Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion
Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion
Publish Date: 2026-05-07 03:35:00
Source Domain: www.securityweek.com
Cybersecurity firm Dragos has released a threat intelligence report detailing an intrusion into a municipal water and drainage utility in Monterrey, Mexico, in which an unidentified threat actor made extensive use of AI tools to assist its operation.
The hacker attack on the water utility took place in January 2026, but was part of a broader campaign targeting multiple Mexican government organizations between December 2025 and February 2026. The campaign was initially uncovered by researchers at Gambit Security, who brought Dragos in specifically to evaluate the threat to industrial control systems (ICS) at the water utility.
What distinguished this intrusion from typical cyberattacks was the central role of Anthropic’s Claude and OpenAI’s GPT models, which together served as an AI-assisted operational engine.
Claude served as the primary technical workhorse, handling intrusion planning, tool development, and problem-solving, while GPT handled victim data processing and structured reporting.
Among the most striking artifacts recovered by researchers was a 17,000-line Python framework that Claude wrote and continuously refined in response to the attacker’s feedback. The script, which Claude named ‘BACKUPOSINT v9.0 APEX PREDATOR’, contained 49 modules drawing on publicly available offensive security techniques, covering everything from credential harvesting and Active Directory reconnaissance to database access and privilege escalation.
Dragos noted that while the toolset was not particularly sophisticated or novel, the speed at which Claude assembled, tested, and iterated on it was operationally significant, compressing what would have taken days or weeks of development into hours.
The most consequential AI-assisted action, from an industrial security standpoint, came when Claude independently identified a vNode SCADA and IIoT management interface running on an internal server.
