
Dragos details AI-assisted intrusion targeting Mexican water utility as Claude, OpenAI models used to pursue OT access


Industrial cybersecurity firm Dragos revealed details of an AI-assisted intrusion targeting a municipal water and drainage utility serving the Monterrey metropolitan area in Mexico, after researchers from Gambit Security uncovered a broader campaign that compromised multiple Mexican government organizations between December 2025 and February 2026. According to the investigation, the unidentified adversary used commercial AI models from Anthropic and OpenAI to accelerate reconnaissance, intrusion planning, malware development, lateral movement, and data exfiltration, while attempting to pivot from the utility’s enterprise IT network toward OT (operational technology) infrastructure. 

The analysis found that Anthropic’s Claude model served as the primary technical executor during the operation, autonomously identifying OT-adjacent infrastructure after discovering a server hosting a vNode industrial gateway and a SCADA (Supervisory Control and Data Acquisition)/IIoT (Industrial Internet of Things) management platform within the utility’s enterprise network. 

Dragos described vNode as a SCADA/IIoT management interface for centralized, web-based monitoring and control of industrial processes, serving as a data integration layer between OT systems and enterprise IT environments. “Without prior ICS/OT-specific context, Claude classified the vNode interface as a high-value target, citing its relevance to Critical National Infrastructure (CNI), and prioritized it as a potential pathway into an operational environment.”

It noted that the presence of a vNode interface alone does not indicate direct access to an OT environment. Common vNode deployment use cases feature a ‘store & forward’ architecture, in which an OT-resident interface communicates through a segmented DMZ to a separate IT-accessible interface. However, Claude correctly recognized the platform as OT-adjacent infrastructure and assessed it as a strategically significant target based on its potential proximity to an operational environment associated with the water and drainage utility’s control systems.

Dragos said the AI system correctly assessed the platform as strategically significant critical infrastructure despite having no prior OT-specific context, then researched vendor documentation, generated credential lists combining default and victim-specific passwords, and launched an automated password-spraying campaign against the interface. Investigators said the attempts ultimately failed and found no evidence that the attackers successfully breached the OT environment.

It added that the incident demonstrates how commercial AI tools are lowering the barrier to OT targeting by rapidly operationalizing publicly available offensive techniques rather than introducing novel industrial malware or specialized ICS tradecraft. 

Researchers observed that the adversary relied on familiar weaknesses such as credential abuse, exposed IT-to-OT pathways and weak authentication controls, but used AI to compress what would normally take days or weeks of tooling development and environment mapping into hours. The company warned that prevention-only security strategies are becoming increasingly insufficient as AI accelerates reconnaissance and attack preparation, arguing that industrial organizations need stronger OT visibility, detection and response capabilities alongside foundational controls such as segmentation, secure remote access and strong authentication. 

“In late February 2026, researchers at Gambit Security recovered a vast collection of materials related to a large-scale compromise of multiple Mexican government organizations between December 2025 and February 2026 and identified substantial evidence that an unknown adversary had leveraged Anthropic’s Claude and OpenAI’s GPT AI models to carry out core intrusion activities,” Jay Deen, associate principal adversary hunter at Dragos, detailed in a Wednesday blog post. 

Dragos assisted Gambit’s investigation, specifically focusing on an intrusion against a municipal water and drainage utility, and identified that a significant compromise of the utility’s enterprise IT environment had escalated into an attempt to breach an OT environment. 

Deen said the evidence showed that Claude acted as the primary technical executor and independently identified the OT environment’s relevance to critical infrastructure, assessed its potential as a crown jewel asset, and investigated possible access pathways to breach the IT-OT boundary.

“This investigation showed how commercial AI tools assisted an adversary with no prior objective in OT targeting to identify an OT environment and develop and refine a viable access pathway to OT infrastructure,” according to Deen. “These findings demonstrate how the adoption of commercial AI tools as an intrusion aid has made OT more visible to adversaries already operating within IT.” 

He added that as adversaries continue to integrate AI tools into their operations, the implications for defenders are twofold. First, organizations failing to implement basic security controls remain at heightened risk because AI can rapidly operationalize known offensive security techniques against exposed systems, such as exploiting weak authentication and default credentials to gain access. Second, as AI models continue to improve, prevention-only OT security strategies will become less effective. 

The analysis underscores that the risk is less about breakthrough AI capability and more about lowering the barrier to entry, as attackers can exploit common weaknesses such as remote access exposure and poor segmentation between IT and OT networks to move toward operational disruption, reinforcing that water utilities remain vulnerable due to legacy systems, distributed infrastructure and persistent gaps in fundamental cybersecurity controls. 

Gambit’s investigation of adversary infrastructure linked to the campaign found the intrusion resulted in the theft of substantial volumes of sensitive government data and civilian records from Mexico’s Federal Tax Authority, National Electoral Institute, City Civil Registry, and multiple state and municipal entities across Jalisco, Tamaulipas, the State of Mexico, Monterrey, and Michoacán. 

Gambit identified substantial evidence of AI-developed malicious scripts, offensive tooling, operational output, and AI interaction logs, demonstrating that the adversary leveraged Anthropic’s Claude and OpenAI’s GPT to support core operations throughout the campaign after bypassing safety controls and guardrails by framing prompts as authorized penetration testing. 

AI interaction logs showed commercial AI tools were used across multiple intrusion stages, including reconnaissance, weaponization, internal enumeration, and lateral movement, to establish persistent access within government enterprise IT networks. AI-directed activity accounted for approximately 75% of remote command execution and materially enabled the large-scale exfiltration of government data.

During late February, Gambit contacted Dragos to assist in the analysis of an intrusion affecting Servicios de Agua y Drenaje de Monterrey (SADM), a municipal water and drainage utility serving the Monterrey metropolitan area. Dragos’s analysis of recovered intrusion materials confirmed a significant compromise of the utility’s enterprise IT environment in January 2026. 

Dragos analyzed more than 350 artifacts, predominantly AI-developed malicious scripts and tooling, which provided detailed insight into how the adversary operationalized a synthesized AI approach using two commercial AI tools. Anthropic’s Claude primarily handled prompt-and-response interaction, intrusion planning, development, deployment, and iterative refinement of malicious tooling. OpenAI’s GPT models were assigned analytical roles to process collected victim data and generate structured output. 

Together, the two models functioned as a coordinated, AI-assisted operational capability across the reconnaissance, enumeration, exploitation, lateral movement, and exfiltration stages, with Claude serving as the primary technical executor, generating, testing, and refining tooling code in near real time based on operational feedback.

Dragos assessed that the framework’s extensive collection of offensive security capabilities could achieve their intended objectives during an intrusion. Yet, its operational use would likely generate high-volume, noisy workflows in which only a subset of functions would succeed when exposed assets or weak security controls were present.

“After initially compromising the Monterrey Water and Drainage Utility’s enterprise IT environment, likely via a vulnerable web server or stolen credentials, the adversary maintained established access to the victim’s internal network using multiple proxied tunnels,” Dragos reported. “With this foothold, the adversary tasked Claude with mapping and analyzing the internal environment. Claude conducted broad-ranging discovery and enumeration activities, identifying an internal server hosting a vNode industrial gateway platform.”

Dragos detailed that Claude subsequently analyzed the vNode server and identified a single-page application (SPA) web interface using a single-password authentication mechanism, which it assessed as a potential attack vector. 

“Claude’s response advised the adversary to pursue a password-spray attack against the interface, which the adversary prompted Claude to continue,” Dragos reported. “Claude then researched vendor documentation and public security articles, and generated credential lists that combined default credentials, victim and environment-specific naming credential combinations, and reused credentials harvested during the broader intrusion into other government systems.” 

It added that Claude directed two rounds of automated password spraying against the vNode web application. “All attempts were unsuccessful, and the adversary redirected attention toward data exfiltration from other vulnerable enterprise assets. Dragos observed no evidence of further activity against the vNode interface or that the adversary gained visibility into any underlying OT environment during the intrusion.”

In conclusion, Dragos said it observed a real-world operational use of commercial AI that materially assisted an adversary in progressing from enterprise IT compromise toward OT targeting within a critical infrastructure environment. “In this intrusion, AI supported rapid environmental analysis, identification of an OT-adjacent environment, development and refinement of intrusion tooling, and generation of a viable access path towards the IT-OT boundary using known techniques and publicly available tradecraft. This intrusion demonstrates that the adversary’s use of AI did not introduce novel offensive tradecraft or new ICS-specific capabilities. Its significance was in materially reducing the time, technical effort, and prerequisite expertise required to process intelligence and identify OT-relevant assets.”

For the ICS/OT community, Dragos identified that the implications are twofold. First, organizations failing to implement basic security controls remain at heightened risk because AI can rapidly operationalize known techniques against exposed systems, weak authentication, and default or reused credentials. Second, as AI models continue to improve, prevention-only OT security strategies will become less effective. 

Firewalls, segmentation, password changes, and patching remain necessary, but organizations also need OT network visibility, detection, and response capabilities to identify adversary activity when preventive controls fail. 
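An added example (not from Dragos, Gambit or the vendor) of detection logic for the kind of password spraying described above: because the interface uses a single password with no username, the usual "many accounts, one password" heuristic has nothing to count, so the code groups failed logins per source address into bursts and reports each burst as a round. The log format, field names, addresses and thresholds are constructed assumptions and do not reflect vNode's real logging.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log format for an OT-adjacent gateway's web login.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

def build_sample():
    """Constructed log lines: one admin typo, one host running two bursts."""
    lines = [
        "2026-01-14T01:00:00 src=10.20.1.5 path=/login status=401",
        "2026-01-14T01:00:20 src=10.20.1.5 path=/login status=200",
    ]
    base = datetime(2026, 1, 14, 2, 0, 0)
    for start in (base, base + timedelta(minutes=40)):
        for i in range(12):
            ts = (start + timedelta(seconds=3 * i)).isoformat()
            lines.append(f"{ts} src=10.20.5.17 path=/login status=401")
    return lines

def find_spray_rounds(lines, min_failures=10, max_gap=timedelta(seconds=30)):
    """Return (src, first, last, count) for each burst of failed logins."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["path"] != "/login" or m["status"] not in ("401", "403"):
            continue
        failures[m["src"]].append(datetime.fromisoformat(m["ts"]))
    findings = []
    for src, stamps in failures.items():
        stamps.sort()
        first, prev, count = stamps[0], stamps[0], 1
        for ts in stamps[1:] + [None]:  # None flushes the final burst
            if ts is not None and ts - prev <= max_gap:
                prev, count = ts, count + 1
                continue
            if count >= min_failures:
                findings.append((src, first, prev, count))
            if ts is not None:
                first, prev, count = ts, ts, 1
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for src, first, last, count in find_spray_rounds(build_sample()):
        print(f"{src}: {count} failed logins between {first} and {last}")
```

Tune `min_failures` and `max_gap` against the interface's normal login volume; on an interface that only a few engineering workstations should reach, any failure from an unexpected source is worth an alert on its own.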

Dragos recommended that organizations adopt the SANS Five Critical Controls for ICS Cybersecurity to strengthen OT defenses through a balanced approach spanning prevention, detection and response. The company warned that AI-assisted intrusions can rapidly identify OT access paths and exploit perimeter weaknesses following IT compromises, making strong detection capabilities, East-West traffic monitoring, secure architecture, strong authentication and ICS-specific incident response planning increasingly critical.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the Australian Cyber Security Centre and other international partners, published new guidance on the secure adoption of agentic artificial intelligence (agentic AI), outlining cybersecurity risks tied to deploying these systems. The document comes as critical infrastructure and defense sectors increasingly adopt agentic AI to support mission-critical operations and drive automation. As agentic AI systems play a growing operational role, defenders must implement security controls to protect national security and critical infrastructure from agentic AI-specific risks.


