An unknown cyber threat group abused Anthropic’s Claude AI to assist in a sophisticated takeover attempt against a local water utility in Mexico, according to a report released Wednesday by Dragos.
The attack was part of a larger months-long campaign between December of 2025 and February of this year targeting multiple government agencies inside the country. Researchers said the incident raised troubling questions about how attackers quickly weaponized Claude against a critical sector, with almost no prior training or contextual knowledge.
“In this case, the AI rapidly interpreted an unfamiliar environment, identified OT infrastructure and began developing plausible access paths without prior ICS/OT specific context,” Jay Deen, associate principal adversary hunter at Dragos, told Cybersecurity Dive.
The attack was part of a larger campaign against nine different federal, state and municipal government agencies in Mexico, according to a report by Gambit Security. The hackers ultimately fell short in their attempt to breach the operational technology environment, but used AI tools to conduct wide activity after breaching the IT environment.
Claude Code, OpenAI were used
The attackers leveraged Claude Code and OpenAI’s GPT-4.1 AP to steal hundreds of millions of citizen records and compromise thousands of servers, according to Gambit. The vast majority of the technical work, including reconnaissance, customizing exploits, escalating privileges and credential harvesting, was done through the AI tools. However, several victim organizations were compromised with manual hacking methods, according to Gambit.
Attackers compromised the water utility’s IT environment starting in January, according to Dragos. Dragos was brought into the investigation to analyze the OT impact.
The Dragos investigation found that hackers used Claude to conduct reconnaissance on the water utility. Without any prior ICS/OT-specific context, the AI was able to identify a server that operated as a vNode industrial gateway inside the water utility.
Claude then identified a single-password authentication interface and began conducting extensive research into vendor documentation. Claude generated a list using a combination of default and victim-specific credentials, before launching a password-spray attack, according to Dragos.
The attempted attack on the OT system ultimately failed, but Dragos said the campaign demonstrated the ability to use AI to conduct far more sophisticated attacks than previously known. The hackers in this particular case demonstrated little to no prior knowledge of ICS or OT environments and the AI was used to conduct an otherwise time-consuming and difficult recon and attack process, according to Dragos.
“The evidence presented by Gambit clearly showed that Claude accelerated the adversary’s broader IT intrusion by rapidly applying known offensive techniques,” Deen said, “which enabled a wider expansion of activity across multiple compromised enterprise IT environments.”
During the investigation, Dragos analyzed about 350 artifacts, mainly comprised of AI-generated malicious scripts used for offensive tooling.
Malicious AI a threat to OT
Abusing AI tools for malicious activity is not unique to this particular attack, as Anthropic previously warned about a state-linked espionage campaign from September 2025.
The Mexico incident underscores how current OT environments are not properly secured against such threats, according to Ari Ben Am, adjunct fellow at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
“Threat actors no longer need specialized operational technology and industrial control system knowledge,” Ben Am told Cybersecurity Dive. “Using AI, threat actors can act with little to no previous knowledge.”
