Hackers linked to Iran may be responsible for a number of breaches of computer systems monitoring fuel at gas stations across the U.S., officials were reported to have told CNN on Friday.
Read more Michigan Lands Commitment From Son of Former Heisman Trophy Winner
The hackers had exploited unprotected automatic tank gauge (ATG) systems, the officials told the outlet, in what would be the latest instance of suspected Iranian efforts to target critical U.S. infrastructure, in this case, a resource which has been greatly impacted by the conflict between the two countries.
While officials report no physical damage or altered fuel levels so far, the breach exposes a major vulnerability—the potential for fuel leaks to go completely undetected.
Newsweek reached out to the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for comment via email Friday afternoon.
Automatic Tank Gauges Hacked: What to Know
Officials briefed on the matter told CNN they suspected Iranian nationals were behind multiple breaches of the devices which are online but not password protected. Hackers were able, in some cases, to tamper with display readings.
Vulnerabilities with ATGs have been reported in the past.
In September 2024, Bitsight TRACE, a cyber risk intelligence platform, found multiple, critical vulnerabilities across different products from various manufacturers, with a report stating, “These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses”.
In 2021, a Sky News report highlighted that the Islamic Revolutionary Guard Corps (IRGC) had singled out ATGs as potential targets for cyber-attacks on gas stations.
Why ATGs Are a Critical Target
An ATG does more than just measure how much gas is left in a vendor’s tank. If an adversary gains control of one, the risks escalate quickly and can include:
- Blinded Leak Detection: A station could spill thousands of gallons of hazardous fuel into local water supplies without triggering an alarm.
- Economic Sabotage: Hackers could spoof inventory levels, tricking distributors into stopping fuel deliveries and creating artificial shortages.
How to Secure ATG Systems
To secure ATG systems against malicious exploitation, CISA and federal partners advise the following actions:
- Secure Internet Connection: Disconnect the ATG from the public internet entirely. If remote access or polling is required, place the device behind a secure VPN gateway.
- Update Passwords: Replace any factory-default passwords with long, unique, and complex credentials.
- Create a Firewall: Place industrial firewalls in front of ATG systems to filter unauthorized access and restrict incoming connections.
- Make Sure Networks Are Segmented: Ensure back-office and Point-of-Sale (POS) networks are properly segmented from OT assets so a breach in one system does not compromise the fuel tanks.
- Prepare for Manual Operations: Have manual gauging and control procedures ready to deploy in the event of a network outage or cyber incident.
Iran’s History of Targeting U.S. Infrastructure
Iran has a long and evolving history of targeting U.S. infrastructure, primarily through cyber operations that experts say are designed to exploit vulnerabilities in critical systems such as banking networks, water utilities, and industrial control systems.
Read more High School Student May Be Infected With Hantavirus in New York
U.S. officials and analysts broadly agree these activities are often carried out by groups linked to the IRGC, which uses cyber tools as a relatively low-cost, deniable way to project power against a more technologically advanced adversary.
Iranian-linked actors have repeatedly targeted sectors including energy, government, healthcare, and financial services, reflecting a strategy that blends disruption, espionage, and deterrence.
One of the earliest high-profile incidents came between 2011 and 2013, when Iranian hackers launched a sustained campaign of distributed denial-of-service (DDoS) attacks against nearly 50 U.S. financial institutions, periodically knocking bank websites offline and costing tens of millions of dollars in remediation.
During the same period, an Iranian hacker infiltrated the control system of the Bowman Avenue Dam in Rye Brook, New York, gaining access to sensitive operational data in what U.S. prosecutors later described as a troubling test case for potential attacks on physical infrastructure. While no damage was ultimately done, the breach underscored how relatively unsophisticated intrusions could still expose critical systems to foreign adversaries.
Analysts often trace Iran’s more aggressive cyber posture to the discovery of the Stuxnet virus in 2010, a sophisticated cyberweapon widely attributed to the U.S. and Israel that damaged Iran’s nuclear facilities. In the years since, Tehran has invested heavily in cyber capabilities, shifting from basic website defacements and data theft toward more advanced operations involving destructive malware and attempts to manipulate industrial control systems.
These tools are specifically designed to target the types of programmable logic controllers and Supervisory Control and Data Acquisition (SCADA) systems that underpin modern infrastructure, raising concerns about potential real-world impacts.
More recently, U.S. agencies have warned Iran-linked cyber actors are actively probing and, in some cases, disrupting American infrastructure, including water systems, energy networks, and local government operations. A joint advisory last month said hackers had exploited industrial control devices to cause operational disruption and financial losses across multiple sectors, marking what officials described as an escalation in tactics.
Experts say the pattern reflects a broader Iranian doctrine: using cyber operations to signal capability and retaliate against geopolitical pressure, while stopping short of large-scale attacks that could trigger a direct military response.
What Happens Next
Investigations remained ongoing Friday, but officials told CNN that it may not be possible to fully determine whether Iran, or another country, was responsible for the hacking due to the lack of forensic evidence left behind.
Read more Deion Sanders Sends Strong Message About Browns GM Andrew Berry
