CISA warns of cyberattacks targeting fuel tank monitoring systems
CISA warns of cyberattacks targeting internet-exposed automatic tank gauge systems in critical infrastructure sectors.
Summary
CISA, FBI, NSA, and the Department of Energy issued a joint warning about threat actors actively compromising internet-exposed automatic tank gauge (ATG) systems used across Energy, Chemical, Food and Agriculture, and Transportation sectors. Attackers are exploiting authentication bypass vulnerabilities, hardcoded credentials, and command-execution flaws to modify system settings, alter tank volumes, disable alerts, and potentially interfere with leak detection. While unattributed, the activity follows CNN reporting that Iranian hackers targeted ATG systems at gas stations with weak or nonexistent password protection.
Full text
CISA warns of cyberattacks targeting fuel tank monitoring systems By Lawrence Abrams June 3, 2026 04:21 PM 0 CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors. The cybersecurity agency says that ATG systems are commonly used in the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors to remotely monitor storage tank levels, temperatures, and potential leaks. The US government says threat actors are targeting exposed devices and modifying system settings through command execution. "The recent malicious cyber activity observed by the authoring organizations—which the U.S. government has not yet attributed to a nation-state or threat actor group—involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution," the advisory states. According to the agencies, attackers are gaining access through authentication bypass vulnerabilities, hardcoded credentials, operating system command-execution flaws, SQL injection vulnerabilities, and privilege-escalation weaknesses. If the system is successfully compromised, the attackers can alter network settings, product identifiers, tank volumes, and pump controls. They could also turn off alerts and create conditions that prevent operators from properly monitoring tank fill levels, potentially increasing the risk of leaks or equipment failures. The agencies urged organizations to block ATG systems from the internet, restrict remote access through firewalls, VPNs, or access control lists, replace default passwords, utilize strong credentials and multifactor authentication, apply security updates, and actively monitor systems for unauthorized changes. Iranian hackers previously linked to similar activity While the advisory does not attribute the activity to any specific threat actor, it follows CNN reporting in May that Iranian hackers were behind a series of breaches involving ATG systems at gas stations in multiple states. According to CNN, the attackers exploited ATG systems that were connected to the internet and protected by weak or nonexistent passwords, allowing them to access and manipulate display readings. However, the attackers did not alter the actual fuel levels. The incidents reportedly did not cause physical damage, but raised concerns that attackers could potentially interfere with leak detection and other safety-related functions. CNN reported that Iran was the primary suspect because of its history of targeting fuel management systems and other industrial control technologies. However, CNN reports that multiple sources briefed on the investigation said it may not be possible to attribute the activity to a specific attacker, as there was limited forensic evidence left behind in the attacks. CISA and its partners said organizations operating ATG systems should review their exposure and implement recommended mitigations immediately to reduce the risk of compromise. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Iranian hackers targeted major South Korean electronics makerFoxconn confirms cyberattack claimed by Nitrogen ransomware gangCanvas login portals hacked in mass ShinyHunters extortion campaignMuddyWater hackers use Chaos ransomware as a decoy in attacksPowerSchool hacker claims they stole data of 62 million students
Indicators of Compromise
- malware — ATG system compromise via authentication bypass and command execution