Full Report
CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors. [...]
Analysis Summary
# Incident Report: Compromise of Internet-Exposed Automatic Tank Gauge (ATG) Systems
## Executive Summary
Multiple US government agencies have identified ongoing malicious activity targeting internet-exposed Automatic Tank Gauge (ATG) systems across critical infrastructure sectors. Threat actors are exploiting vulnerabilities and weak authentication to gain unauthorized access, allowing them to modify system settings, pump controls, and alarm thresholds. While no physical damage has been confirmed to date, the activity poses a significant risk to the Energy, Transportation, and Chemical sectors by potentially masking leaks or causing equipment failure.
## Incident Details
- **Discovery Date:** Approximately May 2026 (via intelligence reporting)
- **Incident Date:** Ongoing (noted through June 2026)
- **Affected Organization:** Various (multiple gas stations and critical infrastructure facilities)
- **Sector:** Energy, Chemical, Food and Agriculture, Transportation Systems
- **Geography:** United States (Multiple states)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing/Continuous
- **Vector:** Exploitation of internet-exposed Industrial Control System (ICS) interfaces.
- **Details:** Attackers locate ATGs reachable from the public internet (typically the gauge's own management service rather than a web front end) and gain access through weak or default passwords or unpatched vulnerabilities in that interface.
### Lateral Movement
- **Details:** Specific lateral movement from ATG systems to broader corporate networks has not been explicitly detailed in the public advisory, though the risk of pivoting remains high once initial access is achieved.
### Data Exfiltration/Impact
- **Details:** Attackers have modified system settings, including product identifiers, tank volumes, and pump controls. There is evidence of display readings being manipulated and alerts being disabled to prevent operators from monitoring fuel levels accurately.
### Detection & Response
- **How it was discovered:** Government monitoring and intelligence reporting (CNN reported in May 2026 that US officials had internally attributed the activity to Iran).
- **Response actions taken:** CISA, FBI, NSA, and DOE issued a joint Cybersecurity Advisory (CSA) providing mitigation steps and urging the disconnection of these systems from the public internet.
## Attack Methodology
- **Initial Access:** Exploitation of authentication bypass flaws, hardcoded credentials, and SQL injection in internet-exposed interfaces.
- **Persistence:** Not explicitly detailed in the advisory; plausibly maintained by changing the device's own credentials or simply by re-exploiting an interface that remains exposed.
- **Privilege Escalation:** Exploitation of privilege-escalation weaknesses within the ATG software.
- **Defense Evasion:** Limited forensic evidence left behind; disabling of alerts and alarms to hide activities.
- **Credential Access:** Use of default or weak passwords; exploitation of hardcoded credentials.
- **Discovery:** Remote scanning for internet-exposed ATG ports/services.
- **Lateral Movement:** Potential for pivoting from the ATG to other industrial control systems or connected networks.
- **Collection:** Gathering of tank level data, temperature, and leak status.
- **Exfiltration:** Not the primary goal; focus is on command execution.
- **Impact:** Manipulation of tank volume readings, pump control, and disabling leak detection alerts.
## Impact Assessment
- **Financial:** Potential for significant loss if fuel leaks go undetected or if equipment is damaged via improper pump control.
- **Data Breach:** Compromise of operational data and system configuration settings.
- **Operational:** Disruption of fuel monitoring; risk of environmental hazards due to disabled leak detection.
- **Reputational:** Public concern regarding the security of fuel supply chains and critical infrastructure safety.
## Indicators of Compromise
- **Network indicators:** Connections to ATG management ports (e.g., TCP 10001, the serial-over-TCP service used by Veeder-Root TLS-series gauges) from sources outside the approved management or VPN address ranges, particularly foreign IP addresses. No specific attacker infrastructure is listed in the public advisory.
- **File indicators:** Not disclosed in the advisory; on-device evidence is more likely to take the form of unauthorized configuration changes than dropped files.
- **Behavioral indicators:** Unauthorized modification of tank or product labels, volume settings, or alarm thresholds, and audit-log entries recording alarms being disabled or suppressed.
## Response Actions
- **Containment measures:** Immediate removal of ATG systems from the public-facing internet.
- **Eradication steps:** Resetting all credentials, implementing MFA, and applying security patches for SQLi and command execution flaws.
- **Recovery actions:** Restoring system settings to known-good configurations and verifying sensor accuracy.
## Lessons Learned
- **Key takeaways:** Critical infrastructure components should never be directly reachable from the internet; remote access should go through a VPN or equivalent access control with strong authentication.
- **What could have been done better:** Earlier identification of internet-exposed legacy systems and enforcement of strong password policies across distributed geographic locations (e.g., individual gas stations).
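The remote scanning listed under Discovery and the lesson above about finding exposed legacy systems rely on the same fact: a Veeder-Root TLS-series gauge answers an unauthenticated in-tank inventory query (function `I20100`, sent as Ctrl-A plus the function code, reply terminated by Ctrl-C) on TCP 10001. The script below is an added example, not code from the advisory or from any vendor; it sends that query to a host and parses the reply so an operator can inventory their own sites before an attacker does. The sample reply, the host names and the column layout are constructed for illustration; real reports vary by model and firmware, which is why the parser keys on the report title and the trailing six numeric columns rather than fixed offsets.

```python
"""Probe a host for an internet-reachable ATG and parse its inventory reply.

Added example for this write-up, not from the advisory or a vendor. The
sample reply below is constructed; real column layouts vary by firmware.
"""
import socket

ATG_PORT = 10001
# Ctrl-A (SOH) starts a TLS-series command; the gauge ends its reply with Ctrl-C (ETX).
INVENTORY_CMD = b"\x01I20100\n"
END_OF_REPLY = b"\x03"
TLS_ERROR_REPLY = b"9999FF1B"  # generic "invalid command" reply from TLS-350 units

# Constructed sample of an I20100 report (station name and figures are made up).
SAMPLE_REPLY = (
    b"\x01I20100\r\n"
    b"JUN 10, 2026  3:42 AM\r\n\r\n"
    b"EXAMPLE FUEL STOP\r\n\r\n"
    b"IN-TANK INVENTORY\r\n\r\n"
    b"TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\r\n"
    b"  1  REGULAR               6450    6402     5550    42.21     0.00    66.00\r\n"
    b"  2  SUPER UNLEADED        3021    2998     8979    23.10     0.50    65.80\r\n"
    b"  3  DIESEL                8100    8055     3900    51.07     0.00    64.90\r\n"
    b"\x03"
)


def probe_atg(host, port=ATG_PORT, timeout=5.0):
    """Connect, send the inventory query and return the raw reply (b'' on silence)."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(INVENTORY_CMD)
        try:
            while END_OF_REPLY not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # a partial reply is still enough to fingerprint the device
    return buf


def is_atg_reply(raw):
    """True if the bytes look like a TLS gauge answered (report echo, title or error code)."""
    return (raw.startswith(b"\x01I20100")
            or b"IN-TANK INVENTORY" in raw
            or TLS_ERROR_REPLY in raw)


def parse_inventory(raw):
    """Extract tank rows from an I20100 report.

    A row is: tank number, product label (one or more words), then the six
    numeric columns VOLUME, TC VOLUME, ULLAGE, HEIGHT, WATER, TEMP. Anything
    before the 'IN-TANK INVENTORY' title (date, station header) is skipped.
    """
    text = raw.decode("ascii", errors="replace")
    tanks = []
    in_table = False
    for line in text.splitlines():
        if "IN-TANK INVENTORY" in line:
            in_table = True
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) < 8 or not parts[0].isdigit():
            continue  # header line, blank line, or trailer
        try:
            vals = [float(x) for x in parts[-6:]]
        except ValueError:
            continue
        tanks.append({
            "tank": int(parts[0]),
            "product": " ".join(parts[1:-6]),
            "volume": vals[0], "tc_volume": vals[1], "ullage": vals[2],
            "height": vals[3], "water": vals[4], "temp": vals[5],
        })
    return tanks


if __name__ == "__main__":
    import sys
    # Usage: python atg_probe.py <host>   (no argument parses the built-in sample)
    raw = probe_atg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    print("ATG reply:", is_atg_reply(raw))
    for t in parse_inventory(raw):
        print(f"tank {t['tank']:>2} {t['product']:<16} volume={t['volume']:.0f} water={t['water']:.2f}")
```

Run it only against hosts you own or are authorised to test; every site that answers from the public internet is one that should be moved behind the VPN described in the recommendations.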
## Recommendations
- **Network Security:** Place ATG systems behind a firewall and access them only via a secure VPN.
- **Identity Management:** Replace default manufacturer passwords immediately upon installation; implement Multifactor Authentication (MFA).
- **Vulnerability Management:** Regularly update ATG firmware to patch known SQL injection and command execution vulnerabilities.
- **Monitoring:** Enable audit logging on the ATG and review it regularly for unauthorized configuration changes (tank or product relabeling, volume or alarm threshold changes, alarms being disabled), and alert on connections to the ATG management port from outside the approved address ranges.
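The network indicator in the Indicators of Compromise section and the audit-log review in the Monitoring recommendation above can be turned into two small detections and then correlated, which is what the following added example does (it is not code from the advisory). The flow-log and ATG audit-log line formats, the allowlisted management ranges and every log line are constructed for illustration; a real deployment would read the equivalent fields from its firewall or NetFlow export and from the gauge's own audit report.

```python
"""Detect ATG-port access from non-allowlisted sources and suspicious ATG
configuration changes, then tie the two together in time.

Added example for this write-up. Log formats, address ranges and all sample
lines are constructed assumptions, not output of any real product.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

ATG_PORTS = {10001}  # Veeder-Root TLS serial-over-TCP; add other vendors' ports as needed
# Assumption: only the station LAN and the VPN concentrator may reach a gauge.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("192.168.50.0/24")]

# Constructed flow records: "<ts> <src> <dst> <proto> <dport> <bytes>"
FLOW_LOG = """\
2026-06-01T02:14:07Z 10.20.3.15 10.20.3.200 tcp 10001 412
2026-06-01T02:15:31Z 203.0.113.77 10.20.3.200 tcp 10001 88
2026-06-01T02:15:32Z 203.0.113.77 10.20.3.200 tcp 10001 1532
2026-06-01T02:16:02Z 192.168.50.9 10.20.3.200 tcp 10001 300
2026-06-01T02:17:45Z 198.51.100.4 10.20.3.200 tcp 443 900
2026-06-01T02:18:10Z 198.51.100.4 10.20.3.200 tcp 10001 62
"""

# Constructed ATG audit entries: "<ts> <user> <event text>"
AUDIT_LOG = """\
2026-06-01T02:15:40Z operator TANK 2 PRODUCT LABEL CHANGED DIESEL -> REGULAR
2026-06-01T02:15:55Z operator TANK 1 HIGH PRODUCT ALARM DISABLED
2026-06-01T02:16:10Z operator TANK 3 MAX VOLUME 9000 -> 12000
2026-06-01T06:00:00Z system  DAILY DELIVERY REPORT PRINTED
2026-06-01T08:30:12Z tech42 TANK 1 HIGH PRODUCT ALARM ENABLED
"""

# Event classes matching the behavioral indicators in the advisory summary.
SUSPICIOUS_EVENTS = [
    ("label_change", re.compile(r"PRODUCT LABEL CHANGED", re.I)),
    ("alarm_disabled", re.compile(r"ALARM DISABLED", re.I)),
    ("volume_threshold", re.compile(r"(MAX|FULL|HIGH) VOLUME .*->", re.I)),
]


def _ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the sample logs."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def unauthorized_atg_flows(flow_text, allowed=ALLOWED_SOURCES, ports=ATG_PORTS):
    """Return [(ts, src)] for TCP sessions to an ATG port from outside the allowlist."""
    flows = []
    for line in flow_text.splitlines():
        try:
            ts, src, _dst, proto, dport, _nbytes = line.split()
        except ValueError:
            continue  # malformed line
        if proto != "tcp" or int(dport) not in ports:
            continue
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            flows.append((ts, src))
    return flows


def unauthorized_atg_sources(flow_text, **kw):
    """Per-source hit counts, the form most useful for blocking and reporting."""
    return dict(Counter(src for _ts_, src in unauthorized_atg_flows(flow_text, **kw)))


def suspicious_config_changes(audit_text):
    """Return [(ts, user, event_class)] for audit entries matching the indicators."""
    findings = []
    for line in audit_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        ts, user, event = parts
        for name, pattern in SUSPICIOUS_EVENTS:
            if pattern.search(event):
                findings.append((ts, user, name))
                break
    return findings


def correlate(flows, findings, window=timedelta(minutes=15)):
    """Pair each config change with unauthorized ATG sessions in the preceding window."""
    paired = []
    for ts, _user, name in findings:
        t = _ts(ts)
        srcs = sorted({src for fts, src in flows
                       if 0 <= (t - _ts(fts)).total_seconds() <= window.total_seconds()})
        if srcs:
            paired.append((ts, name, srcs))
    return paired


if __name__ == "__main__":
    flows = unauthorized_atg_flows(FLOW_LOG)
    changes = suspicious_config_changes(AUDIT_LOG)
    print("unauthorized sources:", unauthorized_atg_sources(FLOW_LOG))
    for ts, name, srcs in correlate(flows, changes):
        print(f"{ts} {name} shortly after ATG-port access from {', '.join(srcs)}")
```

A change made by the local `operator` account minutes after a session from a non-allowlisted address is exactly the pattern the advisory describes (weak or shared credentials used over an exposed interface), so the correlated output, not either list on its own, is what should page the on-call engineer.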