The Cybersecurity and Infrastructure Security Agency, FBI and other federal authorities warned Tuesday that hackers have targeted automatic tank gauge systems in threat activity across multiple industry sectors.
Automatic tank gauge, or ATG, systems are used to measure temperature, check fuel or other liquid levels and detect leaks, according to guidance released by the agencies. Hackers have targeted internet-exposed devices and used command execution to disable alerts or otherwise obscure the monitoring of these devices.
Authorities referenced multiple access vectors used to exploit flaws in tank gauge systems:
- Authentication bypass and hardcoded credentials allow hackers to gain access to device management interfaces.
- Operating system command execution and structured query language injection let hackers execute arbitrary code and manipulate underlying databases.
- Privilege escalation allows hackers to gain full administrator privileges over the operating system and the device application.
Federal authorities are urging operators to secure these systems by disconnecting them from the internet, changing default passwords and applying security patches.
Iran connection possible
Federal authorities have not attributed the attacks to any specific group, but CNN previously reported an investigation into the hack of ATG systems that serve gas stations in multiple U.S. states. The threat activity is suspected to be connected to Iran-linked hackers, but federal officials are not publicly making that link.
OT security experts cautioned there are limits to how a hacker might manipulate these devices.
“A malicious actor could take control of an ATG and disrupt its functions, including leak detection, but they cannot cause a leak with an ATG,” said Markus Mueller, field CISO at Nozomi Networks. “Similarly, a malicious actor could disrupt the ability to fill or use a tank to fill a vehicle.”
Besides use at gas stations, these devices are also widely used to monitor food for farm equipment and storage for bulk chemicals, according to the Food and Agriculture Information Sharing and Analysis Center.
“A compromised ATG can disrupt harvest operations, trigger false safety alerts, or interfere with food-grade storage, with downstream impacts on food and supply continuity,” Jonathan Braley, director of threat intelligence at Ag-ISAC, told Cybersecurity Dive.
CISA and the FBI previously warned about threat activity targeting U.S. water and energy utilities in connection with the Iran war. The threat advisory, issued in April, noted the attacks have led to operational and financial impacts.
Iran-linked threat groups have a history of targeting vulnerable water utilities and other industrial systems in the U.S., dating back to the Gaza war in 2023.
The authoring agencies include the Environmental Protection Agency, Department of Energy, National Security Agency, Department of Transportation, Transportation Security Administration and Department of Agriculture.