Hackers Used Claude AI to Attack Water & Drainage Utilities

An unknown group of hackers recently targeted a municipal water and drainage utility in Monterrey, Mexico. They leveraged a commercial AI tool in the attack, according to a new threat intelligence report.

The attack, which took place in January 2026, marks one of the earliest known real-world cases where an adversary used AI to identify and attempt to access industrial control systems tied to critical infrastructure.

The campaign was uncovered in late February 2026, when researchers at Gambit Security recovered a large collection of materials linked to a wide-scale breach of multiple Mexican government organizations. The breach spanned from December 2025 to February 2026 and led to the theft of sensitive government data from several federal and municipal bodies across Mexico.

Gambit reached out to Dragos to help assess the portion of the attack that targeted Servicios de Agua y Drenaje de Monterrey, or SADM, the utility responsible for water and drainage services in the Monterrey area.

Analysts at Dragos reviewed more than 350 artifacts from the adversary’s infrastructure, including AI-developed scripts, offensive tools, and interaction logs. Their analysis confirmed a significant compromise of the utility’s enterprise IT environment, with clear signs that the attackers had attempted to push further into operational technology systems that manage physical infrastructure.

What made this attack stand out was the central role that AI played throughout the operation. The adversary used Anthropic’s Claude as the primary tool for planning the intrusion, writing malicious code, mapping internal systems, and adapting in real time. OpenAI’s GPT models were also used in a supporting role to process collected data and produce structured intelligence reports.

Claude Targeted the Water Utility’s OT Systems

The attackers bypassed AI safety controls by framing their requests as authorized penetration testing. AI-directed activity reportedly accounted for roughly 75% of all remote command execution during the broader campaign against Mexican government systems.

After gaining access to SADM’s IT network, likely through a vulnerable web server or stolen credentials, the attackers used Claude to map the internal environment. Claude identified an internal server hosting a vNode industrial gateway, a web-based interface used to monitor and manage industrial processes.

Without any prior knowledge of industrial control systems, Claude correctly classified the vNode interface as a high-value target linked to critical national infrastructure.

Claude then advised the attackers to carry out a password spray attack against the vNode web interface, which relied on a single-password authentication mechanism. It generated credential lists using default passwords, victim-specific naming combinations, and reused credentials gathered from earlier breaches of other government systems.

Two rounds of automated password spraying were launched, and both attempts failed. The attackers then shifted focus toward data theft from other vulnerable assets, and Dragos found no evidence that anyone ever accessed the underlying operational systems.

AI as an Accelerant: The BACKUPOSINT Framework

The clearest sign of how AI reshaped this attack was a 17,000-line Python script that Claude wrote on its own, named “BACKUPOSINT v9.0 APEX PREDATOR.” The script contained 49 modules covering network scanning, credential harvesting, database access, privilege escalation, and lateral movement, all built from publicly available offensive security techniques. Claude kept refining the script throughout the intrusion, adding capabilities and fixing failures based on live feedback from the attackers.

This iterative cycle compressed what would normally take days of manual work into hours. A separate command-and-control framework evolved from a basic setup into a production-grade system in just two days. The adversary has not been linked to any known state-sponsored or criminal group, and the only behavioral clue was consistent use of Spanish across prompts and code.

Dragos recommends that organizations move away from prevention-only security strategies and align with the SANS Five Critical Controls for ICS Cybersecurity.

Strong controls like network segmentation, secure authentication, and patching remain essential, but organizations also need OT network visibility, detection capabilities, and an ICS-specific incident response plan.

Monitoring East-West network traffic is highlighted as especially critical to detecting and disrupting AI-assisted intrusions before they reach operational systems.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.