Executive Summary
Recent cybersecurity investigations have uncovered a critical threat to US fuel infrastructure: over 900 Automatic Tank Gauge (ATG) systems, integral to fuel storage monitoring at gas stations and industrial sites, are exposed to the public internet and actively targeted by sophisticated threat actors. These attacks leverage a spectrum of severe vulnerabilities, including hardcoded credentials, authentication bypass, OS command injection, SQL injection, and privilege escalation. Notably, Iranian state-backed advanced persistent threat (APT) groups have been linked to several incidents, with exploitation confirmed in the wild. The compromise of these systems poses significant risks, including disruption of fuel supply, environmental hazards, and potential lateral movement into broader critical infrastructure networks. This advisory provides a comprehensive technical analysis, threat actor profiling, exploitation evidence, victimology, and actionable mitigation strategies.
Threat Actor Profile
The primary threat actors targeting exposed ATG systems are believed to be Iranian state-sponsored APT groups, as identified by joint advisories from CISA, FBI, and NSA, as well as independent research from organizations such as the Shadowserver Foundation and Bitsight. These groups have a documented history of targeting industrial control systems (ICS) and critical infrastructure, with a particular focus on the energy and transportation sectors. Their tactics, techniques, and procedures (TTPs) include reconnaissance via mass internet scanning, exploitation of default or hardcoded credentials, and leveraging unpatched vulnerabilities for initial access. Once inside, these actors demonstrate proficiency in disabling safety mechanisms, manipulating operational data, and establishing persistence for further exploitation or disruption. The targeting of ATGs aligns with broader Iranian objectives to undermine US critical infrastructure resilience and create strategic leverage.
Technical Analysis of Malware/TTPs
The technical landscape of these attacks is characterized by exploitation of multiple high-severity vulnerabilities across several ATG product lines. The most commonly targeted devices include the Dover Fueling Solutions ProGauge MAGLINK LX Console, Maglink LX4, OPW SiteSentinel, Proteus OEL80000, Alisonic Sibylla, and Franklin TS-550 EVO. Vulnerabilities exploited include OS command injection (CWE-78), hardcoded credentials (CWE-798), authentication bypass (CWE-287), SQL injection (CWE-89), cross-site scripting (CWE-79), privilege escalation (CWE-269), and arbitrary file read (CWE-22). Many of these vulnerabilities are assigned critical CVSS scores, with several rated at 9.8 or higher.
Attackers typically initiate campaigns by scanning for internet-exposed ATGs, most frequently accessible via TCP port 10001. Exploitation often begins with the use of default or hardcoded credentials, which are widely published in vendor documentation and advisories. Where authentication is bypassed, attackers leverage command injection or SQL injection flaws to gain privileged access, execute arbitrary commands, and manipulate device configurations. Post-exploitation activities include disabling safety and leak detection alerts, altering tank readings, and pivoting to adjacent network assets. The MITRE ATT&CK for ICS framework maps these activities to techniques such as T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1040 (Network Sniffing), and T1068 (Exploitation for Privilege Escalation).
Exploitation in the Wild
Multiple sources confirm active exploitation of exposed ATG systems in the US. The Shadowserver Foundation has identified over 1,000 internet-accessible ATGs globally, with 909 located in the United States. Real-world incidents include breaches reported by CNN in May 2026, where Iranian hackers manipulated display readings at several US gas stations, though fuel levels were not directly altered. CISA, FBI, and NSA joint advisories from June 2026 highlight ongoing campaigns targeting these devices, urging immediate remediation. Attackers have demonstrated the ability to disable critical safety alerts, potentially masking leaks or overfills, and to manipulate inventory data, which could disrupt fuel supply chains or facilitate further attacks on connected systems.
Victimology and Targeting
The primary victims of these attacks are organizations operating in the energy, transportation, and critical infrastructure sectors, with a focus on gas stations, chemical storage facilities, and industrial fuel depots. The geographic concentration is overwhelmingly in the United States, as evidenced by the distribution of exposed ATGs identified by Shadowserver and corroborated by CISA advisories. Victims range from small, independently operated gas stations to large national fuel retailers and logistics providers. The targeting pattern suggests a strategic intent to disrupt fuel distribution and create cascading effects across dependent sectors, including emergency services, transportation, and supply chain logistics.
Mitigation and Countermeasures
To mitigate the risk posed by exposed ATG systems, organizations must implement a multi-layered defense strategy. First, all ATGs should be removed from direct internet exposure; network segmentation, firewalls, and VPNs or access control lists should be employed to restrict remote access. Default and hardcoded credentials must be changed immediately, following vendor-specific guidance. All available firmware and software updates should be applied in accordance with the latest advisories from Dover Fueling Solutions, OPW, Franklin Fueling Systems, and other affected vendors. Continuous monitoring for unauthorized configuration changes, alert disablement, or anomalous system behavior is essential; organizations should enable logging and real-time alerting where possible. Where supported, multi-factor authentication should be enforced for all remote access to ATG management interfaces. Incident response plans should be updated to include scenarios involving ICS compromise, and staff should be trained to recognize and report suspicious activity.
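The monitoring recommended above can be reduced to a few concrete checks tied to the attack chain in this advisory: logins and configuration changes from outside the management network, alert disablement, and implausible jumps in tank readings. The following script is an added example, not part of this advisory or any vendor's software; its log format, management subnet and level-jump threshold are constructed assumptions.

```python
"""Flag ATG events matching the attack chain above (constructed log format, not a vendor's)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log: "<timestamp> <source ip> <event> key=value ...".
# 203.0.113.44 is a documentation address standing in for an external peer.
SAMPLE_LOG = """\
2024-09-25T10:00:01 10.20.30.5 LOGIN user=admin result=ok
2024-09-25T10:05:12 10.20.30.5 READING tank=1 level=5800.0
2024-09-25T10:20:41 203.0.113.44 LOGIN user=admin result=ok
2024-09-25T10:21:03 203.0.113.44 CONFIG alert=leak_detect state=off
2024-09-25T10:21:30 203.0.113.44 READING tank=1 level=8900.0
"""

MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # assumed management subnet
MAX_LEVEL_JUMP = 1000.0  # assumed per-site threshold, in gallons
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


@dataclass
class Finding:
    ts: str
    src: str
    reason: str


def analyze(log_text: str) -> list:
    """Return one Finding per suspicious event, in log order."""
    findings = []
    last_level = {}  # tank id -> last reported level
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        ts, src, event, detail = m.groups()
        kv = dict(item.split("=", 1) for item in detail.split())
        outside = not any(ipaddress.ip_address(src) in n for n in MGMT_NETS)
        if event in ("LOGIN", "CONFIG") and outside:
            findings.append(Finding(ts, src, f"{event} from outside management network"))
        if event == "CONFIG" and "alert" in kv and kv.get("state") == "off":
            findings.append(Finding(ts, src, f"alert {kv['alert']} disabled"))
        if event == "READING":
            tank, level = kv["tank"], float(kv["level"])
            prev = last_level.get(tank)
            if prev is not None and abs(level - prev) > MAX_LEVEL_JUMP:
                findings.append(Finding(ts, src, f"tank {tank} level jumped {prev:.0f} -> {level:.0f}"))
            last_level[tank] = level
    return findings
```

Feed it the device's real audit log once the parser is adapted to the vendor's format; each Finding is a candidate alert for the SOC, with the external-source findings being the ones to act on first.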
References
BleepingComputer: Over 900 US gas station tank gauge systems exposed to attacks
Bitsight: Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
CISA ICS Advisories: Dover Fueling Solutions ProGauge MAGLINK LX Console (ICSA-24-268-04); Alisonic Sibylla (ICSA-24-268-02); Franklin Fueling Systems TS-550 EVO (ICSA-24-268-03); OPW Fuel Management Systems SiteSentinel (ICSA-24-268-01); OMNTEC Proteus Tank Monitoring (ICSA-24-268-06)
Shadowserver Foundation: ICS Accessible Reporting
University of Hawaii West Oahu Cyber Blog: Critical Vulnerabilities Uncovered in Automatic Tank Gauges
MITRE ATT&CK for ICS: ICS Matrix
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain and critical infrastructure. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to provide actionable insights and enhance organizational resilience. For further information or to discuss how Rescana can support your cybersecurity objectives, we are happy to answer questions at ops@rescana.com.