Wasteland.
▣ Breach IRAN-MIDDLE-EAST 2026-06-03

Middle East Organizations: Iran-Linked Wiper Campaign

Gambit Security's Threat Intelligence team has confirmed a fast-moving, destructive cyber campaign targeting organizations across the United States, Israel, Saudi Arabia, and Turkey. The operation, publicly claimed by a pro-Iranian persona called "Ababil of Minab," combined data theft with the wholesale destruction of IT systems, virtualization platforms, storage volumes, and backups. Forensic analysis ties the activity to Iran's Ministry of Intelligence and Security (MOIS).

What Happened

Public reporting of the campaign began in late March and early April 2026 after "Ababil of Minab" claimed responsibility for compromising the Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro), exfiltrating data, and wiping systems. Gambit's deeper investigation revealed the operation extends well beyond that single claim, with additional undisclosed victims identified in Israel and Turkey. The technical artifacts and infrastructure match activity that the Israel National Cyber Directorate (INCD) has publicly attributed to MOIS, indicating Ababil of Minab is a state-aligned front rather than an independent hacktivist crew.

What Was Taken

Across affected organizations, the attackers exfiltrated data using custom tooling recovered by Gambit's analysts. The stolen material included internal business data from transportation, government, and private-sector entities across the four countries. Following exfiltration, the operators executed destructive actions against application state, transactional databases, virtual machine inventories, and the backup archives intended to support recovery. In multiple cases, the public leak of stolen data appears to have been secondary to the operational disruption caused by the wipe.

Why It Matters

This campaign represents a significant escalation in Iran-linked destructive operations against Western and regional adversaries. By layering data theft on top of multi-tier destruction, the operators maximize both reputational damage and operational downtime. Wiping backup copies and their metadata removes the last line of defense, turning what might have been a containable intrusion into an existential business event. The use of a hacktivist persona to mask state activity also complicates attribution and political response.

The Attack Technique

The operators combined automated scripted destruction with hands-on-keyboard execution. Observed techniques included scripted deletion of virtual machines and storage volumes, manual removal of database instances, and the targeted purging of backup copies and their associated metadata. The modular, layered approach allowed the attackers to break platform-level recovery paths, destroy transactional histories, and eliminate restore points in a coordinated sequence. Recovery requires parallel rebuilding of virtual environments, restoration from surviving offline copies or transaction logs, and full application integrity validation.

What Organizations Should Do

  1. Maintain immutable, offline, and air-gapped backups that cannot be reached or deleted with production credentials.
  2. Enforce strict separation between the identity systems of the backup infrastructure and the primary Active Directory and virtualization management planes.
  3. Implement multi-factor authentication and just-in-time privileged access on hypervisors, storage arrays, and backup consoles.
  4. Monitor for bulk VM, snapshot, and storage volume deletion events with automated alerting and rate limits.
  5. Conduct tabletop exercises that assume backup destruction, validating recovery time objectives against worst-case wiper scenarios.
  6. Hunt for indicators tied to MOIS-linked infrastructure published by INCD and partner intelligence agencies.
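Recommendations 2 and 4 above can be checked with a small detector over audit events from the hypervisor, storage, and backup planes. The following is an added example written for this brief, not tooling from Gambit Security or from the source article; the event schema (`ts`, `actor`, `source`, `action`, `target`), the action names, the `BACKUP_ADMINS` allowlist, and the sample events are all constructed for illustration and would have to be mapped onto your own platforms' logs.

```python
"""Detect bulk VM/snapshot/volume deletion and cross-plane backup deletion.

Two rules over a stream of normalized audit events:
  1. bulk-deletion: a single actor performs >= THRESHOLD destructive actions
     within a sliding WINDOW, across any plane (recommendation 4).
  2. cross-plane-backup-deletion: a destructive action on the backup plane
     by an identity outside the backup-admin realm (recommendation 2).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events for this example only; not taken from any real
# incident. Field names and action vocabulary are an assumption.
SAMPLE_EVENTS = [
    '{"ts": "2026-04-01T02:00:00Z", "actor": "svc-vcenter@corp", "source": "hypervisor", "action": "vm.delete", "target": "app-db-01"}',
    '{"ts": "2026-04-01T02:00:12Z", "actor": "svc-vcenter@corp", "source": "hypervisor", "action": "vm.delete", "target": "app-db-02"}',
    '{"ts": "2026-04-01T02:00:30Z", "actor": "svc-vcenter@corp", "source": "hypervisor", "action": "snapshot.delete", "target": "app-web-01/snap-1"}',
    '{"ts": "2026-04-01T02:01:05Z", "actor": "svc-vcenter@corp", "source": "storage", "action": "volume.delete", "target": "lun-17"}',
    '{"ts": "2026-04-01T02:01:40Z", "actor": "svc-vcenter@corp", "source": "storage", "action": "volume.delete", "target": "lun-18"}',
    '{"ts": "2026-04-01T02:02:10Z", "actor": "svc-vcenter@corp", "source": "backup", "action": "backup.delete", "target": "repo-a/2026-03-31"}',
    '{"ts": "2026-04-01T09:15:00Z", "actor": "alice@corp", "source": "hypervisor", "action": "vm.delete", "target": "test-vm-03"}',
    '{"ts": "2026-04-01T16:40:00Z", "actor": "bob@corp", "source": "hypervisor", "action": "vm.create", "target": "test-vm-04"}',
    '{"ts": "2026-04-01T16:45:00Z", "actor": "bkadmin@backupdom", "source": "backup", "action": "backup.delete", "target": "repo-a/2026-01-01"}',
]

# Actions that destroy data or recovery points. Retention changes are included
# because shortening retention is a quiet way to purge backups.
DESTRUCTIVE_ACTIONS = {
    "vm.delete", "snapshot.delete", "volume.delete",
    "backup.delete", "backup.retention.modify",
}

# Hypothetical allowlist: identities that legitimately administer the backup
# plane. They live in a separate identity realm from production AD, so a
# production principal (e.g. svc-vcenter@corp) touching backups is anomalous.
BACKUP_ADMINS = {"bkadmin@backupdom"}

THRESHOLD = 5                     # destructive actions per actor ...
WINDOW = timedelta(minutes=10)    # ... within this sliding window


def parse_event(line):
    """Parse one JSON audit line and convert the timestamp to a datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold=THRESHOLD, window=WINDOW, backup_admins=BACKUP_ADMINS):
    """Return a list of alert dicts in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # actor -> deque of (ts, target) inside window
    fired = set()                 # actors already reported for bulk deletion

    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue

        # Rule 2: backup-plane destruction by a non-backup identity fires at once.
        if ev["source"] == "backup" and ev["actor"] not in backup_admins:
            alerts.append({
                "rule": "cross-plane-backup-deletion",
                "actor": ev["actor"], "count": 1, "targets": [ev["target"]],
            })

        # Rule 1: sliding-window count of destructive actions per actor.
        q = recent[ev["actor"]]
        q.append((ev["ts"], ev["target"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["actor"] not in fired:
            fired.add(ev["actor"])
            alerts.append({
                "rule": "bulk-deletion",
                "actor": ev["actor"], "count": len(q),
                "targets": [t for _, t in q],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["rule"]}: {a["actor"]} ({a["count"]}) -> {", ".join(a["targets"])}')
```

Run against the constructed sample, the detector raises a bulk-deletion alert for `svc-vcenter@corp` on its fifth destructive action and a cross-plane alert when the same production service account deletes a backup repository entry; the single deletion by `alice@corp` and the backup deletion by the allowlisted backup administrator stay quiet. In production the rate check should feed an automated response (revoke the session, block further deletions at the management plane), since a wiper finishes long before a human reads the alert.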

Sources: Iran-Linked Hackers Wipe IT Systems and Backups in Middle East Cyberattack