NEWS
Iran-Linked Hackers Wipe Backups to Make Recovery Impossible
Iran-linked hackers who broke into the Los Angeles transit system and at least three other organizations did something most data thieves skip: they hunted the backups. Operating as a pro-Iranian persona called Ababil of Minab, the intruders deleted virtual machines, dropped whole databases and erased the backup chains victims needed to rebuild, according to a Tel Aviv threat-intelligence firm that traced the operation.
That focus on the recovery layer is what sets the campaign apart from ordinary extortion. When backups, virtualization consoles and storage are gone, a victim cannot simply restore a clean copy and move on; rebuilding stretches into weeks, and some records never come back.
The Recovery Layer Became the Target
Every ransomware crew that has ever locked up a network is betting on one thing: that the victim has no clean copy to fall back on. The operators behind this intrusion took that logic further and went after the recovery machinery itself, the backups, virtualization consoles and storage volumes that turn a catastrophic breach into a survivable one. The same pattern showed up across victims in four countries, and it was deliberate every time.
Modern intrusion operators are moving from initial access straight into the recovery layer, virtualization, backups, storage volumes.
That assessment comes from Eyal Sela, director of threat intelligence at Gambit Security, and Nir Varon, a cyber threat researcher at the firm, in Gambit’s forensic report on the recovery-layer campaign. Ransomware at least offers a transaction: pay, and a decryption key may follow. A wiper pointed at the backups offers nothing to negotiate, because once the last restore point is deleted, the data is simply gone.

How the Wipers Moved Through Each Victim
The attackers rarely needed custom malware. They signed into the same consoles administrators use every day, VMware vCenter (a virtualization management platform), Windows Disk Management, SQL Server Management Studio and the Veeam backup software, then used those tools to delete. Because the work looked like routine administration, conventional malware detection had little to flag. At LA Metro, formally the Los Angeles County Metropolitan Transportation Authority (LACMTA), an authenticated vCenter session was enough to power off a virtual machine (VM) and wipe its disk from the datastore. The persona boasted of destroying hundreds of terabytes; what investigators could confirm on the attackers’ exposed servers was at least 700 gigabytes of emails and backups.
At Vyncs, the consumer GPS-tracking service run by Maryland firm Agnik, a custom Python script named main.py walked through 58 SQL Server targets and dropped every user database, 58 of 58 with no failures, while the operator hand-deleted the daily backup files in parallel. The session ended only when the attacker erased the core Windows system folders and cut off their own remote connection. The table below maps how the crew worked through four of the named victims.
| Victim | Location and sector | What was destroyed | Recovery impact |
|---|---|---|---|
| LA Metro (LACMTA) | Los Angeles, public transit | Virtual machines deleted through vCenter; disks wiped | About 1,400 servers checked before restore, board member Fernando Dutra said; TAP fare-loading and arrival screens went down |
| Vyncs (run by Agnik) | Maryland, consumer GPS tracking | main.py dropped all 58 SQL databases; daily backups and Windows folders deleted | Service taken offline; the firm worked with the FBI and reported little permanent loss |
| UNIMAC | Saudi Arabia, maintenance and contracting | Three storage volumes formatted and replaced with a new “Minab” volume; Veeam backup chains deleted | Restore points removed from repository storage |
| SFRTA (Tri-Rail) | South Florida, commuter rail | Databases taken offline; WipeFile overwrote the web directory and its SQL backup folder | Hosted sites and backup folder overwritten |
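The common thread in the table is that nothing exotic ran on the victims: the damage came from ordinary console actions issued in quick succession from one account. The detector below is an added example written for this article, not code from Gambit Security or from any of the victims. It replays constructed audit lines in a simplified "timestamp source user action target" form (the hostnames, user names and log layout are all invented) and raises an alert when one identity issues a cluster of destructive actions across more than one console within a short gap, which is the signature the narrative above describes rather than any single malicious command.

```python
"""
Added example, not from the article or the researchers' report: flag bursts
of destructive administrative actions (SQL Server DROP DATABASE, vCenter VM
removal, Veeam restore-point deletion) issued by one account within a short
time window. Log format, hosts and user names are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: ISO timestamp, source console, user, action.
SAMPLE_LOG = """\
2026-04-01T02:10:05 sqlserver svc_backup BACKUP DATABASE fleet_telemetry
2026-04-01T02:14:31 sqlserver adm_j.doe DROP DATABASE fleet_telemetry
2026-04-01T02:14:33 sqlserver adm_j.doe DROP DATABASE customer_accounts
2026-04-01T02:14:36 sqlserver adm_j.doe DROP DATABASE billing
2026-04-01T02:15:02 veeam adm_j.doe DELETE RESTOREPOINT fleet_telemetry-daily
2026-04-01T02:15:40 vcenter adm_j.doe VM_REMOVE_FROM_DISK db-prod-01
2026-04-01T02:15:52 vcenter adm_j.doe VM_REMOVE_FROM_DISK db-prod-02
2026-04-01T09:30:00 sqlserver adm_j.doe DROP DATABASE scratch_test
2026-04-02T01:00:00 vcenter adm_m.ops VM_REMOVE_FROM_DISK old-dev-box
"""

# Actions that remove data or restore points on each console (constructed names).
DESTRUCTIVE = {
    "sqlserver": re.compile(r"^DROP DATABASE "),
    "vcenter": re.compile(r"^VM_REMOVE_FROM_DISK"),
    "veeam": re.compile(r"^DELETE RESTOREPOINT"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse(log_text):
    """Parse the constructed log lines into (timestamp, source, user, action) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the demo format
        ts, source, user, action = m.groups()
        events.append((datetime.fromisoformat(ts), source, user, action))
    return events


def destructive_bursts(events, gap=timedelta(minutes=10), threshold=3, min_sources=2):
    """Group each user's destructive actions into clusters where consecutive
    actions are no more than `gap` apart. A cluster becomes an alert when it
    holds at least `threshold` actions spanning at least `min_sources`
    different consoles: one account deleting VMs, databases and restore
    points in the same few minutes is the pattern worth paging on."""
    per_user = defaultdict(list)
    for ts, source, user, action in events:
        pattern = DESTRUCTIVE.get(source)
        if pattern and pattern.match(action):
            per_user[user].append((ts, source, action))

    alerts = []
    for user, acts in per_user.items():
        acts.sort()
        cluster = [acts[0]]
        # A trailing None sentinel forces evaluation of the final cluster.
        for act in acts[1:] + [None]:
            if act is not None and act[0] - cluster[-1][0] <= gap:
                cluster.append(act)
                continue
            sources = {s for _, s, _ in cluster}
            if len(cluster) >= threshold and len(sources) >= min_sources:
                alerts.append({
                    "user": user,
                    "first": cluster[0][0].isoformat(),
                    "last": cluster[-1][0].isoformat(),
                    "count": len(cluster),
                    "sources": sorted(sources),
                    "targets": [a.split()[-1] for _, _, a in cluster],
                })
            if act is not None:
                cluster = [act]
    return alerts


if __name__ == "__main__":
    for alert in destructive_bursts(parse(SAMPLE_LOG)):
        print(alert)
```

The single lone DROP of a scratch database hours later and the one VM removal by a different operator stay silent, which is the point: the rule keys on the burst and the spread across consoles, not on any one action that an administrator might legitimately run.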
The Hacktivist Costume Over a Ministry Operation
The persona presented itself as a scrappy band of pro-Iran activists, but the forensic trail points back to a state intelligence service. Investigators found that the group’s staging server had received stolen files from a second machine that had served a security certificate for nefeshhope[.]com, a fake mental-health support site that targeted Israeli soldiers in August 2025. Israel’s National Cyber Directorate (INCD) took that site down, and analysis shared by ClearSky Cyber Security and researcher Simon Kenin tied the infrastructure to a previously identified Iranian group.
That group, Black Shadow, is one the INCD attributes to Iran’s Ministry of Intelligence and Security (MOIS); researchers also track it as Agrius and Pink Sandstorm. It carries a long record against Israeli academia, finance and transport targets.
Dressing a state operation in activist clothing is an old Tehran habit. The same approach produced Handala, the persona behind a destructive intrusion at medical-device maker Stryker earlier this year, which U.S. prosecutors later tied to the Iranian government.
“What our research adds is the forensic evidence to support it,” said Eyal Sela, whose firm was founded in part by veterans of Unit 8200, Israel’s signals-intelligence corps. The Federal Bureau of Investigation (FBI) has said it is aware of the Los Angeles incident and is coordinating with partners; the Cybersecurity and Infrastructure Security Agency (CISA), Iran’s UN mission and the directorate did not comment on the findings.
A Chatbot in the Destruction Loop
One of the group’s own videos gave away an unexpected collaborator. As the operator refined the database-wiping script, the footage briefly showed a session with the AI chatbot ChatGPT, apparently asking it to filter out SQL Server system databases so the delete command would strike only user data. A state-aligned crew was scaffolding its destruction logic with a consumer chatbot.
To the researchers, that detail is the part worth losing sleep over. “As AI capabilities become widely available, any actor, skilled or not, will be able to execute this kind of campaign,” Nir Varon warned in the report. The skill once needed to find and erase every restore point in an unfamiliar network, at speed, is exactly the kind of task a chatbot can now help assemble.
The crew was not leaning on the chatbot alone. It also deployed a custom stealer the researchers named FileFiend, written in C++, which scanned drives and network shares and shipped files to a hardcoded command-and-control (C2) server, alongside a Flask-based receiver to catch the uploads. In a parting taunt, anyone who hit a dead page on the attackers’ server was redirected to the FBI’s own website.
The Wider Iranian Surge Since February
The campaign did not appear in a vacuum. Iranian-linked operators have escalated sharply since the United States and Israel went to war with Iran in February 2026, and Western agencies have logged a run of intrusions aimed at critical services. This wiping campaign is one strand of a much thicker rope.
- At medical-device maker Stryker, the Handala persona deployed wiper malware in March, knocking out thousands of systems and devices and forcing operational shutdowns across multiple countries.
- On April 7, six U.S. agencies issued a joint advisory on Iranian-affiliated attacks against industrial controllers, warning that the actors were exploiting internet-exposed Rockwell programmable logic controllers (PLCs) and manipulating the displays operators rely on at water and power sites.
- Iranian hackers were suspected of remotely tampering with gas-station fuel gauges in the United States.
- The same wave included the leak of personal emails belonging to FBI Director Kash Patel, claimed by an Iran-linked group.
Most of that activity aimed at disruption or embarrassment rather than permanent loss. Even the federal warnings about industrial controllers describe manipulation of those controllers and, at drinking-water systems, configuration wiping and sensor tampering. The methodical erasure of an organization’s entire ability to recover is a harder edge on the same blade.
What Backup Isolation Now Has to Survive
For defenders, the lesson is blunt: backups have become a primary target, and they have to survive an attacker who already holds administrator rights. A copy that a domain admin can reach and delete is a copy the next intruder can reach and delete too.
Resilience teams have heard for years that they should keep immutable, offline copies, and this campaign turns that advice from best practice into a survival requirement. The recommendations from the researchers, echoed by U.S. agencies responding to the broader Iranian surge, come down to a short, ordered checklist.
- Keep at least one backup copy that is immutable or fully offline and cannot be deleted with production administrator credentials.
- Separate the identity of your backup systems from the main domain, so one stolen admin account cannot open the virtualization or backup console.
- Test restores on a schedule, because a backup job that reports success is not proof you can actually rebuild.
- Pull management and operational-technology (OT) consoles off the public internet and require multifactor authentication (MFA) on remote desktop (RDP), virtualization and database access.
- Hunt logs for the published indicators of compromise and report any intrusion to the FBI’s Internet Crime Complaint Center (IC3).
Regulators are pushing the same direction. A cybersecurity alert on heightened Iranian threats told financial firms in March to expect an elevated risk of destructive and data-wiping operations, not theft alone, and to rehearse their incident response before they need it.
Another state-linked wiper is coming, and the federal advisories say as much. The organizations that have isolated their backups will treat the next one as a costly week. The ones that left a single domain-admin account able to reach every restore point will learn what the Los Angeles agency’s recovery teams already know: the backups are the part of the network a state wiper is built to destroy.
Frequently Asked Questions
Who Are the Ababil of Minab Hackers?
Ababil of Minab is a pro-Iranian online persona that surfaced in late March and early April 2026 and claimed responsibility for the Los Angeles transit breach. Its name points to a bombing at a girls’ school in the Iranian city of Minab that officials there said killed more than 175 children and teachers. Forensic analysis ties the persona to the state-linked group Black Shadow rather than an independent activist crew.
Is Black Shadow the Same Group Behind Earlier Israeli Breaches?
Yes. Researchers also track Black Shadow as Agrius and Pink Sandstorm, and the persona was used before to claim Iranian operations against Israel, including the 2020 breach of the insurance company Shirbit. Israel’s National Cyber Directorate attributes the cluster to the country’s Ministry of Intelligence and Security.
Did the Transit Attack Stop Trains or Expose Rider Data?
No. Buses and trains kept running; the damage hit internal systems, fare-loading on the TAP mobile app and station arrival screens. The agency said early in its investigation that it had not found customer or employee data affected, and while the intruders reached a rail-yard control display known internally as Division 11, there is no public evidence they manipulated it.
How Can Organizations Protect Backups From Wiper Attacks?
Keep at least one backup copy that is immutable or offline and cannot be deleted with production administrator credentials, separate backup-system identity from the main domain, and test restores instead of trusting that backup jobs succeed. U.S. agencies also urge removing management and operational-technology consoles from the public internet, enforcing multifactor authentication, and reporting intrusions to the FBI’s IC3 at ic3.gov. A final reporting rule under the Cyber Incident Reporting for Critical Infrastructure Act, expected in 2026, would add 72-hour incident reporting for critical-infrastructure operators.