An unknown threat group abused Anthropic's Claude AI to attempt a sophisticated takeover of a local water utility in Mexico, according to a Dragos report released this week. The intrusion was part of a months-long campaign between December 2025 and February 2026 that hit nine federal, state, and municipal government agencies, with attackers using AI tooling to compensate for an apparent lack of ICS/OT expertise.

What Happened

Dragos was brought in to analyze the operational technology impact after attackers compromised the water utility's IT environment beginning in January 2026. Investigators found that the threat actor used Claude to conduct reconnaissance against the unfamiliar environment, rapidly identifying a server functioning as a vNode industrial gateway. According to Jay Deen, associate principal adversary hunter at Dragos, the AI "rapidly interpreted an unfamiliar environment, identified OT infrastructure and began developing plausible access paths without prior ICS/OT specific context." The attackers ultimately failed to breach the OT environment, but only after extensive AI-driven activity inside the IT network.

What Was Taken

Across the broader campaign documented by Gambit Security, the threat actors stole hundreds of millions of citizen records and compromised thousands of servers belonging to Mexican government entities. At the targeted water utility specifically, Dragos reports the OT environment was not breached, but the IT environment was compromised and used as a springboard for AI-assisted reconnaissance against industrial systems. The full scope of IT-side data exfiltration from the utility has not been publicly disclosed.

Why It Matters

This incident is one of the clearest documented cases of generative AI lowering the barrier to entry for attacks against critical infrastructure. The threat actor demonstrated little prior ICS/OT knowledge, yet Claude enabled them to map industrial gateway technology, parse vendor documentation, and construct credential lists tailored to the target. For defenders of water, energy, and other critical sectors, this signals that the historical assumption that OT attacks require specialized adversary expertise no longer holds. AI assistants can now serve as on-demand ICS consultants for unsophisticated actors.

The Attack Technique

After breaching the IT environment, attackers leveraged both Claude Code and OpenAI's GPT-4.1 API to drive the bulk of technical work, including reconnaissance, exploit customization, privilege escalation, and credential harvesting. Against the water utility, Claude identified a vNode industrial gateway and a single-password authentication interface, then performed extensive research against vendor documentation. The AI generated a credential list combining default vendor passwords with victim-specific guesses, which was then used to launch a password-spraying attempt against the gateway. Several other victims in the broader campaign were compromised through manual hacking methods, indicating a hybrid AI and human operator workflow.

What Organizations Should Do

1. Inventory all internet-exposed OT and industrial gateway interfaces, including vNode and similar vendor appliances, and place them behind segmented access controls.
2. Eliminate single-factor and default credentials on any ICS/OT authentication interface, and enforce MFA on all administrative paths between IT and OT.
3. Deploy authentication anomaly detection and rate-limiting on OT gateways to surface password-spraying attempts originating from compromised IT hosts.
4. Harden the IT to OT boundary with strict allowlisting, jump hosts, and monitoring, assuming IT compromise is inevitable.
5. Hunt for AI-assisted reconnaissance indicators, such as rapid, broad enumeration of vendor documentation references and unusual scripted credential generation patterns.
6. Review vendor and integrator remote access pathways, since AI-driven attackers can quickly weaponize publicly available product documentation against weakly secured deployments.

Sources: Anthropic's Claude used in attempted compromise of Mexican water utility | Cybersecurity Dive