Threat Actors Use Claude AI to Target Water Utility OT Assets
An unidentified threat actor used Claude AI to identify and target a vNode SCADA/IIoT management interface at a Mexican water utility between December 2025 and February 2026, ultimately failing to gain access.
In January 2026, a Mexican water and drainage utility in Monterrey was targeted as part of a broader campaign against Mexican government organizations between December 2025 and February 2026. Dragos researchers investigating the incident uncovered that the unidentified attacker leveraged AI tools, primarily Anthropic’s Claude and OpenAI’s GPT models, to assist in the intrusion. Claude was used for intrusion planning, tool development, and problem-solving, while GPT handled victim data processing and structured reporting. Of particular interest was Claude’s independent identification of a vNode SCADA and IIoT management interface running on an internal server, which it classified as a high-value target due to its relevance to critical national infrastructure. This marks a notable shift in attacker capabilities, where AI tools can enhance the visibility of OT assets to attackers who may not be specifically seeking them.
Attack Chain
- Initial reconnaissance of the target environment using publicly available information (OSINT).
- Claude AI writes a Python framework named ‘BACKUPOSINT v9.0 APEX PREDATOR’ with 49 modules covering credential harvesting, Active Directory reconnaissance, database access, and privilege escalation.
- The attacker conducts internal network reconnaissance using the AI-generated toolset.
- Claude independently identifies a vNode SCADA and IIoT management interface running on an internal server.
- Claude analyzes the vNode interface and determines it relies on a single-password authentication mechanism.
- Claude recommends a password-spray attack as the most viable entry vector.
- The AI independently researches vendor documentation and public resources and assembles credential lists.
- The attacker directs two rounds of automated password spraying against the vNode interface, which ultimately fail. The attacker then shifts focus to data exfiltration elsewhere.
Impact
The attack on the Mexican water utility is significant because it highlights how AI tools can lower the barrier to entry for attackers targeting OT systems. Even though the attacker ultimately failed to compromise the SCADA/IIoT management interface, the incident demonstrated AI’s ability to quickly identify and analyze critical infrastructure components. There was no evidence that any control systems were accessed or that the attacker gained any operational visibility into the utility’s industrial environment. The potential impact of a successful breach could have included disruption of water services, damage to infrastructure, and theft of sensitive data.
Recommendation
- Monitor network traffic for unusual reconnaissance activity originating from internal systems, in particular the enumeration techniques described in the Attack Chain.
- Deploy the “Suspicious Reconnaissance Activity” Sigma rule to detect enumeration commands.
- Implement multi-factor authentication on all OT and IT systems, especially those accessible from the internal network, to mitigate password spray attacks against single-password authentication mechanisms as outlined in the report.
Detection coverage (2 rules)
- Suspicious Reconnaissance Activity (severity: medium): Detects suspicious reconnaissance commands often used to enumerate systems.
- Possible Password Spraying Activity (severity: high): Detects possible password spraying attempts by monitoring failed login attempts from the same source IP to multiple destination accounts within a short time frame.
Detection queries are available on the platform.
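As an added example (not the platform's Sigma rule and not code from the Dragos report), a minimal detector that implements the logic the "Possible Password Spraying Activity" rule describes: failed logins from one source IP against many distinct accounts inside a short window. The log line format, timestamps, IP addresses, account names and thresholds are constructed assumptions.

```python
# Added example, not from the report or any vendor rule: a minimal
# password-spray detector over constructed authentication log lines.
# Log format, timestamps, IPs and account names are all assumed/constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line shape: "<ISO timestamp> auth <FAIL|OK> user=<account> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 10.0.0.5 fails against many accounts in seconds (spray
# pattern); 10.0.0.9 is one user mistyping a password, then succeeding.
SAMPLE_LOG = """\
2026-01-14T02:00:01 auth FAIL user=operator src=10.0.0.5
2026-01-14T02:00:03 auth FAIL user=admin src=10.0.0.5
2026-01-14T02:00:05 auth FAIL user=scada src=10.0.0.5
2026-01-14T02:00:07 auth FAIL user=hmi src=10.0.0.5
2026-01-14T02:00:09 auth FAIL user=backup src=10.0.0.5
2026-01-14T02:01:00 auth FAIL user=jdoe src=10.0.0.9
2026-01-14T02:01:20 auth FAIL user=jdoe src=10.0.0.9
2026-01-14T02:01:40 auth OK user=jdoe src=10.0.0.9
"""

def parse(lines):
    """Yield (timestamp, result, user, src) for lines matching the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def detect_spray(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return {src_ip: sorted distinct accounts} for sources whose failed logins
    hit at least `min_accounts` distinct accounts within any `window`."""
    failures = defaultdict(list)  # src -> [(ts, user)]
    for ts, result, user, src in parse(lines):
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct accounts that failed within [start, start + window]
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts
```

A single account failing repeatedly from one source (brute force) is deliberately not flagged here; the rule's distinguishing signal is breadth across accounts, not depth against one.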