Key Takeaways
- Iranian‑aligned cyber actors are repeatedly exploiting poorly secured U.S. operational technology (OT) devices, such as gas‑station tank‑gauge systems that were left online with default or no passwords.
- Intrusions so far have mainly altered display information rather than causing physical damage, but the intent appears to be shifting toward disruption and psychological pressure.
- The attacks take advantage of uneven cybersecurity maturity across the nation’s distributed critical‑infrastructure footprint, highlighting the need for basic hygiene improvements.
- Defense‑in‑depth measures—changing factory defaults, segmenting OT networks, and adopting “secure‑by‑design” procurement—are urged as immediate priorities.
- Iran often pairs limited technical successes with influence operations, exaggerating impact to sow fear and undermine public confidence.
- U.S. agencies, including CISA, have repeatedly warned that Iran‑linked groups continue to scan for and compromise internet‑facing industrial control systems (ICS).
- Parallel threats, such as Microsoft’s takedown of the Fox Tempest malware‑signing‑as‑a‑service platform, illustrate the broader ecosystem in which Iranian actors operate.
Overview of the FDD Findings
A policy analysis released by the Foundation for Defense of Democracies (FDD) warns that Iranian‑aligned cyber actors are increasingly targeting weakly secured U.S. critical‑infrastructure systems. The report notes that attackers have already gained access to operational‑technology (OT) environments in multiple states, exploiting gaps in basic cyber hygiene such as missing or default passwords on internet‑facing devices. While the observed incidents have so far produced limited operational impact, the analysis stresses that the pattern reflects a deliberate effort to probe and potentially disrupt essential services.
Gas‑Station Tank‑Gauge Compromises
One concrete example highlighted in the FDD brief involves tank‑gauge systems at gasoline stations across several U.S. states. These devices, which monitor fuel levels in underground tanks, were left exposed on the public internet with either factory‑default credentials or no password protection at all. Intruders were able to log in and manipulate the display readouts, showing false fuel levels or alarm statuses without actually altering the quantity of fuel stored.
Impact on Display Information Only
Although the attackers succeeded in changing what station operators saw on their screens, they did not affect the underlying fuel quantities or cause any physical spillage or overflow. The manipulation could, however, blind operators to real problems such as leaks, over‑filling, or empty tanks, potentially leading to safety hazards or financial losses if left unchecked. The FDD authors emphasize that even this limited interference can erode trust in the reliability of essential services.
Broader Pattern of ICS Probing
The tank‑gauge intrusions are part of a wider trend in which Iran‑linked groups scan for and attempt to compromise publicly accessible industrial control systems (ICS). The report points out that many of these systems suffer from weak authentication mechanisms, insufficient network segmentation, and outdated firmware—conditions that make them attractive low‑hanging fruit for adversaries seeking to demonstrate capability without needing sophisticated exploits.
Shifting Intent Toward Disruption
While many of the observed actions have resulted in only superficial effects, U.S. officials caution that the strategic goal is evolving. Iranian actors appear to be moving from simple reconnaissance and nuisance‑level tampering toward attempts that could cause operational disruption or generate psychological pressure on populations that rely on uninterrupted energy, water, and other essential services. The aim is to create uncertainty and fear, even if the technical impact remains modest.
Recommendations for Strengthening Defenses
To counter this threat, the FDD analysis urges owners and operators of critical infrastructure to prioritize basic cybersecurity hygiene at the device level. Specific actions include changing factory‑default passwords before deployment, enforcing strong, unique credentials for all OT devices, and disabling unnecessary remote‑access services. Additionally, the report advocates for broader adoption of the U.S. government’s “Secure by Design” initiative, which would require manufacturers to build security into products from the outset—such as mandating password changes during initial setup and providing clear guidance on network segmentation.
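One way to turn these recommendations into a repeatable check, as an added example that is not from the FDD brief: a short Python audit over an OT asset inventory that flags the gaps the brief names (missing or default credentials, unnecessary remote-access services, internet exposure, missing segmentation) and ranks devices worst-first so an exposed, unauthenticated tank gauge surfaces at the top. The inventory, device names, and per-role allowed-service baseline are constructed placeholders, not real assets or a vendor list.

```python
from dataclasses import dataclass
# Remote-access services each role legitimately needs (constructed baseline, not a vendor list).
ALLOWED_SERVICES = {"tank-gauge": set(), "plc": {"web"}, "hmi": {"web"}}
RANK = {"critical": 0, "high": 1, "medium": 2, "ok": 3}

@dataclass
class OtDevice:
    name: str
    role: str
    internet_reachable: bool     # management interface answers from the public internet
    password_set: bool           # any credential configured at all
    default_credentials: bool    # still on the factory-shipped credential
    segmented: bool              # sits in an OT zone behind a firewall, not a flat LAN
    remote_services: tuple = ()  # remote-access services left enabled

def audit(dev: OtDevice) -> list[str]:
    """List the hygiene gaps on one device, in the order the brief raises them."""
    gaps = []
    if not dev.password_set:
        gaps.append("no password configured")
    elif dev.default_credentials:
        gaps.append("factory-default credential still in use")
    extra = set(dev.remote_services) - ALLOWED_SERVICES.get(dev.role, set())
    if extra:
        gaps.append("unnecessary remote-access services: " + ", ".join(sorted(extra)))
    if dev.internet_reachable:
        gaps.append("management interface exposed to the internet")
    if not dev.segmented:
        gaps.append("not on a segmented OT network")
    return gaps

def severity(dev: OtDevice) -> str:
    """Internet-exposed plus weak or missing credentials is the tank-gauge case: fix first."""
    weak_cred = not dev.password_set or dev.default_credentials
    if dev.internet_reachable and weak_cred:
        return "critical"
    if dev.internet_reachable or weak_cred:
        return "high"
    return "medium" if audit(dev) else "ok"

def prioritize(devices: list[OtDevice]) -> list[tuple[str, str, list[str]]]:
    # Worklist sorted worst-first as (severity, device name, gaps); ties broken by name.
    return sorted(((severity(d), d.name, audit(d)) for d in devices), key=lambda r: (RANK[r[0]], r[1]))

# Constructed sample inventory; names are placeholders, not real sites or devices.
INVENTORY = [
    OtDevice("ATG-PA-01", "tank-gauge", True, False, False, False, ("telnet",)),
    OtDevice("ATG-OH-02", "tank-gauge", False, True, True, True),
    OtDevice("PLC-WTR-07", "plc", True, True, False, False, ("vnc", "web")),
    OtDevice("HMI-OK-03", "hmi", False, True, False, True, ("web",)),
]
```

Feeding a real inventory export into `INVENTORY` yields a remediation worklist that matches the brief's ordering: exposed devices with no or default credentials first, then credential or exposure problems alone, then segmentation and service cleanup.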
Coupling Cyber Attacks with Influence Operations
The analysis notes that Iran frequently couples its modest cyber successes with propaganda campaigns designed to amplify perceived impact. Groups linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security often operate through hacktivist front organizations, claiming responsibility for attacks and releasing screenshots or statements that exaggerate the consequences. This dual approach seeks to sow panic, undermine confidence in government and industry, and achieve strategic effects far beyond the actual technical damage.
Examples of Overstated Claims and Notable Targets
Several recent incidents illustrate this pattern. In April, a group calling itself Ababil of Minab claimed to have compromised the Los Angeles transit authority’s internal systems, threatening to hold them hostage; the agency confirmed only partial access with no service disruption. Similarly, the APTIRAN group—believed to be tied to the IRGC—posted screenshots alleging successful intrusion into gas‑station tank‑gauge systems in Pennsylvania, though neither the affected companies nor law enforcement verified any real effect. The report also references Iran’s attempts to target high‑profile figures such as FBI Director Kash Patel and the medical‑technology firm Stryker, underscoring the regime’s willingness to pursue both low‑level and high‑visibility targets.
Government Warnings and Vendor Cooperation
U.S. agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA), have issued repeated alerts that Iran‑linked actors actively scan for and exploit vulnerabilities in internet‑facing programmable logic controllers (PLCs) and supervisory control and data‑acquisition (SCADA) systems across critical sectors. CISA urges owners to apply patches, disable unnecessary services, and monitor for anomalous traffic. The FDD brief reinforces the call for federal‑private collaboration, urging the government to work with manufacturers through secure‑by‑design programs to ensure that new OT devices ship with security enabled by default.
Related Cyber‑Threat Landscape: Microsoft’s Fox Tempest Takedown
While the primary focus of the FDD report is Iran’s infrastructure probing, the broader threat environment includes financially motivated cybercrime operations that can enable or amplify state‑linked activity. Microsoft recently disclosed the disruption of Fox Tempest, a malware‑signing‑as‑a‑service (MSaaS) platform active since May 2025 that allowed ransomware gangs and other threat actors to sign malicious code with legitimate‑looking certificates. The service facilitated the distribution of families such as Oyster, Lumma Stealer, Vidar, INC, Qilin, and Akira, illustrating how criminal ecosystems can intersect with geopolitical threats and increase the overall risk to critical infrastructure.
Conclusion
The FDD analysis makes clear that Iranian‑aligned cyber actors are capitalizing on basic security lapses across America’s dispersed critical‑infrastructure landscape. Although their current capabilities appear limited compared with those of Chinese or Russian counterparts, the strategic intent—to cause disruption, spread fear, and leverage influence operations—demands immediate remedial action. By enforcing strong password policies, segmenting OT networks, demanding security‑by‑design from vendors, and maintaining vigilant monitoring, U.S. critical‑infrastructure owners can significantly raise the cost for attackers and reduce the likelihood of successful intrusion.