM and, through the disk management capability, found volumes of data and deleted partitions via the “Delete Volume” command.
In Through RDP
In its breach of the South Florida Regional Transportation Authority (SFRTA), the group gained access via the Remote Desktop Protocol (RDP). Through an interactive session on an IIS host, it had local administrator privileges and access to IIS Manager, SQL Server Management Studio, the local file system, and an outbound FileZilla FTP client.
The Ababil group used both automated scripts as well as hands-on-keyboard tactics, with Gambit researchers writing that “each technique introduces a different recovery challenge, requiring separate remediation and restoration processes, which complicates and prolongs recovery efforts.”
Beyond the four attacks that the bad actors published, Gambit researchers found other organizations on the threat actor’s staging infrastructure that had data exfiltrated, including an Israeli media organization and an Israeli higher education institution, a Turkish insurance brokerage, and several websites in the restaurant, culture, digital services, and news sectors.
The AI Threat
That said, a larger concern coming out of the research beyond the attribution is the AI-fueled velocity of the attacks, according to Sela and Varon.
“Modern intrusion operators are moving from initial access straight into the recovery layer, virtualization, backups, storage volumes, to maximize destruction and deny remediation,” they wrote. “The skill required to do that at scale is collapsing in parallel. As AI capabilities become widely available, any actor, skilled or not, will be able to execute this kind of campaign.”
Iranian Threats Are Ramping Up
That an Iran-linked group is behind attacks against organizations in the United States and elsewhere shouldn’t come as a surprise. Soon after the fighting started, the pro-Iranian group Handala launched a data-wiping campaign against the U.S. medical tech firm Stryker.
In addition, several U.S. agencies – including CISA, the FBI, National Security Agency, and Department of Energy – in April warned that Iranian hackers were targeting critical infrastructure in the United States by exploiting operational technology devices, such as programmable logic controllers that are used in a range of critical infrastructure sectors.
Earlier this month, CNN reported that U.S. officials suspected that it was Iranian threat groups that breached automatic tank gauges at gas stations across the United States in operations that didn’t cause damage but raised concerns.