Key Takeaways

• US officials suspect Iranian hackers breached fuel tank monitoring systems.
• Breaches involved unprotected systems posing theoretical safety risks.
• No physical damage reported, but safety concerns remain high.
• Political implications arise from rising gas prices and election cycles.

US officials suspect Iranian hackers are behind a series of cyber intrusions targeting systems that monitor fuel levels at gas stations across multiple states, according to sources briefed on the investigation. The breaches, which exploited unprotected online systems, have raised significant safety and political concerns amid the ongoing war between the US and Iran.

The intrusions occurred through automatic tank gauge (ATG) systems that were left online and unprotected by passwords. While the hackers managed to tamper with display readings in some instances, they did not alter the actual fuel levels in the tanks. Despite the lack of immediate physical damage, private experts and US officials warn that gaining access to these systems could theoretically allow a hacker to mask a gas leak, preventing detection and posing a serious risk to public safety.

Sources briefed on the case cited Iran’s history of targeting gas tank systems as a primary reason for suspecting Tehran. However, they cautioned that definitive attribution remains difficult due to a lack of forensic evidence left by the perpetrators. The FBI declined to comment on the matter, while CNN has requested comment from the US Cybersecurity and Infrastructure Security Agency (CISA).

If Iran’s involvement is confirmed, this incident marks the latest attempt by Tehran to threaten critical infrastructure on US soil, an area largely out of reach for Iranian drones and missiles. The situation presents a politically sensitive challenge for the Trump administration, particularly as it coincides with higher gas prices exacerbated by the conflict. A recent CNN poll revealed that 75% of US adults believe the war has negatively impacted their finances, making any disruption to fuel supplies particularly provocative.

The campaign highlights broader struggles among US critical infrastructure operators to secure their systems despite years of federal warnings. Iranian hacking groups have historically targeted "low-hanging fruit," such as internet-facing systems interacting with oil, gas, and water utilities. This pattern mirrors attacks following the October 7, 2023, Hamas assault on Israel, where US officials blamed IRGC-affiliated hackers for attacking US water utilities with anti-Israel messages.

Cybersecurity researchers have warned about the vulnerabilities of internet-facing ATGs for over a decade. In 2015, security firm Trend Micro deployed mock ATG systems to observe potential attackers, noting a quick response from pro-Iran groups. A 2021 Sky News report cited internal documents from the Islamic Revolutionary Guard Corps that specifically identified ATGs as targets for disruptive cyberattacks.

US intelligence agencies have long viewed Iran’s cyber capabilities as inferior to those of China or Russia. However, recent opportunistic hacks during the war suggest Tehran is a capable and unpredictable adversary. Since the conflict began in late February, Iran-linked hackers have disrupted oil and gas sites, caused shipping delays at medical device maker Stryker, and leaked private emails from FBI Director Kash Patel. Israeli organizations and citizens have also faced heavy targeting.

Yossi Karadi, head of Israel’s National Cyber Directorate, noted a significant increase in the scale and speed of Iran’s cyber operations, integrating them with psychological campaigns. While the Israel Defense Forces claimed to have struck a cyber warfare compound in March, Karadi cited recent degradation in hostile activity, suggesting Iranian actors are under pressure but still seeking openings.

Allison Wikoff, a threat intelligence director at PwC, described Iran’s operations as accelerating, featuring faster iteration and likely AI-driven scaling. She highlighted the swift creation of malware and assertive hack-and-leak campaigns as notable new tactics. Part of this strategy involves capitalizing on media reactions, with hacktivist groups using Telegram to exaggerate exploits and release promotional content.

One group, calling itself Handala, claimed to have breached the FBI’s systems but accessed only years-old Gmail emails. Alex Orleans of Sublime Security noted that the panic generated by such claims demonstrates a gap in how government and vendors articulate the threat. Orleans pointed out that Iran may lack the access for sustained effects and that the regime’s desire to endure disincentivizes wanton destruction.

Midterm Elections and Future Threats

The aggressive nature of these operations takes on added significance ahead of midterm elections. Unlike in 2020 and 2024, military and intelligence officials have not yet activated specialized teams to detect foreign election threats, a move criticized by former officials as strategic malpractice. Chris Krebs, former CISA director, predicts Iran will focus on information operations rather than direct system attacks, citing the ease and low cost of scaling such efforts with AI without facing immediate consequences.