
Weak authentication, exposed ICS environments heighten concerns over Iranian cyber intrusions into US critical infrastructure


Iranian-aligned cyber actors are increasingly targeting weakly secured U.S. critical infrastructure systems, exploiting gaps in basic cyber hygiene and exposed industrial environments, according to a policy analysis published by the Foundation for Defense of Democracies (FDD). The report highlights that attackers have already accessed OT (operational technology) infrastructure in multiple states, including gas station tank gauge systems that were exposed online with default or no passwords, allowing intruders to manipulate display data without altering actual fuel levels. The activity reflects a broader pattern in which Iran-linked groups probe publicly accessible ICS (industrial control systems), especially where authentication and segmentation are weak, creating opportunities for disruption rather than outright destruction. 

The FDD analysis warns that these intrusions are part of a sustained campaign against sectors such as energy, water, and other essential services, with U.S. agencies repeatedly flagging Iran-aligned efforts to exploit internet-facing programmable logic controllers and supervisory control systems. While many of the observed incidents have so far resulted in limited operational impact, officials caution that the intent is shifting toward disruption and psychological pressure, particularly in environments where security controls are minimal or outdated. 

The report argues that strengthening defenses at the device and configuration level is now critical, as adversaries continue to exploit uneven cybersecurity maturity across America’s distributed infrastructure footprint. 

“The hackers breached tank gauge systems at gas stations in multiple U.S. states. The systems, used to monitor fuel levels, were exposed online with either default passwords or no password protection at all,” Johanna Yang, CCTI policy analyst, and Ari Ben Am, CCTI Adjunct Fellow, wrote in a Wednesday FDD policy brief. “While the attackers did not affect the actual fuel levels, they interfered with display information, potentially blinding the station owners and operators to gas leaks or empty tanks.” 

The authors noted that the Iranian threat actors, who have been ‘unable to pull off sophisticated operations like their Chinese or Russian counterparts,’ often fuse their cyber operations with influence operations for maximum societal impact. “This approach is persistent across Iran’s military and intelligence agencies, such as the IRGC and the Ministry of Intelligence and Security, both of which run operations via hacktivist front groups.” 

They added that, while Iran likely aims to stoke fear, “Iranian threat actors can get lucky and hit large or high-profile targets, as demonstrated by their targeting of FBI Director Kash Patel and the attack against medical technology firm Stryker.”

They noted that the hacks are yet another example of attempts by Iran-aligned hacking groups to compromise U.S. critical infrastructure. “The Cybersecurity and Infrastructure Security Agency (CISA) has warned that Iran-linked hackers are actively exploiting vulnerabilities in industrial control systems across critical infrastructure in the United States. The hackers were able to cause disruptions and information manipulation through malicious activity with system files, resulting in operational delays and financial losses.”

Yang and Ben Am highlighted that Iran often oversells the impact of its attacks. “In April, for example, the suspected Iranian hacking group known as Ababil of Minab claimed responsibility for an attack on the Los Angeles transit authority. The group claimed to be holding internal systems at risk. While the transit authority confirmed that hackers gained partial access to its systems, the hack did not disrupt bus or light rail service.”

“The latest attack resembles previous efforts by hacking group APTIRAN to compromise gas stations in Pennsylvania. APTIRAN, likely affiliated with the Tehran regime’s Islamic Revolutionary Guard Corps (IRGC), claimed to have compromised the same tank gauge systems, posting screenshots alleging its successful data collection,” they observed. “Ultimately, neither the companies nor law enforcement publicly confirmed that anything had occurred.”

The FDD recognizes that the systems that Iran is exploiting either have default passwords or none at all. “Critical infrastructure owners and operators must install their products with better cybersecurity in mind. The U.S. government should work with critical infrastructure vendors through its Secure by Design initiative to ensure that technology is manufactured with security in mind, such as requiring the user to change the factory password before proceeding with installation.” 
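The Secure by Design recommendation above (make the installer change the factory password before the device will finish setup) can be expressed as a small provisioning gate. The following is an added example written for this article, not code from FDD or from any tank gauge vendor; the account names and factory defaults in FACTORY_DEFAULTS are constructed placeholders, not real product credentials. It refuses blank passwords, refuses any factory default, stores passwords only as salted scrypt hashes, and disables remote logins entirely until every factory account has been re-credentialed.

```python
import hashlib
import hmac
import os

# Constructed placeholder defaults for illustration only (not any real product's credentials)
FACTORY_DEFAULTS = {"admin": "admin", "operator": ""}
MIN_LENGTH = 12


class ProvisioningError(Exception):
    """Raised when setup is attempted in a way Secure by Design would forbid."""


class DeviceProvisioner:
    """First-boot gate: the device stays unreachable until defaults are gone."""

    def __init__(self, factory_defaults):
        self._factory_defaults = dict(factory_defaults)
        self._credentials = {}  # user -> (salt, scrypt digest)
        self.provisioned = False

    def validate_password(self, user, password):
        # Blank passwords are exactly the exposure described in the report.
        if password == "":
            raise ProvisioningError("blank password not allowed")
        # Reject the factory default for *any* account, not just this one.
        if password in self._factory_defaults.values():
            raise ProvisioningError("factory default password not allowed")
        if len(password) < MIN_LENGTH:
            raise ProvisioningError(f"password shorter than {MIN_LENGTH} characters")
        if user.lower() in password.lower():
            raise ProvisioningError("password must not contain the account name")
        return True

    def set_password(self, user, password):
        self.validate_password(user, password)
        salt = os.urandom(16)
        # scrypt (stdlib) so the stored value is useless if the config is ever dumped
        digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
        self._credentials[user] = (salt, digest)
        return True

    def complete_setup(self):
        # Installation cannot finish while any factory account still has its default.
        still_default = [u for u in self._factory_defaults if u not in self._credentials]
        if still_default:
            raise ProvisioningError(f"accounts still on factory defaults: {still_default}")
        self.provisioned = True
        return True

    def verify(self, user, password):
        # Remote authentication is disabled outright until setup has completed.
        if not self.provisioned:
            return False
        record = self._credentials.get(user)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    device = DeviceProvisioner(FACTORY_DEFAULTS)
    device.set_password("admin", "Tank-Site-42-Quartz")
    device.set_password("operator", "Forecourt-Monitor-77")
    device.complete_setup()
    print("admin login with default rejected:", not device.verify("admin", "admin"))
```

The important design choice is that verify() returns False for everyone, including a correct password, until complete_setup() has succeeded; a device that can be reached over the network before the installer has replaced its defaults is the condition the report describes.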

Clearly, amid Iran’s increasing cyber aggression against the U.S., essential service providers must make themselves much harder targets.

The FDD message comes as Microsoft disclosed disruption of a cybercrime operation known as Fox Tempest, a malware-signing-as-a-service (MSaaS) platform that enabled ransomware gangs and other threat actors to disguise malicious software as legitimate applications. Active since May 2025, the service was used to infect thousands of machines and compromise networks worldwide through fraudulent abuse of Microsoft’s code-signing infrastructure. Microsoft linked the operation to ransomware actors, including Vanilla Tempest, and malware families such as Oyster, Lumma Stealer, Vidar, INC, Qilin, and Akira.