
US Gas Station Tank Gauge Systems Vulnerable to Ongoing Attacks

"The recent malicious cyber activity observed by the authoring organizations—which the U.S. government has not yet attributed to a nation-state or threat actor group—involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution," the joint advisory warned.

Joint advisory from CISA, the FBI, the NSA, and the Department of Energy

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, the Department of Energy, and other U.S. government partners issued a joint advisory urging critical infrastructure organizations to secure internet-exposed automatic tank gauge (ATG) systems. The advisory describes ongoing attacks in which threat actors compromise ATG devices and then modify them through command execution. It also warns that attackers can disable system alerts, raising the risk of undetected leaks, equipment failures, and permanent damage to tank systems.

Shadowserver scan: 1,061 hosts exposed, 909 in the United States

Internet security watchdog Shadowserver reported on 2026-06-05 that it had detected 1,061 IPs for ATG systems on port 10001/tcp after removing many apparent honeypots. Shadowserver said the vast majority—909 devices—were located in the United States. The group framed the discovery as an addition to its Accessible ICS reporting and explicitly noted the date and port: "1061 IPs seen on 2026-06-05 (on port 10001/tcp)." These counts underpin the federal advisory's urgency.

Observed techniques and vulnerabilities in ATG systems

The joint advisory lists multiple classes of flaws threat actors exploit: hardcoded credentials, authentication bypasses, SQL injection vulnerabilities, operating system command execution flaws, and privilege escalation weaknesses. After exploiting these issues, attackers have altered system settings and display readings. A separate May report referenced in the advisory described intrusions where attackers manipulated display readings after breaching devices that used weak or nonexistent passwords.

What this means for gas stations, industrial operators, and security teams

  • Gas stations and retail fuel sites: ATG systems commonly monitor pump fuel levels and automate environmental leak detection; compromised devices can mute alerts and falsify readings, increasing the chance that operators would miss leaks or equipment failures.
  • Industrial users and chemical handlers: ATGs also monitor storage tanks for chemicals and other liquids; attackers who change settings or disable alarms can interfere with inventory control and regulatory compliance functions that ATGs support.
  • Security teams and incident responders: The advisory and related reports show attackers exploiting common, well-known vulnerabilities—weak credentials and authentication flaws—underscoring the need for access controls, patching, and active monitoring to detect unauthorized changes.

CISA's mitigation recommendations and operational steps

The advisory and reporting converge on a short set of immediate actions for organizations that operate ATG devices exposed to the Internet. They are urged to:

  • Restrict remote access to ATG systems from the Internet and implement controlled access through firewalls, virtual private networks, or access control lists.
  • Replace default passwords with strong credentials and apply security updates to vulnerable devices.
  • Monitor systems for unauthorized changes and implement multi-factor authentication where possible.

Those recommendations echo the sequence of exploitation described in the advisory—if attackers gain entry via weak or default credentials or by exploiting known software flaws, restricting exposure and enforcing stronger authentication directly reduce the likely attack surface.
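One way to check that the access restriction actually holds is to audit firewall or flow logs for permitted connections to ATG hosts on 10001/tcp from sources outside the approved management networks. The following is an added example, not code from the advisory or from any vendor; the log format, the ATG host addresses, and the management network are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

ATG_PORT = 10001  # port named in the Shadowserver report (10001/tcp)

# Constructed sample flow records (assumed format): time src dst dport proto action
SAMPLE_LOG = """\
2026-06-05T02:11:09Z 10.20.0.15 10.50.1.20 10001 tcp allow
2026-06-05T02:14:41Z 203.0.113.77 10.50.1.20 10001 tcp allow
2026-06-05T02:14:43Z 203.0.113.77 10.50.1.20 10001 tcp allow
2026-06-05T02:20:00Z 198.51.100.9 10.50.1.21 10001 tcp deny
2026-06-05T02:21:30Z 198.51.100.9 10.50.1.20 443 tcp allow
malformed line without enough fields
"""


def audit_atg_access(log_text, atg_hosts, allowed_nets):
    """Find permitted tcp/10001 flows to ATG hosts from unapproved sources.

    Returns (violations, skipped): violations maps (src, dst) to a hit
    count; skipped counts lines that could not be parsed.
    """
    hosts = {ipaddress.ip_address(h) for h in atg_hosts}
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    violations = Counter()
    skipped = 0
    for line in log_text.splitlines():
        try:
            _ts, src, dst, dport, proto, action = line.split()
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            skipped += 1  # wrong field count or unparsable address/port
            continue
        if dst not in hosts or dport != ATG_PORT or proto != "tcp":
            continue  # not traffic to an ATG service
        if action != "allow":
            continue  # the ACL blocked it, so the restriction held
        if any(src in net for net in nets):
            continue  # approved management source
        violations[(str(src), str(dst))] += 1
    return dict(violations), skipped


if __name__ == "__main__":
    found, bad = audit_atg_access(
        SAMPLE_LOG, ["10.50.1.20", "10.50.1.21"], ["10.20.0.0/24"])
    for (src, dst), hits in found.items():
        print(f"ACL gap: {src} reached {dst}:{ATG_PORT} {hits} time(s)")
    print(f"unparsed lines: {bad}")
```

Any entry in the result means the ACL or VPN boundary let an unapproved source reach the gauge, which is the condition the first recommendation is meant to eliminate.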

Context from recent reporting and related advisories

CISA's warning follows a May CNN report that Iranian hackers had breached ATG systems connected to the Internet at multiple U.S. gas stations; that report linked Iranian groups to the incidents based on past targeting of fuel management and industrial control technologies. The U.S. agencies that authored the joint advisory, however, stated they have not attributed the recent malicious activity to any nation-state or named threat actor group. In April, another joint federal advisory linked Iranian state-backed hackers to attacks on Rockwell Automation/Allen-Bradley PLC devices since March 2026, which had caused financial losses and operational disruptions. Separately, cybersecurity firm Censys reported that 74.6% (3,891 hosts) of exposed industrial control systems found online globally were located in the United States.

The immediate record is stark: more than 1,000 ATG systems visible on the public Internet, hundreds of them in the United States, and federal partners warning that attackers are actively modifying devices in ways that can disable safety alerts. The practical response the advisory prescribes—remove Internet exposure, harden credentials, patch, and monitor—remains straightforward even as attribution questions persist.
