
    Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion

    By admin | May 7, 2026

    Cybersecurity firm Dragos has released a threat intelligence report detailing an intrusion into a municipal water and drainage utility in Monterrey, Mexico, in which an unidentified threat actor made extensive use of AI tools to assist its operation. 

    The attack on the water utility took place in January 2026 but was part of a broader campaign targeting multiple Mexican government organizations between December 2025 and February 2026. The campaign was initially uncovered by researchers at Gambit Security, who brought Dragos in specifically to evaluate the threat to industrial control systems (ICS) at the water utility.

    What distinguished this intrusion from typical cyberattacks was the central role of Anthropic’s Claude and OpenAI’s GPT models, which together served as an AI-assisted operational engine. 

    Claude served as the primary technical workhorse, handling intrusion planning, tool development, and problem-solving, while GPT handled victim data processing and structured reporting. 

    Among the most striking artifacts recovered by researchers was a 17,000-line Python framework that Claude wrote and continuously refined in response to the attacker’s feedback. The script, which Claude named ‘BACKUPOSINT v9.0 APEX PREDATOR’, contained 49 modules drawing on publicly available offensive security techniques, covering everything from credential harvesting and Active Directory reconnaissance to database access and privilege escalation. 

    Dragos noted that while the toolset was not particularly sophisticated or novel, the speed at which Claude assembled, tested, and iterated on it was operationally significant, compressing what would have taken days or weeks of development into hours.

    The most consequential AI-assisted action, from an industrial security standpoint, came when Claude independently identified a vNode SCADA and IIoT management interface running on an internal server. 

    Crucially, the attacker did not specifically ask the AI to look for operational technology (OT) systems. Claude identified the platform on its own during broad internal network reconnaissance, classified it as high-value due to its relevance to critical national infrastructure, and recommended it as a priority target. 

    This unprompted identification of an OT-adjacent asset by a general-purpose AI model is what Dragos flagged as a particularly important development for the industrial security community.

    Claude went on to analyze the vNode interface, determined it relied on a single-password authentication mechanism, and recommended a password-spray attack as the most viable entry vector. 

    The AI then independently researched vendor documentation and public resources, assembled credential lists, and directed two rounds of automated spraying against the interface. 

    All attempts ultimately failed, and the attacker shifted focus to data exfiltration elsewhere. Dragos found no evidence that any control systems were accessed or that the attacker gained any operational visibility into the utility’s industrial environment.

    Despite the failed OT breach attempt, Dragos pointed out that the incident carries significant implications, with AI tools such as Claude making OT more visible to attackers who may not be specifically looking for such systems.

    Dragos was careful to note, however, that autonomous or agentic AI independently executing attacks, a scenario that has attracted considerable public alarm, does not currently reflect the reality of adversary capabilities in the ICS/OT threat landscape.

    The attacker behind this campaign remains unidentified, with no links established to any known state or criminal group, though consistent use of Spanish was noted as a behavioral indicator. Dragos is tracking the activity as TAT26-12 (TAT stands for Temporary Activity Thread).

    The full report is available in PDF format.
