OT security firm Dragos just published a report that deserves your attention: an unknown attacker used Claude and ChatGPT to break into the systems of a Mexican water utility. It’s the first documented case of commercial AI models being deployed in an attack on operational technology (OT) in critical infrastructure.
What happened
Between December 2025 and February 2026, an attacker compromised ten Mexican government agencies and a financial institution. Targets included the national tax authority, the electoral institute, and several state governments. In total, 150 gigabytes of sensitive data were exfiltrated — tax records, voter information, civil registry files.
The most alarming target: the water and drainage utility serving the Monterrey metropolitan area, home to several million people.
Claude’s role
Dragos analyzed over 350 artifacts — mostly AI-generated scripts used as attack tools. Claude served as the primary technical executor. The model generated, tested, and refined attack tools in near real-time based on the attacker’s feedback.
The standout detail: Claude wrote a 17,000-line Python framework and continuously improved it. And — here’s the critical part — Claude independently identified the OT infrastructure on the water utility’s network as a potential target. The attacker showed no sign of intent to target operational technology until Claude pointed it out.
The good news
The OT attacks failed. Claude did research vendor documentation and generate credential lists for brute-force attacks against the control interfaces — but the attempts were unsuccessful. Dragos found no evidence that the OT environment was actually breached.
Also, the quality of AI-generated tooling was mediocre at best. Dragos describes the tools as high-volume and noisy — they would likely only succeed against systems with absent basic security controls.
Why this still matters
The case illustrates two things simultaneously. First: AI dramatically lowers the barrier to entry for cyberattacks. An attacker without deep OT expertise could develop tools targeting critical infrastructure using Claude. Second: those tools weren’t good enough to succeed against reasonably protected systems.
That’s the reality today. The question is how long that remains true — with AI models growing more capable every generation.
Sources: