Iranian intelligence service behind hack of LA transit system, researchers say
2026-5-27 13:34:38 Author: therecord.media

Iranian hackers working for the country’s intelligence service were behind the March breach of the Los Angeles County Metropolitan Transportation Authority (LACMTA), according to new research from an Israeli security firm.

The hacking group claimed to be a standalone hacktivist crew but actually has ties to the Ministry of Intelligence of the Islamic Republic of Iran (MOIS), researchers at Gambit Security said in a report published Tuesday.

The hacking group called itself Ababil of Minab, after the city where more than 175 teachers and children were killed in an Iranian school. The group took credit for the LACMTA breach early on, saying it exfiltrated the transit system’s data and destroyed its infrastructure.

Gambit researchers said their findings linking Ababil of Minab to MOIS are based on forensic evidence they surfaced that ties the group to prior Iran-backed hacks, including activity Israel’s National Cyber Directorate has attributed to Iran’s intelligence service. Researchers also found custom exfiltration tooling, the report said.

“Where destruction occurred, the playbook combined multiple techniques across virtualization, storage, and backup infrastructure to deny recovery,” according to the report.

The hackers erased databases, virtual machines and “storage volumes” both automatically using scripts and by “hands-on-keyboard activity,” the report said.   

The researchers found additional victims whose data has been exfiltrated but not destroyed by the hackers, including an Israeli organization in the media sector, an Israeli university, a Turkish insurance brokerage and “several additional websites across the restaurant, culture, digital services, and news sectors,” according to the report. Organizations in Saudi Arabia also were hacked by the group, the report said.

Reuters was first to report Gambit’s findings.

The campaign is notable not only for its attribution to MOIS but also for its velocity, the report said.

“Modern intrusion operators are moving from initial access straight into the recovery layer, virtualization, backups, storage volumes, to maximize destruction and deny remediation,” according to the report. “The skill required to do that at scale is collapsing in parallel.” 

“As AI capabilities become widely available, any actor, skilled or not, will be able to execute this kind of campaign.”

Ababil of Minab would not be the first MOIS-linked group to claim they are hacktivists. 

After a devastating cyberattack on medical device maker Stryker in March, a group known as Handala claimed responsibility. Handala portrays itself as an independent, pro-Palestine group of hacktivists, but experts and the Department of Justice have said the group is backed by MOIS. 

The Stryker attack crippled the company by wiping employee devices and systems belonging to the manufacturer.

Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.


Article source: https://therecord.media/iranian-intelligence-behind-hack-of-la-transit-system