Exclusive: Hackers have breached tank readers at US gas stations; officials suspect Iran is responsible
By Sean Lyngaas, CNN
(CNN) — US officials suspect Iranian hackers are behind a series of breaches of systems that monitor the amount of fuel in storage tanks serving gas stations in multiple states, according to multiple sources briefed on the activity.
The hackers responsible have exploited automatic tank gauge (ATG) systems that were sitting online and unprotected by passwords, allowing them in some cases to tinker with display readings on the tanks but not the actual levels of fuel in them, the sources said.
The cyber intrusions are not known to have caused physical damage or harm, but the breaches have raised safety concerns because gaining access to an ATG could, in theory, allow a hacker to make a gas leak go undetected, according to private experts and US officials.
The sources briefed on the investigation said Iran’s history of targeting the gas tank systems is one reason the country is a top suspect. But, the sources cautioned, the US government may not be able to definitively determine who was responsible because of a lack of forensic evidence left by the hackers.
CNN has requested comment on the ATG hack from the US Cybersecurity and Infrastructure Security Agency. The FBI declined to comment.
If Iran’s involvement is confirmed, it would be the latest case of Tehran threatening critical infrastructure in the US homeland, which remains out of reach of Iranian drones and missiles, amid the US and Israeli war with Iran.
It could also raise a politically sensitive issue for the Trump administration by drawing further attention to higher gas prices caused by the war. Seventy-five percent of US adults surveyed in a recent CNN poll said the Iran war had a negative effect on their finances.
The hacking campaign is also a warning to many US critical infrastructure operators who have struggled to secure their systems despite years of federal exhortations.
Iranian hacking groups have long looked for low-hanging fruit — critical US computer systems sitting online that interact with oil and gas sites and water systems, for example. After Hamas attacked Israel on October 7, 2023, US officials blamed hackers affiliated with Iran’s Islamic Revolutionary Guard Corps for a series of attacks on US water utilities that displayed an anti-Israel message on equipment used to manage water pressure.
Cybersecurity researchers have been warning about internet-facing ATGs for over a decade. In 2015, security firm Trend Micro put mock ATG systems online to see what kind of hackers would target them. A pro-Iran group was quick to surface.
A 2021 report from Sky News cited internal documents from the Islamic Revolutionary Guard Corps that singled out ATGs as a potential target for a disruptive cyberattack on gas stations.
Iran’s cyber operations are ‘accelerating’
US intelligence agencies have long considered Iran’s cyber capabilities inferior to those of China or Russia. But a string of opportunistic hacks of key US assets during the war suggests Iran is a capable — and unpredictable — adversary.
Since the war began in late February, Tehran-linked hackers have caused disruptions at multiple US oil and gas and water sites, shipping delays at Stryker, a major US medical device maker, and have leaked the private emails of FBI Director Kash Patel.
Israeli organizations and citizens have also been heavily targeted by Tehran’s hackers during the latest war, while the US and Israeli military have used cyber operations to make their kinetic strikes more lethal.
Iran’s cyber activity during the war has shown “a significant increase in the scale, speed, and integration between cyber operations and psychological campaigns,” Yossi Karadi, head of the Israel’s cyber defense agency, the National Cyber Directorate, told CNN.
The Israel Defense Forces in March claimed to have struck a compound housing Iran’s “Cyber Warfare headquarters.” It’s unclear how many Iranian cyber operatives, if any, were killed in that strike.
Karadi would not comment on that matter, citing his agency’s mandate, which is limited to cyber defense.
“That said, from a defensive perspective, in recent month, we are seeing some degradation in parts of the hostile cyber activity,” he said. “The bottom line is that Iranian actors are under pressure and are trying to strike wherever they find an opening in cyberspace.
The last 18 months have shown that Iran’s cyber operations in general “are now accelerating with faster iteration, more layered hacktivist personas, and likely AI-driven scaling for reconnaissance and phishing,” said Allison Wikoff, a director on PwC’s threat intelligence team with over a decade of experience tracking Iran-based threats.
“What’s notably new in their cyber playbook is the swift creation of ‘good-enough’ malware, including the destructive wiping types, complemented by assertive hack-and-leak campaigns against media, dissidents, and key (US) civilian infrastructure,” Wikoff told CNN.
Part of that Iranian playbook is capitalizing on the wartime footing of an American media quick to pounce on claims made by all sides.
Hackers associated with Iran’s intelligence ministry and paramilitary arm maintain a number of “hacktivist” personas through which they use Telegram to exaggerate their exploits, publish stolen material and release promotional videos spliced to catchy music.
One of the groups, calling itself Handala after a Palestinian cartoon character, taunted Patel while claiming it had breached the FBI’s “impenetrable” computer systems. In reality, the hackers got into Patel’s years-old Gmail emails.
“The fact that every Handala claim leads to people freaking out demonstrates that the operational reality of the threat Iran poses is something that both government agencies and vendors don’t seem to be able to articulate,” said Alex Orleans, a cybersecurity researcher who has tracked Iran-linked hackers for years and leads threat intelligence at security firm Sublime Security.
Despite the string of hacks from Iran during the war, Orleans offered two reasons there haven’t been more.
“The first is that Iran appears to have lacked the lines of access to deliver sustained effects, or we likely would’ve seen more incidents like Stryker,” he told CNN. “The second is that the regime has clearly demonstrated its intention to endure, which further disincentivizes wanton cyber effects operations.”
‘Nobody’s paying a price for it’
For some current and former US officials, the aggressive and unpredictable nature of Iranian cyber operations take on added significance ahead of the midterm elections.
In the 2020 election, federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), blamed Iran for a scheme that impersonated the far-right Proud Boys to try to intimidate voters. During the 2024 US presidential election, Iranian hackers breached the Trump campaign and sent internal documents from it to news organizations.
Now, for the first election cycle in years, US military and intelligence officials have yet to activate a specialized team dedicated to detecting and thwarting foreign threats to elections — a move that one former Cyber Command official, Jason Kikta, deemed “strategic malpractice.”
“Between what we’ve watched Iran do in this war and what they ran in 2020, I’d be surprised if they sat the midterms out,” said Chris Krebs, who as CISA director in 2020 stood beside then-Director of National Intelligence John Ratcliffe as they warned the American public about Iranian and Russian influence operations.
“My bet is on information operations, not attacks on election systems,” Krebs told CNN. “That’s where the Russians and Chinese have gone, and for good reason. It’s cheap, it’s easy to scale with AI, and nobody’s paying a price for it.”
The-CNN-Wire
™ & © 2026 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
