US Agencies Warn of Ongoing Attacks Targeting Automatic Tank Gauge (ATG) Systems

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning operators of Automatic Tank Gauge (ATG) systems about ongoing, targeted cyberattacks. Unattributed threat actors are compromising internet-exposed ATG devices, which are critical for monitoring fuel and other liquids in several key infrastructure sectors. The attackers have demonstrated the ability to disable safety alerts, potentially leading to undetected fuel leaks or other hazardous situations. The agencies are urging immediate defensive actions, including removing ATG systems from public-facing networks, strengthening password security, and implementing multi-factor authentication.

Threat Overview

Automatic Tank Gauge (ATG) systems are essential components in the operational technology (OT) networks of the energy, chemical, food and agriculture, and transportation sectors. They provide remote monitoring of fuel levels, temperature, and leak detection in storage tanks. According to the joint advisory, threat actors are actively scanning the internet for and compromising vulnerable ATG systems.

The primary attack vector is the direct exposure of ATG serial ports and web interfaces to the internet. Attackers are exploiting this exposure to gain unauthorized access and execute remote commands. A key malicious action observed is the disabling of system alerts. This manipulation could prevent operators from being notified of critical physical events, such as fuel spills or overfills, creating significant environmental and safety hazards. While the U.S. government has not made a formal attribution, previous investigations into similar attacks have suggested a potential link to Iranian state-sponsored actors.

Technical Analysis

The attacks leverage fundamental security weaknesses, primarily the exposure of OT systems to the internet. Threat actors are exploiting default or weak credentials to access ATG web interfaces and command functions.

• Attack Vector: The primary vector is the exposure of ATG system interfaces on default TCP ports, specifically 8001, 9001, and 10001.
• TTPs: The attackers' tactics, techniques, and procedures (TTPs) align with several MITRE ATT&CK techniques:
  • T0886 - Remote Services: Attackers are accessing and manipulating ATG systems through their exposed remote interfaces.
  • T1078 - Valid Accounts: The compromise likely involves the use of default or easily guessable passwords to gain access.
  • T1212 - Exploitation of Remote Services: Gaining access to manipulate system functions, such as disabling alerts.
  • T0829 - Impair Process Control: By disabling alerts, attackers directly impair the process control function of the ATG system, which could lead to loss of safety.

Impact Assessment

The potential impact of these attacks is severe. By disabling safety alerts, attackers can create a disconnect between the physical state of the fuel tank and the operator's monitoring system. This can lead to:

• Operational Disruption: Inability to accurately track fuel inventory can disrupt logistics and operations in the transportation and energy sectors.
• Physical and Environmental Hazards: Undetected fuel leaks or spills can cause significant environmental damage, create fire hazards, and pose a risk to public safety.
• Financial Loss: The cost of cleaning up spills, repairing damage, and regulatory fines can be substantial.
• Regulatory Scrutiny: Incidents involving critical infrastructure will likely lead to increased regulatory oversight and compliance requirements for affected organizations.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

The following patterns could indicate related activity or vulnerable systems:

Detection & Response

Security teams should proactively hunt for and secure ATG systems.

1. Asset Discovery: Use network scanning tools (e.g., Nmap, Shodan) to identify any ATG systems exposed to the internet from your organization's IP space.
2. Network Monitoring: Implement network traffic monitoring (D3-NTA: Network Traffic Analysis) to detect and alert on any external communication attempts to or from ATG systems, especially on ports 8001, 9001, and 10001.
3. Log Analysis: Regularly review ATG system logs for unauthorized access, configuration changes, or commands to disable alerts. Forward these logs to a central SIEM for correlation and analysis.
4. Configuration Audits: Periodically audit the configuration of ATG systems to ensure they have not been tampered with and that alerts are functioning correctly.

Mitigation

CISA and the NSA recommend immediate action to harden ATG systems.

1. Isolate Systems: The most critical step is to remove ATG systems from the public internet. Use a VPN, private network, or firewall to restrict access to authorized personnel only. This aligns with D3FEND's Network Isolation (D3-NI) technique.
2. Strong Password Policy: Immediately change all default passwords on ATG systems to strong, unique passwords. Implement a strong password policy (D3-SPP: Strong Password Policy).
3. Multi-Factor Authentication (MFA): Enable phishing-resistant MFA (D3-MFA: Multi-factor Authentication) on all accounts that can access ATG systems, especially those with administrative privileges.
4. Software Updates: Work with certified ATG service providers to ensure all systems are running the latest manufacturer-issued software and security patches (D3-SU: Software Update).