Suspected Iran-Linked Hackers Target U.S. Fuel Infrastructure Through Exposed Tank Monitoring Systems
A series of cyber intrusions into fuel monitoring systems at gas stations across the United States is raising new alarms about the fragility of industrial control systems that quietly underpin critical infrastructure. U.S. officials and private sector experts believe the activity may be linked to Iran, though attribution remains uncertain due to limited forensic evidence.
The attacks focus on automatic tank gauge systems, or ATGs, which track fuel levels in storage tanks at gas stations, airports, hospitals, and military facilities. Investigators say attackers were able to access some of these systems because they were exposed online without password protection. In several cases, hackers manipulated display readings but did not alter actual fuel levels.
Even without physical damage, the implications are serious. Unauthorized access to ATGs could allow attackers to mask leaks, disable safety alerts, or create hazardous conditions that go undetected. The incident underscores a long-standing concern within the cybersecurity community: operational technology environments are increasingly connected, but not always secured to match their expanded attack surface.
Ben Edwards, principal research scientist at Bitsight, warned that these systems represent a critical blind spot. “Automatic tank gauges are a prime example of the industrial control systems that underpin our most critical physical infrastructure – silently monitoring fuel levels at gas stations, military bases, airports, and hospitals around the clock. What today's reported activity makes clear is that these systems are an active target, and the attack surface is larger than most people realize.”
Bitsight’s research has identified thousands of ATG systems that remain directly accessible from the public internet. Edwards noted that new systems continue to come online in an exposed state, creating a persistent and growing risk. “Threat actors who gain access to these systems could overfill tanks and trigger environmental disasters, disable critical safety alarms, or override physical relays to cause permanent, irreversible damage to equipment,” he said.
The campaign reflects a broader shift in how cyber threats are evolving. While nation-state actors have historically dominated this space, advances in artificial intelligence are lowering the barrier to entry. According to Grady Summers, CEO of Netwrix, the ability to discover and exploit exposed systems is rapidly becoming commoditized.
“Last week the UK AI Security Institute published measurements showing that AI models' autonomous cyber capability has been doubling every 4.7 months since late 2024, and that the two most recent frontier models exceeded even that pace,” Summers said. “The ability to find exposed systems at scale is no longer a nation-state capability. It is becoming cheap and widely available.”
The ATG breaches also highlight deeper structural issues within operational technology environments. Many of these systems were originally designed to operate in isolation but have since been connected to enterprise networks for efficiency and remote management. That shift has introduced complex and often poorly understood access pathways.
“The ATG entry point is not the central problem,” Summers explained. “Once an attacker is inside an industrial system, the question is where the access paths lead. Credentials from a poorly governed environment can reach further than anyone intended, and most organizations do not have a clear map of what connects to what.”
Security experts say the real risk lies in accumulated access that has never been audited or removed. Over time, organizations build layers of permissions, service accounts, and system integrations that expand the potential blast radius of any breach.
“The organizations most at risk from incidents like this are not the ones making headlines this week,” Summers said. “They are the ones where access accumulated over years of operational growth and never got cleaned up.”
Iran has a documented history of probing U.S. infrastructure for vulnerabilities, often targeting systems that are exposed and lightly defended. Officials point to past incidents involving water utilities and fuel-related infrastructure as evidence of a pattern. Still, investigators caution that definitive attribution in this case may prove difficult.
The latest activity comes amid heightened geopolitical tensions and an uptick in cyber operations linked to state-backed groups. Security analysts say these campaigns are increasingly opportunistic, blending technical intrusion with psychological impact and media amplification.
For infrastructure operators, the takeaway is clear. The risk is no longer theoretical, and the exposure is not limited to high-profile targets. Systems that were once considered low priority or isolated are now part of a connected attack surface that adversaries can scan, access, and potentially manipulate at scale.
Edwards emphasized the urgency. “This is a known, documented risk and it demands urgent attention from both asset owners and policymakers.”


