US officials suspect Iranian hackers are behind a series of intrusions targeting automatic tank gauge (ATG) systems that monitor fuel storage at gas stations across multiple US states, according to multiple sources briefed on the activity. The breaches exploited internet-exposed ATGs left unprotected by passwords, in some cases allowing attackers to tamper with display readings on the tanks.
What Happened
Hackers compromised ATG systems serving gas stations in multiple states by accessing devices that were sitting online without authentication. Sources briefed on the investigation told CNN the intruders were able to manipulate gauge display readings, though they did not alter the actual fuel levels inside the tanks. No physical damage or harm has been reported. US officials suspect Iran based on Tehran's documented history of targeting fuel monitoring systems, but caution that attribution may never be definitive due to a lack of forensic evidence left behind by the attackers. CISA has been asked for comment; the FBI declined to comment.
What Was Taken
This was not a data theft operation. The activity centered on operational technology access and manipulation rather than exfiltration. Attackers gained read and write access to ATG display data at affected stations, giving them visibility into fuel inventory readings and the ability to alter what station operators see on their monitoring panels. No personally identifiable information, payment data, or corporate records were reported as compromised in this campaign.
Why It Matters
ATGs are a soft underbelly of US critical infrastructure: small, embedded, often forgotten devices that nevertheless feed safety-critical decisions. A manipulated gauge reading could, in theory, allow a gas leak to go undetected, creating both an environmental and life-safety hazard. The campaign also fits a broader pattern. After Hamas attacked Israel on October 7, 2023, hackers affiliated with Iran's Islamic Revolutionary Guard Corps defaced US water utility equipment with anti-Israel messaging. With active US and Israeli military operations against Iran, Tehran-linked groups are again reaching into US homeland infrastructure that sits outside the range of conventional Iranian weapons. The political backdrop is also sensitive: 75 percent of US adults in a recent CNN poll said the Iran war had hurt their finances, much of it through elevated gas prices.
The Attack Technique
The intrusions did not require sophisticated tradecraft. ATG consoles, commonly Veeder-Root TLS-series and similar devices, expose a serial-over-TCP management interface (historically TCP/10001) that is frequently reachable from the public internet at small retail fuel sites. Many deployments ship without password protection enabled, and operators routinely leave them in that default state. Security researchers, including Trend Micro in a 2015 honeypot study, have warned for more than a decade that internet-facing ATGs are trivially discoverable through tools like Shodan and Censys. The current campaign appears to follow that same low-effort playbook: scan, identify exposed consoles, issue commands to read or alter gauge displays.
What Organizations Should Do
- Inventory all ATG consoles and confirm none are directly reachable from the public internet; place them behind a firewall or cellular gateway with strict allowlisting.
- Enable the device security code or password on every ATG console, replacing any default or blank credential, and rotate it on a defined schedule.
- Segment fuel site OT networks from corporate IT and from guest or payment networks, and block outbound traffic from ATGs except to known management destinations.
- Monitor for anomalous serial commands and display-value changes; alert on any discrepancy between gauge readings and expected inventory drawdown.
- Search external attack surface management or Shodan exports for your owned IP space on TCP/10001 and related ATG ports, and remediate any exposure found.
- Coordinate with site operators and fuel distributors to validate that physical leak detection and overfill prevention remain functional independent of the ATG display, so a manipulated readout cannot mask a real spill.
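
The discrepancy alert recommended in the monitoring item above, written as an added Python example (not code from the original report or from any ATG vendor). The record layout, litre units, tolerance values and sample data are assumptions constructed for illustration; it flags both a gauge that disagrees with deliveries minus sales and a reading that jumps between intervals.

```python
from dataclasses import dataclass

@dataclass
class Interval:
    site: str
    start_l: float       # gauge volume at interval start (litres, assumed unit)
    end_l: float         # gauge volume at interval end
    sales_l: float       # dispensed volume from point-of-sale records
    deliveries_l: float  # delivered volume from delivery tickets

def reconcile(intervals, abs_tol_l=200.0, rel_tol=0.01, gap_tol_l=50.0):
    """Compare gauge movement with the book (deliveries minus sales).

    Returns (site, index, kind, variance_litres) tuples. Tolerances are
    assumed values; tune them to tank size and meter accuracy.
    """
    alerts = []
    last_end = {}  # site -> previous interval's end reading
    for i, iv in enumerate(intervals):
        # A reading that jumps between intervals changed outside any
        # recorded sale or delivery.
        prev = last_end.get(iv.site)
        if prev is not None and abs(iv.start_l - prev) > gap_tol_l:
            alerts.append((iv.site, i, "gauge_discontinuity",
                           round(iv.start_l - prev, 1)))
        last_end[iv.site] = iv.end_l

        expected_end = iv.start_l + iv.deliveries_l - iv.sales_l
        variance = iv.end_l - expected_end
        # Allow a fixed floor or a fraction of throughput, whichever is larger.
        tolerance = max(abs_tol_l, rel_tol * (iv.sales_l + iv.deliveries_l))
        if abs(variance) > tolerance:
            kind = "gauge_over_book" if variance > 0 else "gauge_under_book"
            alerts.append((iv.site, i, kind, round(variance, 1)))
    return alerts

# Constructed sample data: three daily intervals for one hypothetical site.
SAMPLE = [
    Interval("site-A", 30000.0, 26050.0, 4000.0, 0.0),      # within tolerance
    Interval("site-A", 26050.0, 41900.0, 4100.0, 20000.0),  # delivery day, ok
    Interval("site-A", 45000.0, 42000.0, 3900.0, 0.0),      # reading jumped
]

if __name__ == "__main__":
    for alert in reconcile(SAMPLE):
        print(alert)
```

Because the sales and delivery figures come from systems other than the ATG, a changed display value shows up as variance even when the console itself logs nothing.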