CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors.
The cybersecurity agency says that ATG systems are commonly used in the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors to remotely monitor storage tank levels, temperatures, and potential leaks.
The US government says threat actors are targeting exposed devices and modifying system settings through command execution.
“The recent malicious cyber activity observed by the authoring organizations—which the U.S. government has not yet attributed to a nation-state or threat actor group—involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution,” the advisory states.
According to the agencies, attackers are gaining access through authentication bypass vulnerabilities, hardcoded credentials, operating system command-execution flaws, SQL injection vulnerabilities, and privilege-escalation weaknesses.
If the system is successfully compromised, the attackers can alter network settings, product identifiers, tank volumes, and pump controls. They could also turn off alerts and create conditions that prevent operators from properly monitoring tank fill levels, potentially increasing the risk of leaks or equipment failures.
The agencies urged organizations to block ATG systems from the internet, restrict remote access through firewalls, VPNs, or access control lists, replace default passwords, utilize strong credentials and multifactor authentication, apply security updates, and actively monitor systems for unauthorized changes.
Iranian hackers previously linked to similar activity
While the advisory does not attribute the activity to any specific threat actor, it follows CNN reporting in May that Iranian hackers were behind a series of breaches involving ATG systems at gas stations in multiple states.
According to CNN, the attackers exploited ATG systems that were connected to the internet and protected by weak or nonexistent passwords, allowing them to access and manipulate display readings. However, the attackers did not alter the actual fuel levels.
The incidents reportedly did not cause physical damage, but raised concerns that attackers could potentially interfere with leak detection and other safety-related functions.
CNN reported that Iran was the primary suspect because of its history of targeting fuel management systems and other industrial control technologies.
However, CNN reports that multiple sources briefed on the investigation said it may not be possible to attribute the activity to a specific attacker, as there was limited forensic evidence left behind in the attacks.
CISA and its partners said organizations operating ATG systems should review their exposure and implement recommended mitigations immediately to reduce the risk of compromise.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
