Destructive Cyber Operations

Attack on Fuel Tank Monitoring Systems in the United States

Why Are IRGC Affiliated Cyber Networks the Main Suspect?

Raaznet Editorial Board
May 16, 2026

U.S. officials are investigating a series of cyber intrusions into fuel tank monitoring systems across several U.S. states. This equipment is used at gas stations to measure fuel levels, issue leak alerts, and monitor the status of storage tanks. According to CNN’s exclusive report, the Islamic Republic is one of the main suspects in these attacks, although no conclusive evidence has yet been published to formally attribute the attacks to Tehran. That caution is the correct starting point for understanding the case: it has not yet been “proven,” but in terms of pattern, timing, and target type, it shows significant consistency with the record of cyber operations carried out by actors affiliated with the Islamic Republic.

The target of the attack was a set of systems known as Automatic Tank Gauges, or ATGs. These systems are installed in underground fuel tanks at gas stations and provide operators with information such as the amount of fuel stored, the status of the tank, and alerts related to leaks or operational faults. Sources familiar with the matter told CNN that some of these systems had no password and were connected directly to the internet. In some cases, the attackers were able to alter the data displayed about fuel levels, but so far there has been no report of actual fuel manipulation or physical damage.

From a technical perspective, if confirmed, this attack is less a sign of a highly sophisticated operation than evidence of a chronic weakness in operational technology security. ATGs are designed to monitor tanks, record operational data, and send safety alerts, not to sit defenseless on the public internet. Rapid7 had warned about this exact risk as early as 2015, writing that remote access to an ATG control port could allow an attacker to change alert thresholds, reset the system, or disrupt the operation of a fuel tank. The same report warned that, in a worst case scenario, thousands of gas stations in the United States could be exposed to disruption with minimal effort.

This is where the significance of the case lies. If the display of a fuel tank shows the wrong number, the station operator no longer knows whether the tank is actually empty, full, or whether the data has been manipulated. This does not necessarily mean an explosion, fire, or physical destruction, but in operational infrastructure, trust in data is part of the infrastructure itself. When data is no longer reliable, leak alerts, fuel supply planning, fuel truck dispatching, and safety decisions are also called into question. The effect of such an attack may therefore be less about heavy technical damage and more about operational mistrust, local disruption, and psychological pressure.

Until forensic data is published, it should not be stated with certainty that this attack was carried out by the Islamic Republic. Neither the U.S. government nor agencies such as CISA have published publicly reviewable technical details, and even the existing accounts emphasize the absence of conclusive evidence. However, the absence of definitive proof does not mean the absence of a credible hypothesis. In cyber attribution analysis, especially in wartime conditions, the pattern of targeting, operational history, type of infrastructure targeted, and political messaging of the operation are all examined alongside technical data.

In this case, one serious hypothesis is the possible connection of the attack to networks affiliated with the IRGC Cyber Electronic Command, or IRGC-CEC. In February 2024, the U.S. Treasury Department sanctioned six officials of this command for malicious cyber activity against critical infrastructure in the United States and other countries, stating that the command was responsible for a series of cyber operations against sensitive infrastructure. The same statement referred to operations against Unitronics industrial controllers, operations in which IRGC affiliated actors displayed their own imagery on the screens of industrial controllers.

The key name in this context is CyberAv3ngers. MITRE has registered this group under the identifier G1027 and describes it as a group suspected of being affiliated with the IRGC that has been active since at least 2020. In 2023, CyberAv3ngers conducted a global campaign against Unitronics controllers equipped with HMI interfaces, equipment used in sectors such as water and wastewater, energy, food production, and healthcare. MITRE has also recorded the techniques used in this campaign as including the use of internet connected devices and the abuse of insecure or default credentials.

Microsoft also tracks CyberAv3ngers and the related group Soldiers of Solomon under the name Storm-0784. In a May 2024 report, Microsoft wrote that since late 2023 it had observed an increase in attacks against internet exposed and poorly protected OT equipment, and attributed the November 2023 attack on the Aliquippa water facility in Pennsylvania to the IRGC affiliated CyberAv3ngers. In that case, a pressure regulation pump in the municipal water network stopped functioning, and the device’s control panel was altered with a CyberAv3ngers message. Microsoft emphasized that the shared pattern in these attacks was the selection of internet exposed OT equipment, weak or default passwords, and insecure configuration.

This similarity is what makes the attack on gas station ATGs, if CNN’s report is accurate, appear to fall along the same pattern. Such an attack does not require deep penetration of complex military or energy networks. An attacker can search the internet, find poorly protected devices, enter the management interface, and change the displayed data. From this perspective, the possible attack on fuel tanks is not an advanced operation at the level of infrastructure destruction, but rather an example of the political exploitation of security negligence.

In institutional analysis, two sets of actors within the Islamic Republic may be relevant in cases like this: the Ministry of Intelligence and structures affiliated with the IRGC. Groups linked to the Ministry of Intelligence, such as MuddyWater or APT34 and some clusters close to them, are generally better known for targeted espionage, persistent access, and operations against governmental, diplomatic, or regional targets. By contrast, campaigns such as CyberAv3ngers and groups such as Charming Kitten or OilRig are closer to performative operations, disruption of industrial equipment, and the production of political messaging through poorly defended infrastructure. For this reason, although definitive attribution is not possible, the hypothesis of a connection to IRGC-CEC and units such as networks attributed to Shahid Kaveh appears more serious in terms of behavioral pattern.

The political context is also important. The attack occurred in the context of the ongoing war among the United States, Israel, and the Islamic Republic, which has accelerated the cyber activity of actors affiliated with the IRGC. These include attacks linked to U.S. oil, gas, and water infrastructure, disruption in the supply chain of the medical equipment company Stryker, and the leak of private emails belonging to Kash Patel, the director of the FBI. In such an environment, an attack on fuel systems, even if it causes limited direct damage, can have significant propaganda and psychological value for the attacker.

The cautious conclusion is this: it still cannot be said that the attack on ATGs at U.S. gas stations was definitely carried out by the Islamic Republic. Public technical data is not sufficient for such a judgment. But if this case is placed alongside previous CyberAv3ngers attacks, the pattern of targeting OT equipment, known ATG weaknesses, and the current wartime conditions, the hypothesis of involvement by networks affiliated with the IRGC Cyber Electronic Command is credible and worth examining. In cyberwarfare, the starting point of an attack is not always a data center or a military network. Sometimes a forgotten, passwordless, internet connected device in the corner of a gas station is enough to turn a technical weakness into a political message.
