GoKawiilOver 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks.
ATG systems are electronic monitoring devices used to remotely track fuel, chemicals, or other liquids in storage tanks, automating inventory control, environmental leak detection, and regulatory compliance. While they're commonly used at gas stations to monitor fuel tank levels, they can also be found in industrial settings to track chemical storage tanks.
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, the Department of Energy, and other U.S. government partners issued a joint advisory warning critical infrastructure organizations to secure internet-exposed ATG systems against ongoing attacks.
The federal agencies warned that threat actors target such devices to alter system settings in command execution attacks after exploiting various security flaws, including hardcoded credentials, authentication bypasses, SQL injection vulnerabilities, OS command execution flaws, and privilege escalation weaknesses.
"The recent malicious cyber activity observed by the authoring organizations—which the U.S. government has not yet attributed to a nation-state or threat actor group—involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution," the joint advisory warned.
As CISA cautioned, following successful compromises, the attackers could disable system alerts, increasing the risk of leaks or equipment failures and even causing permanent damage to the targeted tank systems.
In light of CISA's advisory, Internet security watchdog Shadowserver warned today that over 1,000 ATG systems were exposed online, with the vast majority (909 devices) in the United States.
Map of ATG systems exposed online (Shadowserver)
"We added scanning of Automatic Tank Gauge (ATG) systems to our Accessible ICS reporting with 1061 IPs seen on 2026-06-05 (on port 10001/tcp)," Shadowserver said. "This is after weeding out vast majority which appear to be honeypots (including ports 8001/9001)."
Critical infrastructure organizations are advised to restrict remote access to ATG systems from the Internet as soon as possible and implement controlled access through firewalls, VPNs, or access control lists.
... continue reading