Multiple automatic tank gauge (ATG) systems monitoring fuel storage levels across the United States have been breached by hackers suspected of being tied to Iran, according to CNN reporting cited by The Jerusalem Post. The targeted devices were exposed to the public internet and lacked password protection, allowing intruders to manipulate display readings on fuel tanks. No physical damage or injuries have been reported, but officials warn the access could be used to suppress leak detection.
What Happened
Hackers accessed several internet-exposed ATG systems used to monitor fuel levels in storage tanks at US sites. The devices were online without authentication, giving attackers the ability to alter the values shown on tank displays. While the actual fuel levels inside the tanks were not modified and no physical harm was caused, officials and private experts cited by CNN cautioned that an attacker with this level of access could potentially disable or mask the detection of a gas leak. Sources stressed that the intruders left minimal forensic evidence, preventing a definitive attribution, but Iran is considered the prime suspect given a documented history of targeting this exact class of equipment.
What Was Taken
No data exfiltration has been reported in this incident. The activity centered on operational interference rather than theft: attackers gained the ability to alter ATG display readings, which could mislead operators about tank status. The compromise is significant not for what was stolen but for the manipulation capability obtained over safety-relevant industrial telemetry, including the theoretical ability to suppress leak alerts that protect personnel, property, and the environment.
Why It Matters
ATG systems sit at the intersection of safety and operations in fuel distribution, and Iran-linked actors have repeatedly singled them out as targets. The IRGC was identified in 2021 internal documents as having flagged ATGs for cyber operations, and a 2015 honeypot study confirmed pro-Iran groups actively scanning for exposed gauges. Since the October 7 attacks, IRGC-affiliated groups have struck US water utilities, oil and gas operators, and even disrupted shipping at medical device maker Stryker. The pattern suggests a sustained campaign to demonstrate reach into US critical infrastructure where operator security hygiene remains weak. A spoofed leak indicator, or a suppressed real one, could escalate from a nuisance defacement into a genuine safety event.
The Attack Technique
The intrusion path required little sophistication. The affected ATG devices were directly reachable from the internet and had no password protection, meaning attackers needed only to locate the exposed services and connect. This mirrors the long-running pattern of Iranian operations against US infrastructure: opportunistic targeting of exposed operational technology with default or absent credentials, rather than novel exploitation. The same tradecraft underpinned earlier IRGC-affiliated intrusions into US water systems, where attackers defaced HMI panels controlling water pressure equipment with anti-Israel messaging. The Handala Hack Team, an Iran-linked group most recently tied to the leak of FBI Director Kash Patel's personal Gmail, has been part of the broader ecosystem of actors operating in this space, though it is known to overstate the scope of its breaches.
What Organizations Should Do
- Inventory all ATG and fuel-monitoring devices and remove them from direct internet exposure; place them behind a VPN or jump host with strict ACLs.
- Enforce authentication on every gauge, controller, and management interface; eliminate default and blank passwords and rotate any shared credentials.
- Segment ATGs and related OT from corporate IT and from each other, so a single exposed device cannot pivot into safety or control systems.
- Monitor for unauthorized configuration or display-value changes on ATGs and alert on out-of-band modifications to leak-detection thresholds.
- Subscribe to CISA advisories on Iranian-aligned activity targeting US oil, gas, and water sectors, and apply the specific hardening guidance issued for Unitronics, Veeder-Root, and similar gauge product lines.
- Conduct tabletop exercises that assume an attacker has suppressed leak alarms, validating that physical inspection routines and secondary monitoring would still catch a real release.
Sources: Hackers breach US gas monitoring systems, officials suspect Iranian involvement | The Jerusalem Post