Iranian-affiliated hackers broke into automatic tank gauge (ATG) systems monitoring fuel storage at gas stations across multiple states, U.S. officials suspect, exploiting devices that operators left exposed online with no password protection, CNN reported Thursday.
The hackers reportedly manipulated display readings on the fuel tanks but did not alter actual fuel levels or cause physical damage, according to sources briefed on the activity. No injuries or spills have been reported.
The intrusion exposed a more unsettling risk: a compromised ATG could mask a genuine gas leak, allowing flammable vapors to accumulate undetected while monitoring software showed everything as normal, Security Magazine reported.
“At this time, no damage or harm has been reported from this incident,” Security Magazine noted, while flagging that “theoretically, the hackers could’ve made a gas leak pass by undetected.”
The breach did not require sophisticated tools. Attackers needed only to locate internet-exposed ATGs – something security researchers have been flagging publicly since at least 2024 – and walk through an open door.
CISA has recently issued multiple advisories identifying critical vulnerabilities in widely deployed ATG systems, and researchers at BitSight Technologies identified thousands of internet-exposed ATG systems across gas stations, power plants, airports, and military bases years before the suspected Iranian campaign began.
A definitive forensic attribution for the ATG intrusions may never arrive: the lack of physical damage limits the evidence trail. Iran’s documented history of targeting fuel infrastructure, combined with the timing of the broader OT campaign, keeps it at the top of the suspect list.
Federal agencies have spent years urging operators to take ATG systems offline entirely or place them behind firewalls, enforce authentication, and segment industrial control devices away from the public internet, but the gas station sector has ignored that guidance at scale.







