Gambit Security's Threat Intelligence team has confirmed a destructive cyber campaign by Iran-linked operators targeting organizations across the United States, Israel, Saudi Arabia, and Turkey. The activity, publicly claimed by a pro-Iranian persona calling itself "Ababil of Minab," has been forensically tied to Iran's Ministry of Intelligence and Security (MOIS). Confirmed victims include the Los Angeles County Metropolitan Transportation Authority (LACMTA), with additional undisclosed victims identified across Israel and Turkey.
What Happened
Public reporting of the campaign began in late March and early April 2026 when "Ababil of Minab" claimed responsibility for compromising LA Metro, exfiltrating data, and wiping internal systems. Gambit's deeper investigation revealed the operation extends well beyond the persona's public claims, with bespoke exfiltration tooling and infrastructure overlap matching activity that the Israel National Cyber Directorate (INCD) has publicly attributed to MOIS. This indicates Ababil of Minab is not an independent hacktivist crew but a front for a state-aligned intelligence operation. Across victims, operators combined data theft with layered, destructive actions targeting IT systems, applications, virtualization platforms, storage volumes, and backup repositories.
What Was Taken
The attackers exfiltrated victim data prior to executing destructive payloads, consistent with double-extortion and influence-operation playbooks. While the full inventory of stolen data has not been disclosed, exfiltration targeted organizational records held within enterprise applications, databases, and virtualized workloads. In the LACMTA case, the threat actor publicly claimed data theft alongside system destruction. Gambit recovered bespoke exfiltration tooling used across the campaign, indicating systematic harvesting rather than opportunistic grabs. Additional victims in Israel and Turkey had data exfiltrated quietly, without public extortion or leak posts.
Why It Matters
This campaign signals a return to high-impact, state-aligned destructive operations against critical infrastructure and enterprise targets in the Middle East and the US. The layered destruction pattern (deleting virtual machines, removing storage volumes, wiping databases, and destroying backup copies) is engineered to maximize recovery time and cost. Wiping backups or their metadata removes the last line of defense against full restoration, forcing victims into parallel rebuild paths across the virtualization, application, and data layers. The use of a hacktivist front to mask MOIS attribution also complicates response, attribution, and any potential geopolitical reaction.
The Attack Technique
Operators used a modular, multi-stage approach blending automation with hands-on-keyboard activity. After gaining access and establishing persistence, they deployed bespoke exfiltration tooling to siphon data. Destructive actions then proceeded across layers: scripted deletion of virtual machines and snapshots broke platform-level recovery; manual, operator-driven removal of database instances destroyed application state and transactional histories; and targeted removal of backup copies and backup metadata eliminated restore paths. Infrastructure and tooling artifacts overlap with prior MOIS-attributed clusters tracked by INCD, providing the forensic basis for attribution.
What Organizations Should Do
- Isolate backup infrastructure with strict identity boundaries, immutable storage, and out-of-band copies that cannot be deleted by compromised admin credentials.
- Audit virtualization platform permissions, hypervisor APIs, and snapshot management to detect mass-deletion behavior and enforce MFA on all destructive operations.
- Hunt for indicators tied to prior MOIS-attributed campaigns published by INCD and apply detections for the bespoke exfiltration tooling referenced by Gambit.
- Implement and rehearse parallel-recovery runbooks that assume simultaneous loss of VMs, databases, and primary backups.
- Monitor for anomalous large-scale data egress, particularly from database and file-server segments, and enforce egress controls on sensitive zones.
- Pre-position incident response retainers and legal/communications playbooks tailored to destructive, attribution-sensitive incidents.
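As an added illustration of three of the recommendations above (backup identity boundaries, mass-deletion detection on the virtualization layer, and egress monitoring on database segments), the following Python sketch runs simple detection logic over constructed sample records. It is example code written for this page, not Gambit's tooling or any published INCD detection, and it contains no indicators from the campaign. The audit-event format, the action names, the principal names, the egress baselines and the thresholds are all assumptions chosen for the example; map them onto the fields your hypervisor audit log and flow telemetry actually emit.

```python
"""Added example: burst, boundary and egress checks over constructed records.

Nothing here is real telemetry. Field names, action names, hosts and numbers
are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed hypervisor/backup audit events: (timestamp, actor, action, target).
# The burst by "svc-vcenter" mirrors the scripted VM/snapshot deletion pattern
# the advisory describes; "backup-admin" removing one old restore point is routine.
AUDIT_EVENTS = [
    ("2026-04-01T02:10:05Z", "svc-vcenter", "DeleteSnapshot", "vm-app01/snap-3"),
    ("2026-04-01T02:10:09Z", "svc-vcenter", "DeleteVM", "vm-app01"),
    ("2026-04-01T02:10:14Z", "svc-vcenter", "DeleteVM", "vm-db01"),
    ("2026-04-01T02:10:21Z", "svc-vcenter", "DeleteVolume", "vol-db01-data"),
    ("2026-04-01T02:10:30Z", "svc-vcenter", "DeleteVM", "vm-fs01"),
    ("2026-04-01T02:10:44Z", "svc-vcenter", "DeleteBackupCopy", "bk-db01-2026-03-31"),
    ("2026-04-01T09:30:00Z", "backup-admin", "DeleteBackupCopy", "bk-fs01-2026-01-01"),
    ("2026-04-01T11:00:00Z", "ops-jdoe", "PowerOffVM", "vm-test02"),
]

# Assumed set of actions that remove recovery capability.
DESTRUCTIVE_ACTIONS = {"DeleteVM", "DeleteSnapshot", "DeleteVolume", "DeleteBackupCopy"}
# Assumed identity boundary: only these principals may delete backup copies.
BACKUP_PRINCIPALS = {"backup-admin"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_deletion(events, window=timedelta(minutes=5), threshold=5):
    """Flag any actor performing >= threshold destructive actions inside a
    sliding time window. Returns {actor: count in the busiest window}."""
    by_actor = defaultdict(list)
    for ts, actor, action, _ in events:
        if action in DESTRUCTIVE_ACTIONS:
            by_actor[actor].append(parse_ts(ts))
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[actor] = worst
    return alerts


def detect_backup_boundary_violations(events):
    """Backup deletions by any principal outside the backup identity boundary,
    i.e. a general admin (or a compromised admin credential) reaching backups."""
    return [
        (actor, target)
        for _, actor, action, target in events
        if action == "DeleteBackupCopy" and actor not in BACKUP_PRINCIPALS
    ]


# Constructed hourly outbound byte counts to external destinations for hosts in
# the database segment, with an assumed per-host hourly baseline.
EGRESS_BYTES = {"db01": 48_000_000_000, "db02": 210_000_000, "db03": 190_000_000}
EGRESS_BASELINE = {"db01": 200_000_000, "db02": 200_000_000, "db03": 200_000_000}


def detect_egress_anomalies(observed, baseline, factor=10):
    """Hosts whose outbound volume exceeds `factor` times their baseline.
    Hosts with no baseline are skipped rather than guessed at."""
    return sorted(
        host for host, sent in observed.items()
        if host in baseline and sent > factor * baseline[host]
    )


if __name__ == "__main__":
    print("mass deletion:", detect_mass_deletion(AUDIT_EVENTS))
    print("backup boundary violations:", detect_backup_boundary_violations(AUDIT_EVENTS))
    print("egress anomalies:", detect_egress_anomalies(EGRESS_BYTES, EGRESS_BASELINE))
```

In practice the sliding-window count should run per identity across all hypervisor and storage APIs, not just one product's audit log, since the advisory notes destruction was spread across VM, volume and backup layers; and the boundary check is only meaningful once backup deletion is actually restricted to a separate set of principals, which is what the first recommendation calls for.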
Sources: Iran-Linked Hackers Wipe IT Systems and Backups in Middle East Cyberattack