Full Report
Over 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks. [...]
Analysis Summary
# Incident Report: Exposure and Targeted Attacks on US Automatic Tank Gauge (ATG) Systems
## Executive Summary
Over 900 Automatic Tank Gauge (ATG) systems in the United States have been identified as internet-exposed and are currently being targeted by cyber threat actors. These systems, used to monitor fuel and chemical storage at gas stations and industrial sites, are being compromised via command execution attacks to modify system settings and disable alerts. While recent reported breaches have primarily involved display manipulation, the potential for catastrophic environmental leaks and permanent equipment damage remains high.
## Incident Details
- **Discovery Date:** June 5, 2026 (Shadowserver scanning report)
- **Incident Date:** Ongoing (Advisories issued June 2026; related activity traced back to March 2026)
- **Affected Organization:** Multiple critical infrastructure entities and gas station operators
- **Sector:** Energy / Critical Infrastructure / Industrial Control Systems (ICS)
- **Geography:** United States (909 of ~1,061 global exposures)
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026 – Ongoing
- **Vector:** Exploitation of internet-exposed Industrial Control Systems (ICS).
- **Details:** Actors used weak or default credentials and unpatched vulnerabilities (SQL injection, authentication bypass) to gain access via port 10001/tcp.
### Lateral Movement
- **Details:** While not explicitly detailed in the brief, the advisory warns that compromising these edge devices can serve as a pivot point for privilege escalation within the local industrial network.
### Data Exfiltration/Impact
- **Details:** Attackers modified system settings and display readings. In previous incidents linked to Iranian actors, display screens were manipulated to show custom messages or false readings.
### Detection & Response
- **How it was discovered:** Initial reports by CNN (May 2026) followed by a formal joint advisory from CISA, FBI, and NSA on June 2, 2026.
- **Response actions taken:** Shadowserver conducted internet-wide scanning to identify exposed IPs; federal agencies issued remediation guidance to critical infrastructure owners.
## Attack Methodology
- **Initial Access:** Direct connection to internet-exposed ports (10001/tcp); exploitation of default/weak passwords.
- **Persistence:** Not specified, but generally achieved through modified system settings.
- **Privilege Escalation:** Use of known OS command execution and privilege escalation vulnerabilities.
- **Defense Evasion:** Use of honeypot-aware scanning (avoiding ports 8001/9001).
- **Credential Access:** Exploitation of hardcoded credentials.
- **Discovery:** Publicly accessible ICS scanning (e.g., Censys, Shadowserver).
- **Lateral Movement:** N/A (Focus is on direct device impact).
- **Collection:** Remote monitoring of tank levels and chemical inventories.
- **Exfiltration:** N/A.
- **Impact:** Disabling system alerts, altering sensor readings, and command execution leading to potential physical damage or environmental leaks.
## Impact Assessment
- **Financial:** Risk of significant cleanup costs if leak detection is disabled.
- **Data Breach:** Exposure of critical infrastructure inventory levels and system configurations.
- **Operational:** High disruption; loss of automated inventory control and regulatory compliance monitoring.
- **Reputational:** Public concern regarding fuel supply safety and environmental protection.
## Indicators of Compromise
- **Network indicators:** Traffic to port 10001/tcp on ATG hosts.
- **Behavioral indicators:** Unauthorized modification of tank level displays; disabled environmental alerts or leak alarms.
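A defender-side check for the network indicator above, written as an added example that is not part of the original report or the joint advisory. It runs over constructed firewall log lines and flags TCP/10001 sessions to known ATG hosts from any source outside an assumed management allowlist; the hosts, subnets and log format are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed (constructed) values: the site's ATG hosts and the only
# management subnet that is permitted to reach them.
ATG_PORT = 10001
ATG_HOSTS = {"10.20.5.7", "10.20.5.8"}
ALLOWED_MGMT = [ipaddress.ip_network("10.20.1.0/24")]

# Constructed firewall log lines: ts src_ip src_port dst_ip dst_port proto action
SAMPLE_LOGS = """\
2026-06-05T01:02:03Z 10.20.1.15 53211 10.20.5.7 10001 tcp allow
2026-06-05T01:05:09Z 198.51.100.23 40122 10.20.5.7 10001 tcp allow
2026-06-05T01:05:10Z 198.51.100.23 40123 10.20.5.8 10001 tcp allow
2026-06-05T01:06:00Z 203.0.113.9 51000 10.20.5.7 8001 tcp deny
2026-06-05T01:07:00Z 203.0.113.9 51001 10.20.5.7 10001 tcp deny
2026-06-05T01:08:00Z 10.20.3.4 44000 10.20.5.7 10001 tcp allow
"""

def parse_line(line):
    ts, src, _sport, dst, dport, proto, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}

def is_allowed_source(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_MGMT)

def find_suspicious_atg_access(log_text):
    """Return TCP/10001 sessions to ATG hosts from non-allowlisted sources.
    Accepted sessions are 'high'; denied probes are kept as 'info' so that
    scanning against the ATG port stays visible even when the firewall held."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["dport"] != ATG_PORT or rec["proto"] != "tcp":
            continue
        if rec["dst"] not in ATG_HOSTS or is_allowed_source(rec["src"]):
            continue
        rec["severity"] = "high" if rec["action"] == "allow" else "info"
        hits.append(rec)
    return hits

def summarize(hits):
    # Count events per (source, severity) for a quick triage view.
    return Counter((h["src"], h["severity"]) for h in hits)

if __name__ == "__main__":
    for h in find_suspicious_atg_access(SAMPLE_LOGS):
        print(h["ts"], h["src"], "->", h["dst"], h["severity"])
```

Any 'high' hit from an address outside the site's own ranges is direct evidence that the containment measure below (no ATG reachability from the public internet) is not in place.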
## Response Actions
- **Containment measures:** Restricting remote access to ATGs from the public internet using firewalls and VPNs.
- **Eradication steps:** Changing default passwords to high-entropy credentials; applying vendor security patches for SQLi and command execution flaws.
- **Recovery actions:** Reverting modified system settings to authorized states; verifying the integrity of sensor data.
## Lessons Learned
- **Key takeaways:** Critical infrastructure components (ATGs) are frequently overlooked in enterprise security audits despite their role in environmental safety.
- **Gaps identified:** A high number of ICS devices remain connected to the public internet without even basic password protection or firewalling.
## Recommendations
- **Zero Exposure:** Transition ATG systems to an air-gapped network or secure them behind a VPN with Multi-Factor Authentication (MFA).
- **Asset Inventory:** Conduct regular scans to identify "shadow" ICS devices exposed to the internet.
- **Hardening:** Disable unnecessary services and change all default manufacturer credentials immediately upon deployment.