Executive Summary
In May 2026, multiple US gas stations experienced cyber intrusions targeting their Automatic Tank Gauge (ATG) systems, which are responsible for monitoring fuel levels in storage tanks. Attackers exploited ATG systems that were exposed to the internet without password protection, allowing them to manipulate display readings but not the actual fuel levels. While no physical damage or data theft was reported, the breaches raised significant safety concerns, particularly the risk that a real gas leak could be concealed from operators. The attacks are part of a broader trend of Iranian cyber activity targeting US critical infrastructure, especially since the escalation of US-Israeli hostilities in late February 2026. Attribution to Iranian actors is based on historical targeting patterns and tactics, techniques, and procedures (TTPs), though definitive technical evidence is lacking. The incident highlights persistent vulnerabilities in operational technology (OT) systems within the oil and gas sector and underscores the need for urgent security improvements.
Technical Information
The attackers gained unauthorized access to ATG systems by exploiting two primary weaknesses: internet exposure and lack of authentication. ATGs are specialized OT devices used to monitor fuel levels, temperature, and other parameters in underground storage tanks at gas stations. Many of these systems were accessible over the internet without any password protection, making them susceptible to remote exploitation.
Once inside, attackers manipulated the display readings on the ATG interfaces. This manipulation did not affect the actual fuel levels or physical operation of the tanks, but it introduced the risk that a genuine gas leak or other hazardous condition could be masked from operators. The ability to alter displayed data without changing underlying physical states is a classic example of process manipulation in industrial control systems (ICS).
No evidence of malware deployment or use of custom hacking tools was found in this incident. The attack relied solely on exploiting weak security configurations—specifically, the absence of authentication and the presence of internet-facing interfaces. This approach aligns with known Iranian threat actor behavior, which often targets "low-hanging fruit" in US critical infrastructure by scanning for exposed OT assets and leveraging weak remote access controls.
The technical weaknesses exploited in this incident map to several MITRE ATT&CK techniques for both enterprise and ICS environments. These include T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), T1078 (Valid Accounts, in cases of weak or default credentials), and T0832 (Manipulation of Control in ICS). The attackers' ability to manipulate display data without detection also raises concerns about potential use of T0814 (Indicator Removal on Host), though this was not confirmed in the available evidence.
Historically, Iranian cyber operations have targeted a range of US critical infrastructure sectors, including water utilities, energy assets, and industrial control systems. The Islamic Revolutionary Guard Corps (IRGC) and affiliated groups have previously identified ATGs as potential targets for disruptive cyberattacks, as documented in a 2021 Sky News report and corroborated by US government and private sector analyses. The current campaign fits a broader pattern of Iranian activity that seeks to cause operational disruption, erode public confidence, and create economic stress.
Sector-specific impacts of this incident include heightened operational risk for the oil and gas sector, potential for supply chain disruption, and increased public anxiety over the safety and reliability of fuel infrastructure. The breaches also serve as a warning to other critical infrastructure operators about the dangers of exposed OT systems and the importance of robust authentication and network segmentation.
Attribution to Iranian actors is supported by the consistency of TTPs, sector targeting, and the timing of increased Iranian cyber activity following the escalation of US-Israeli hostilities in February 2026. However, the lack of direct forensic evidence—such as malware samples, unique infrastructure, or code artifacts—limits the confidence of attribution to a medium level.
Affected Versions & Timeline
The affected systems were Automatic Tank Gauge (ATG) devices deployed at gas stations across multiple US states. The breaches specifically targeted ATGs that were accessible via the internet and lacked password protection or other forms of authentication. No specific vendor or model information was disclosed in the available sources.
The timeline of the incident is as follows: attacks were detected and reported in May 2026, with related Iranian cyber activity noted as increasing since late February 2026, coinciding with the onset of the US-Israeli war on Iran. This period has seen a broader uptick in Iranian cyber operations against US critical infrastructure, as documented by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) and other agencies.
Threat Activity
The threat activity observed in this incident is characterized by opportunistic exploitation of exposed OT systems, specifically ATGs at gas stations. Attackers scanned for internet-facing ATG interfaces, identified those lacking authentication, and accessed the systems remotely. Once inside, they manipulated display readings, potentially masking hazardous conditions such as gas leaks.
This activity is consistent with known Iranian cyber operations, which have historically targeted US oil and gas infrastructure, water utilities, and other critical sectors. The use of simple, direct exploitation rather than sophisticated malware or custom tools reflects a focus on exploiting basic security lapses rather than developing advanced capabilities.
The broader context includes a significant increase in Iranian cyber activity since the escalation of US-Israeli hostilities in early 2026. Iranian actors have demonstrated a willingness to target critical infrastructure for both disruptive and psychological impact, aiming to erode public confidence and create operational stress. The lack of forensic evidence in this case is typical of Iranian operations, which often use proxy groups and avoid leaving digital footprints that could enable definitive attribution.
Mitigation & Workarounds
The following mitigation actions are prioritized by severity:
Critical: Immediately audit all ATG and other OT systems for internet exposure. Remove direct internet access wherever possible and place these systems behind firewalls or within segmented networks.
Critical: Enforce strong authentication on all remote access points to OT systems, including the use of complex, unique passwords and, where feasible, multi-factor authentication.
High: Conduct a comprehensive review of all OT assets for weak or default credentials. Change all default passwords and disable unused accounts.
High: Implement continuous monitoring and logging of access to OT systems. Ensure that logs are protected from tampering and regularly reviewed for signs of unauthorized access or manipulation.
Medium: Provide targeted security awareness training for operators and administrators of OT systems, emphasizing the risks of exposed interfaces and weak authentication.
Medium: Develop and regularly test incident response plans specific to OT environments, including scenarios involving manipulation of display data and potential masking of hazardous conditions.
Low: Engage with sector-specific Information Sharing and Analysis Centers (ISACs) and government agencies such as the NJCCIC for timely threat intelligence and best practices.
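The monitoring and incident-response items above (logging of remote access, and detecting manipulation of displayed readings) can be exercised against an access log. The following is an added example, not code or a log format from Rescana or from any ATG vendor: it assumes a hypothetical CSV export with one line per gauge event (timestamp, source IP, action, tank number, reported level in gallons, metered volume dispensed since the previous record) and an assumed allowlisted OT management subnet. It flags three things the report describes: remote access from outside the management network, write commands that change the displayed level, and a reported level that no longer reconciles with what the dispensers metered, which is the signature of a display being altered while the physical tank is unchanged.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: only this subnet may reach the ATG management interface.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
# Allowed drift between reported level and dispensed volume (gallons).
TOLERANCE_GAL = 25.0

@dataclass
class Event:
    ts: str
    src: str
    action: str       # "poll", "set_level" (display write) or "delivery"
    tank: int
    level_gal: float  # level reported by the gauge
    dispensed_gal: float  # metered by dispensers since previous record

def parse_line(line: str) -> Event:
    ts, src, action, tank, level, dispensed = line.strip().split(",")
    return Event(ts, src, action, int(tank), float(level), float(dispensed))

def find_alerts(lines):
    """Return (timestamp, alert_type, detail) tuples for suspicious events."""
    alerts, last_level = [], {}
    for e in map(parse_line, lines):
        if ipaddress.ip_address(e.src) not in MGMT_NET:
            alerts.append((e.ts, "external-access", e.src))
        if e.action == "set_level":
            alerts.append((e.ts, "display-write", e.tank))
        if e.action == "delivery":
            last_level[e.tank] = e.level_gal  # tank refilled; reset baseline
            continue
        if e.tank in last_level:
            expected = last_level[e.tank] - e.dispensed_gal
            if abs(e.level_gal - expected) > TOLERANCE_GAL:
                alerts.append((e.ts, "reading-mismatch", e.tank))
        last_level[e.tank] = e.level_gal
    return alerts

# Constructed sample log: a poll, normal dispensing, a level write from an
# internet address, then a poll whose level ignores 150 gal of sales.
SAMPLE_LOG = [
    "2026-05-10T08:00:00Z,10.20.0.15,poll,1,8000.0,0.0",
    "2026-05-10T09:00:00Z,10.20.0.15,poll,1,7900.0,100.0",
    "2026-05-10T10:00:00Z,203.0.113.7,set_level,1,7900.0,0.0",
    "2026-05-10T11:00:00Z,10.20.0.15,poll,1,7900.0,150.0",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```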
References
CNN, May 15, 2026: https://www.cnn.com/2026/05/15/politics/iran-hackers-tank-readers-gas-stations
Hindustan Times, May 16, 2026: https://www.hindustantimes.com/world-news/us-news/is-iran-hacking-us-fuel-systems-cyber-breaches-hit-gas-station-tank-monitors-across-states-says-report-101778914916033.html
NJCCIC, June 2026: https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/iran-cyber-threat-operations
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their supply chain and critical infrastructure environments. Our platform enables continuous discovery of exposed assets, assessment of authentication practices, and monitoring for changes in the security posture of operational technology (OT) systems. For questions about this report or to discuss how Rescana can support your OT risk management efforts, please contact us at ops@rescana.com.