US Agencies Warn of Ongoing Attacks Targeting Automatic Tank Gauge (ATG) Systems

CISA & NSA Warn of Ongoing Attacks Targeting Critical Fuel Monitoring Systems

HIGH
June 4, 2026
June 5, 2026
m read
Industrial Control SystemsCyberattackThreat Intelligence

Related Entities(initial)

Organizations

CISANSA

Products & Tech

Automatic Tank Gauge

Other

Iran

Full Report(when first published)

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning operators of Automatic Tank Gauge (ATG) systems about ongoing, targeted cyberattacks. Unattributed threat actors are compromising internet-exposed ATG devices, which are critical for monitoring fuel and other liquids in several key infrastructure sectors. The attackers have demonstrated the ability to disable safety alerts, potentially leading to undetected fuel leaks or other hazardous situations. The agencies are urging immediate defensive actions, including removing ATG systems from public-facing networks, strengthening password security, and implementing multi-factor authentication.


Threat Overview

Automatic Tank Gauge (ATG) systems are essential components in the operational technology (OT) networks of the energy, chemical, food and agriculture, and transportation sectors. They provide remote monitoring of fuel levels, temperature, and leak detection in storage tanks. According to the joint advisory, threat actors are actively scanning the internet for and compromising vulnerable ATG systems.

The primary attack vector is the direct exposure of ATG serial ports and web interfaces to the internet. Attackers are exploiting this exposure to gain unauthorized access and execute remote commands. A key malicious action observed is the disabling of system alerts. This manipulation could prevent operators from being notified of critical physical events, such as fuel spills or overfills, creating significant environmental and safety hazards. While the U.S. government has not made a formal attribution, previous investigations into similar attacks have suggested a potential link to Iranian state-sponsored actors.


Technical Analysis

The attacks leverage fundamental security weaknesses, primarily the exposure of OT systems to the internet. Threat actors are exploiting default or weak credentials to access ATG web interfaces and command functions.

  • Attack Vector: The primary vector is the exposure of ATG system interfaces on default TCP ports, specifically 8001, 9001, and 10001.
  • TTPs: The attackers' tactics, techniques, and procedures (TTPs) align with several MITRE ATT&CK techniques:

Impact Assessment

The potential impact of these attacks is severe. By disabling safety alerts, attackers can create a disconnect between the physical state of the fuel tank and the operator's monitoring system. This can lead to:

  • Operational Disruption: Inability to accurately track fuel inventory can disrupt logistics and operations in the transportation and energy sectors.
  • Physical and Environmental Hazards: Undetected fuel leaks or spills can cause significant environmental damage, create fire hazards, and pose a risk to public safety.
  • Financial Loss: The cost of cleaning up spills, repairing damage, and regulatory fines can be substantial.
  • Regulatory Scrutiny: Incidents involving critical infrastructure will likely lead to increased regulatory oversight and compliance requirements for affected organizations.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.


Cyber Observables — Hunting Hints

The following patterns could indicate related activity or vulnerable systems:

Type
Port
Value
8001
Description
Default TCP port for some ATG web interfaces.
Type
Port
Value
9001
Description
Default TCP port for some ATG web interfaces.
Type
Port
Value
10001
Description
Default TCP port for some ATG serial ports.
Type
Network Traffic Pattern
Value
Inbound connections to ports 8001, 9001, 10001 from unknown external IP addresses.
Description
Could indicate scanning or exploitation attempts.
Type
Log Pattern
Value
Repeated failed login attempts followed by a successful login to ATG web interface.
Description
May indicate a brute-force attack.

Detection & Response

Security teams should proactively hunt for and secure ATG systems.

  1. Asset Discovery: Use network scanning tools (e.g., Nmap, Shodan) to identify any ATG systems exposed to the internet from your organization's IP space.
  2. Network Monitoring: Implement network traffic monitoring (D3-NTA: Network Traffic Analysis) to detect and alert on any external communication attempts to or from ATG systems, especially on ports 8001, 9001, and 10001.
  3. Log Analysis: Regularly review ATG system logs for unauthorized access, configuration changes, or commands to disable alerts. Forward these logs to a central SIEM for correlation and analysis.
  4. Configuration Audits: Periodically audit the configuration of ATG systems to ensure they have not been tampered with and that alerts are functioning correctly.

Mitigation

CISA and the NSA recommend immediate action to harden ATG systems.

  1. Isolate Systems: The most critical step is to remove ATG systems from the public internet. Use a VPN, private network, or firewall to restrict access to authorized personnel only. This aligns with D3FEND's Network Isolation (D3-NI) technique.
  2. Strong Password Policy: Immediately change all default passwords on ATG systems to strong, unique passwords. Implement a strong password policy (D3-SPP: Strong Password Policy).
  3. Multi-Factor Authentication (MFA): Enable phishing-resistant MFA (D3-MFA: Multi-factor Authentication) on all accounts that can access ATG systems, especially those with administrative privileges.
  4. Software Updates: Work with certified ATG service providers to ensure all systems are running the latest manufacturer-issued software and security patches (D3-SU: Software Update).

Timeline of Events

1
June 4, 2026
This article was published

Article Updates

June 5, 2026

Severity increased

FBI and DOE join CISA/NSA warning on ATG attacks, detailing expanded impacts including supply chain disruption and new mitigation steps.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has now partnered with the FBI, NSA, and Department of Energy to issue an urgent warning regarding ongoing cyberattacks targeting internet-exposed automatic tank gauge (ATG) systems. The updated advisory provides more specific details on potential impacts, including fuel supply chain disruptions, economic damage, and explicit safety hazards like fires or explosions from manipulated readings. New mitigation recommendations include network segmentation and regular firmware updates, alongside previous advice on removing systems from public internet exposure and strengthening credentials. Attackers are using internet scanning (T1595) and exploiting public-facing applications (T1190) to manipulate control systems (T0829, T0814).

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

ATGCISACritical InfrastructureICS SecurityNSAOT Security

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.