
Hackers Target Fuel Tank Monitoring Systems with Cyberattacks


"The recent malicious cyber activity observed by the authoring organizations—which the U.S. government has not yet attributed to a nation-state or threat actor group—involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution," the advisory states.

CISA, FBI, NSA, DOE and partners describe the target: internet-exposed ATG systems

The joint advisory from CISA, the FBI, the NSA, the Department of Energy and other U.S. government partners warns that attackers are targeting automatic tank gauge (ATG) systems that are exposed to the internet. These ATG systems remotely monitor fuel and liquid storage tank levels, temperatures and potential leaks and are commonly used across the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors.

Authentication bypass, hardcoded credentials, command-execution and SQL injection

The agencies say attackers have exploited a range of technical weaknesses to gain access. Enumerated techniques include authentication bypass vulnerabilities, hardcoded credentials, operating system command-execution flaws, SQL injection vulnerabilities and privilege-escalation weaknesses. Once an attacker gains access, the advisory states they can modify system settings through command execution.

What attackers can change: network settings, product identifiers, tank volumes, pump controls and alerts

According to the advisory, a successful compromise lets an attacker alter network settings, product identifiers, tank volumes and pump controls. The intruders can also turn off alerts and create conditions that prevent operators from properly monitoring tank fill levels. Those changes, the agencies warn, could increase the risk of leaks or equipment failures by degrading operators' visibility into tank status and safety functions.

CNN reporting on earlier incidents and the limits of attribution

The advisory does not attribute the activity to a specific nation-state or threat group. Separately, CNN reported in May that Iranian hackers were behind a series of breaches involving ATG systems at gas stations in multiple states. CNN said attackers exploited ATG systems that were connected to the internet and protected by weak or nonexistent passwords, allowing manipulation of display readings, although the reporters noted the attackers did not alter actual fuel levels and the incidents reportedly did not cause physical damage.

CNN also reported that Iran was the primary suspect because of a history of similar targeting, but multiple sources briefed on the investigation told CNN that it may not be possible to attribute the activity to a specific attacker due to limited forensic evidence left behind in the attacks.

Recommended mitigations and immediate steps urged by CISA and partners

  • Block ATG systems from the internet and restrict remote access using firewalls, VPNs or access control lists.
  • Replace default passwords, use strong credentials and enable multifactor authentication.
  • Apply security updates and actively monitor systems for unauthorized changes.

The agencies urged organizations operating ATG systems to review their exposure and implement these recommended mitigations immediately to reduce the risk of compromise.
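One way to act on the "monitor systems for unauthorized changes" step, shown as an added example that is not from the advisory or the original article: a field-level comparison of an ATG configuration snapshot against an approved baseline, triaged by the categories the advisory says an intruder can alter. The snapshot layout, section names and sample values are all assumptions constructed for illustration, not a vendor export format.

```python
# Added example: drift check for ATG config snapshots (layout and names are assumptions).

# Sections the advisory says an intruder can alter, with a triage severity.
WATCHED = {"alerts": "critical", "pump_controls": "critical",
           "tank_volumes": "high", "network": "high", "product_ids": "medium"}
ORDER = {"critical": 0, "high": 1, "medium": 2}
ABSENT = "<absent>"  # marker for a field that exists on only one side

# Constructed sample data: an approved baseline and a later poll of the device.
BASELINE = {
    "network": {"ip": "10.20.0.15", "gateway": "10.20.0.1"},
    "product_ids": ["UNLEADED", "DIESEL"],
    "tank_volumes": {"1": {"capacity_l": 40000}, "2": {"capacity_l": 30000}},
    "pump_controls": {"auto_shutoff": True},
    "alerts": {"overfill": True, "leak": True},
}
CURRENT = {
    "network": {"ip": "10.20.0.15", "gateway": "10.20.0.254"},
    "product_ids": ["UNLEADED", "PREMIUM"],
    "tank_volumes": {"1": {"capacity_l": 40000}, "2": {"capacity_l": 90000}},
    "pump_controls": {"auto_shutoff": True},
    "alerts": {"overfill": True},  # the "leak" alarm entry has disappeared
}

def flatten(node, prefix=""):
    """Flatten nested dicts/lists to {"a.b.0": value} for field-level diffs."""
    if not isinstance(node, (dict, list)):
        return {prefix: node}
    items = node.items() if isinstance(node, dict) else enumerate(node)
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def diff_snapshot(baseline, current):
    """Return (severity, path, before, after) for every drifted field, worst first."""
    old, new = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path, ABSENT), new.get(path, ABSENT)
        if before != after:
            # Sections outside WATCHED are still reported, at the lowest severity.
            severity = WATCHED.get(path.split(".", 1)[0], "medium")
            findings.append((severity, path, before, after))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))

if __name__ == "__main__":
    for severity, path, before, after in diff_snapshot(BASELINE, CURRENT):
        print(f"[{severity}] {path}: {before!r} -> {after!r}")
```

Removed fields are reported as well as changed ones, so an alarm entry that vanishes from the configuration surfaces as a critical finding rather than being silently ignored.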

What this means for security teams, fuel retailers, and regulators

  • Security teams: Prioritize scanning for internet-exposed ATG devices, check for hardcoded credentials or default passwords, and monitor for unexpected configuration changes that could indicate command execution.
  • Fuel retailers and site operators: Verify that ATG devices are not directly reachable from the internet, replace default credentials, enable recommended access controls, and confirm alarms and leak-detection functions are operating as expected.
  • Regulators and sector leads: Track implementation of network-segmentation and access-control mitigations across Energy, Transportation Systems, Chemical, and Food and Agriculture facilities, and consider whether guidance or compliance checks are needed to reduce exposure.

CISA and its partners have warned of a clear technical pathway for attackers and issued concrete steps to reduce risk. The agencies' advisory and the CNN reporting together show both the immediate vulnerabilities and the continuing uncertainty about who is responsible — and they leave a single operational prescription: review exposure, apply the mitigations the government has laid out, and monitor systems closely.

Source: https://www.bleepingcomputer.com/news/security/cisa-warns-of-cyberattacks-targeting-fuel-tank-monitoring-systems/