The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning operators of Automatic Tank Gauge (ATG) systems about ongoing, targeted cyberattacks. Unattributed threat actors are compromising internet-exposed ATG devices, which are critical for monitoring fuel and other liquids in several key infrastructure sectors. The attackers have demonstrated the ability to disable safety alerts, potentially leading to undetected fuel leaks or other hazardous situations. The agencies are urging immediate defensive actions, including removing ATG systems from public-facing networks, strengthening password security, and implementing multi-factor authentication.
Automatic Tank Gauge (ATG) systems are essential components in the operational technology (OT) networks of the energy, chemical, food and agriculture, and transportation sectors. They provide remote monitoring of fuel levels, temperature, and leak detection in storage tanks. According to the joint advisory, threat actors are actively scanning the internet for and compromising vulnerable ATG systems.
The primary attack vector is the direct exposure of ATG serial ports and web interfaces to the internet. Attackers are exploiting this exposure to gain unauthorized access and execute remote commands. A key malicious action observed is the disabling of system alerts. This manipulation could prevent operators from being notified of critical physical events, such as fuel spills or overfills, creating significant environmental and safety hazards. While the U.S. government has not made a formal attribution, previous investigations into similar attacks have suggested a potential link to Iranian state-sponsored actors.
The attacks leverage fundamental security weaknesses, primarily the exposure of OT systems to the internet. Threat actors are exploiting default or weak credentials to access ATG web interfaces and command functions.
8001, 9001, and 10001.T0886 - Remote Services: Attackers are accessing and manipulating ATG systems through their exposed remote interfaces.T1078 - Valid Accounts: The compromise likely involves the use of default or easily guessable passwords to gain access.T1212 - Exploitation of Remote Services: Gaining access to manipulate system functions, such as disabling alerts.T0829 - Impair Process Control: By disabling alerts, attackers directly impair the process control function of the ATG system, which could lead to loss of safety.The potential impact of these attacks is severe. By disabling safety alerts, attackers can create a disconnect between the physical state of the fuel tank and the operator's monitoring system. This can lead to:
No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.
The following patterns could indicate related activity or vulnerable systems:
80019001100018001, 9001, 10001 from unknown external IP addresses.Security teams should proactively hunt for and secure ATG systems.
8001, 9001, and 10001.CISA and the NSA recommend immediate action to harden ATG systems.
FBI and DOE join CISA/NSA warning on ATG attacks, detailing expanded impacts including supply chain disruption and new mitigation steps.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has now partnered with the FBI, NSA, and Department of Energy to issue an urgent warning regarding ongoing cyberattacks targeting internet-exposed automatic tank gauge (ATG) systems. The updated advisory provides more specific details on potential impacts, including fuel supply chain disruptions, economic damage, and explicit safety hazards like fires or explosions from manipulated readings. New mitigation recommendations include network segmentation and regular firmware updates, alongside previous advice on removing systems from public internet exposure and strengthening credentials. Attackers are using internet scanning (T1595) and exploiting public-facing applications (T1190) to manipulate control systems (T0829, T0814).

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.