
Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive
Security experts have long warned that insecure automatic tank gauge (ATG) systems exposed on the Internet can be tampered with by threat actors.
Elizabeth Montalbano, Contributing Writer
May 18, 2026

Iranian hackers reportedly breached systems that monitor fuel levels in storage tanks serving gas stations around the US, demonstrating yet again the changing nature of modern warfare and Iran's cyber reach beyond its active military engagement with the US and Israel.

Threat actors from Iran allegedly exploited automatic tank gauge (ATG) systems that were exposed online and lacked password protections, according to a report published by CNN Friday that cited sources familiar with the incident.
Attackers managed to change display readings on the tanks but not the actual levels of fuel in them, according to the report.

For more than a decade, security experts have warned about the risks posed by insecure ATG systems that can be hacked or tampered with by threat actors. Last year, an RSAC Conference 2025 session detailed how an attack on such systems by a skilled threat actor could trigger cascading effects leading to a disruption of critical infrastructure.

Iran is the suspected perpetrator of the recent attacks due to its history of targeting gas tank systems, though lack of forensic evidence makes it difficult to identify the attacker with certainty, according to the report. It also makes sense that Iran would be the culprit, given that it's currently engaged in an ongoing conflict with the US and Israel that has resulted in the closure of the Strait of Hormuz — a critical waterway for the transport of oil in the region. Though active military engagement is on pause for now due to a shaky ceasefire, oil prices remain volatile and higher than usual — which, in turn, has caused the price of fuel to rise worldwide, creating disruption for industries and citizens alike.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of reports of malicious cyber activity targeting U.S.-based automated tank gauge (ATG) systems across multiple critical infrastructure sectors, CISA Acting Director Nick Andersen tells Dark Reading, though the agency did not confirm if Iran was behind the attacks.

CISA is encouraging all organizations using ATG systems to take steps to protect them, including ensuring the systems are not exposed to the Internet, implementing strong passwords, and auditing and monitoring logs, he says.
"As always, CISA stands ready to provide voluntary support and cybersecurity to aid organizations in responding to and recovering from incidents," Andersen says.

No Damage from ATG Compromises for Now

At this point, there appears to be no significant disruption to fuel-related critical infrastructure in the US due to the attack. However, the incident is a clear example of "how geopolitical conflict no longer stays confined to traditional battlefields," Louis Eichenbaum, federal chief technology officer (CTO) at security firm ColorTokens, tells Dark Reading via email.

Indeed, critical infrastructure already has been both target and pawn in the kinetic war; both Iranian and US/Israeli forces have either targeted or threatened to destroy critical infrastructure in rival countries via cyber or bombing attacks, or both. Last month, the US government warned that Iran-affiliated threat actors were disrupting US critical infrastructure through attacks on Internet-exposed operational technology (OT) devices across various sectors. President Trump, meanwhile, has repeatedly threatened to destroy power plants and other infrastructure in Iran if its leaders didn't capitulate to US demands.

While neither side has dealt a massive blow yet, even a seemingly "minor" incident like the one reported last week "can send a strategic message: we can reach into your communities and affect daily life," Eichenbaum says.

Cyberattacks in general have become commonplace as part of modern military conflict over the past two decades, so the report of the fuel tank-monitor attack is "nothing new to see," says John Gallagher, vice president of Viakoo Labs at Viakoo.

Since the beginning of the current conflict — which started on Feb. 28 when the US and Israel bombed Iran — analysts have predicted that Iran would use cyber capabilities against its adversaries, given that it can't evenly match them militarily. As if on cue soon after the war started, Iranian threat groups and other supporters launched a barrage of cyberattacks to support the country's military effort.

"Iranian-affiliated actors have shown they can exploit exposed, poorly secured OT systems and use them for disruption, intimidation, and strategic signaling," Eichenbaum says.

Be Prepared for Anything

What this means is that US critical infrastructure providers need to be prepared to defend against even unsophisticated attacks that target what may seem like insignificant weaknesses, Eichenbaum says.

"The most urgent risk is often basic exposure: Internet-facing OT, weak access controls, flat networks, poor visibility, and limited segmentation," he tells Dark Reading. "Strategic defense must focus on resilience, containment, and reducing blast radius."

That picture can be helpful in mitigating impact, which can be far greater than that on the physical battlefield and extend well beyond the region where the military conflict is taking place. In critical infrastructure attacks, the stakeholders are, "in theory, everyone," observes Gallagher, who cited the Colonial Pipeline incident as an example of how such an attack can have a ripple effect across large swathes of the population. That attack in May 2021 triggered a fuel shortage and price hikes that prompted four US states along the East Coast to declare a state of emergency.

To minimize these disruptive scenarios, critical infrastructure defenders need structured policies that are audited and automated solutions that ensure compliance, similar to how enterprise organizations handle matters of security, he says.
In fact, he adds, in the future, "we will likely see OT and IoT systems governed within organizations no differently than IT cybersecurity is."

This article was updated at 7:00 a.m. ET on May 19 to reflect comments from CISA Acting Director Nick Andersen.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
📰Originally published at darkreading.com
Staff Writer