More than 900 US automatic tank gauge systems exposed to attacks

More than 900 automatic tank gauge (ATG) systems across the United States, used to monitor oil and chemical storage tanks in various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks.
ATG systems are electronic monitoring devices used for remote tracking of fuel, chemicals, or other liquids in storage tanks, automated inventory control, environmental leak detection, and regulatory compliance. Although they are often used at gas stations to monitor fuel tank levels, they can also be found in industrial settings to monitor chemical storage tanks.
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, the Department of Energy, and other US government partners issued a joint warning to critical infrastructure organizations to protect cyber-exposed ATG systems against ongoing attacks.

Government agencies have warned that threat actors are targeting such devices to change system settings in command execution attacks after exploiting various security flaws, including hard-coded credentials, authentication bypasses, SQL injection vulnerabilities, OS command execution errors, and privilege escalation vulnerabilities.
“The latest malicious cyber activity observed by regulatory agencies – which the US government has not yet identified as being perpetrated by a state or group of threat actors – involves threat actors compromising ATG systems exposed on the Internet and modifying them by issuing a command,” the joint warning said.
As CISA has warned, following a successful compromise, attackers can disable system warnings, increase the risk of leaks or equipment failure and cause permanent damage to targeted tank systems.
Following CISA’s advisory, Internet security watchdog Shadowserver warned today that more than 1,000 ATG systems are exposed on the Internet, with the majority (909 machines) in the United States.

“We added a scan of Automatic Tank Gauge (ATG) systems to our ICS reachability report with 1061 IPs seen on 2026-06-05 (port 10001/tcp),” Shadowserver said. “This is after weeding out a lot of weeds that appear to be honeypots (including ports 8001/9001).”
Critical infrastructure organizations are advised to restrict remote access to ATG systems from the Internet as soon as possible and use controlled access through firewalls, VPNs, or access control lists.
They should also replace default passwords on vulnerable devices with strong credentials, apply security updates, monitor systems for unauthorized changes, and use multi-factor authentication where possible.
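One way to check that the access restriction above is actually in force, shown as an added example that is not part of the original article or the advisory: it scans firewall log lines for accepted connections to the ATG port (10001/tcp, from the Shadowserver quote) from sources outside an allowlist. The log format, the allowlisted networks and all addresses are constructed assumptions.

```python
import ipaddress
import re

ATG_PORT = 10001  # port named in the Shadowserver scan quoted above

# Assumption: management networks allowed to reach the ATG (VPN pool, ops LAN).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]

# Constructed sample lines in a simplified iptables LOG style (not real traffic).
SAMPLE_LOG = """\
Jun  5 02:11:09 fw kernel: ACCEPT IN=wan0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51514 DPT=10001
Jun  5 02:11:40 fw kernel: ACCEPT IN=vpn0 SRC=10.20.0.7 DST=203.0.113.10 PROTO=TCP SPT=40022 DPT=10001
Jun  5 02:12:02 fw kernel: DROP IN=wan0 SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=10001
Jun  5 02:13:15 fw kernel: ACCEPT IN=wan0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51600 DPT=443
Jun  5 02:14:51 fw kernel: ACCEPT IN=wan0 SRC=192.0.2.18 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=10001
"""

LINE_RE = re.compile(
    r"kernel: (?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def is_allowed(src):
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_acl_gaps(log_text):
    """Return (src, dst) pairs where an ATG connection was accepted from a
    source outside the allowlist, i.e. the firewall or ACL is too permissive."""
    gaps = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != ATG_PORT:
            continue  # unparseable line or traffic to another port
        if m["action"] == "ACCEPT" and not is_allowed(m["src"]):
            gaps.append((m["src"], m["dst"]))
    return gaps

if __name__ == "__main__":
    for src, dst in find_acl_gaps(SAMPLE_LOG):
        print(f"ATG port {ATG_PORT} on {dst} reachable from non-allowlisted {src}")
```
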
The CISA warning comes after a May CNN report that Iranian hackers had breached Internet-connected ATG systems at dozens of gas stations across the United States. Iranian hacking groups have been linked to these incidents based on their past history of targeting fuel control systems and other industrial control technology.
After breaching devices that had weak or no passwords, the attackers reportedly used the display readings but did not change the actual fuel levels. Although these incidents did not cause any physical damage, they raise concerns that such attacks may interfere with automatic fuel leak detection and similar safety-related functions.
In April, another joint advisory issued by US government agencies linked Iranian state-backed hackers to attacks targeting Rockwell Automation/Allen-Bradley PLC devices starting in March 2026, causing financial losses and operational disruptions.
Cybersecurity company Censys reported one day later that 74.6% (3,891 managers) of such industrial control systems found exposed on the Internet worldwide were located in the United States.



