# Iran‑linked hacker leak exposes LA Metro SCADA backups and Israeli credentials, raising critical infrastructure risk

*Monday, June 15, 2026 at 10:05 PM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-06-15T22:05:23.317Z
**Category**: cyber | **Region**: Global
**Importance**: 8/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/7560.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: Investigators say a staging server used by the Iranian‑linked group ‘Ababil of Minab’ was left wide open, exposing 5 GB of victim data including LA Metro industrial control backups and credentials for multiple Israeli organizations. The discovery reveals how messy, unsecured hacker infrastructure can leave sensitive transport and utility systems vulnerable on both sides of an escalating cyber confrontation.

A cache of exposed files linked to an Iranian‑aligned hacking group has laid bare sensitive data from U.S. and Israeli networks, including industrial control system backups for Los Angeles’ public transit operator, in a breach that ties local services to a wider geopolitical cyber struggle.

Researchers tracking the group known as “Ababil of Minab” reported that a staging server used by the hackers had been left openly accessible, revealing roughly 5 gigabytes of data from previous intrusions. Among the material were backups of Supervisory Control and Data Acquisition (SCADA) systems belonging to LA Metro, as well as credentials, configuration files, and database dumps from multiple Israeli organizations. The findings were published in a technical write‑up that did not list every victim by name but made clear that the compromised systems included critical infrastructure and sensitive corporate environments.

The presence of SCADA backups is particularly notable. These systems are used to monitor and control physical processes — from train signaling and power distribution to water treatment. Backups often contain detailed network maps, device configurations, and sometimes authentication information. In the wrong hands, such data can make it significantly easier to plan follow‑on operations, simulate attacks, or identify single points of failure. The exposed credentials and configuration files tied to Israeli targets raise similar concerns about access routes into networks that matter for national security and economic life.

For passengers riding LA Metro or employees at unnamed Israeli firms, the fallout is not yet a flashing red light — there is no public indication that operations have been disrupted or that physical harm has occurred. But the incident shows how quietly stolen data can sit on an attacker’s server, only to be rediscovered in ways that may or may not be under the original hacker’s control. It also drives home that the systems which keep trains moving and services running are no longer protected by obscurity; their blueprints are now targets in their own right.

Strategically, the exposure underscores how cyber operations tied to geopolitical rivalries can boomerang. Groups aligned with nation‑states often rely on hastily configured infrastructure to store and process stolen data. When that infrastructure is left unsecured, it can reveal not only the victims, but also the attackers’ methods, tools, and priorities. In this case, a group associated with Iran ends up unintentionally disclosing a cross‑section of its targets that spans U.S. public transportation and Israeli institutions — a map of who it considers worth the effort.

The incident fits a broader pattern of escalating cyber activity against critical infrastructure in recent years. Iranian‑linked actors have been accused of probing water utilities and industrial systems in the U.S. and Israel, while Western and allied services have pushed back in both defensive and offensive ways. What makes this incident different is not sophistication, but visibility: it offers a rare, unvarnished look at the raw loot sitting inside a live operation’s toolbox.

The lesson is stark: when industrial control systems are connected, their vulnerabilities do not stop at the fence line of a depot or switching yard. A poorly secured backup, copied halfway around the world, can leave a city’s transit rhythms or a company’s operations exposed to adversaries who may never set foot in the country they are targeting.

In the near term, key questions include how quickly LA Metro and the affected Israeli organizations can rotate credentials, harden configurations, and hunt for any sign that the exposed data has already been weaponized. Security teams and policymakers will also be looking at whether this incident prompts broader audits of SCADA backup practices, and whether governments move to more aggressively attribute and sanction groups like Ababil of Minab whose operations blur the line between criminal hacking and statecraft.
