[CDP-development] Iranian Cyber Threat Actor Claims Cyberattack on 2 US Entities
Galusha, Kevin
KGalusha at clackamas.us
Mon Apr 20 07:30:24 PDT 2026
Happy Monday!
I wanted to share some recent threat intel with you all.
Kevin Galusha, CISSP
Cybersecurity Architect
Clackamas County Technology Services
(503)723-4960
KGalusha at clackamas.us
www.clackamas.us
The following advisory is UNCLASSIFIED//FOR OFFICIAL USE ONLY:
(U) The attached Commonwealth Fusion Center (CFC) Massachusetts Cybersecurity Program (MCP) Cyber Intelligence Brief is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
(U//FOUO) As part of the ongoing conflict with Iran, open sources are reporting that Iranian state-sponsored cyber operations are still active and are targeting US critical infrastructure. According to open-source reporting and active threat intelligence, pro-Iranian threat actor Ababil of Minab has claimed responsibility for cyberattacks against Los Angeles County Metro Transit Authority (LACMTA) and GPS Services provider VYNCS.
(U//FOUO) The Iranian Advanced Persistent Threat (APT) group has been identified through posts on their Telegram Channel and a Clearnet Website. The name is a combination of two locations in Iran. Minab is a city in Iran that was highlighted during missile strikes on February 28. A girls’ elementary school in Minab was struck by a missile, resulting in the death of 180 children. Ababil is a drone (HESA Ababil-3) that is stationed on an airstrip in Minab. Ababil is mentioned in the Quran as a miraculous bird that dropped stones on their enemies. The City of Minab is located on the Strait of Hormuz.
(U//FOUO) According to Dataminr, Ababil of Minab claimed to have attacked LA County Metro IT systems, including administrative access to a VMware vCenter Server environment. Open-source reporting stated this cyber-attack required LA Metro Transit to take down internal systems, which caused delays to patrons adding funds to their metro cards. Message boards showing departure and arrival times for trains and buses were not operational.
(U) The attached Cyber Intelligence Brief contains additional details, recommendations, and references.
The information contained in these products is marked UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO) and U//FOUO/REL TO USA, FVEY. It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an authorized DHS official.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CFC MCP Brief.pdf
Type: application/pdf
Size: 403115 bytes
Desc: CFC MCP Brief.pdf
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260420/aa49e4f0/attachment-0001.pdf>