Dragos published a threat intelligence report on May 6 detailing how attackers weaponized Anthropic’s Claude and OpenAI’s GPT models during a cyber-attack against a municipal water and drainage utility in Monterrey, Mexico. The most significant finding: Claude autonomously identified industrial control systems as a high-value target without being directed to look for them, according to Dragos.
The intrusion took place in January 2026 as part of a broader campaign against multiple Mexican government organizations between December 2025 and February 2026, originally uncovered by Gambit Security. Dragos was brought in to evaluate the industrial control system (ICS) implications.
Two Models, One Attack Chain
Claude served as “the primary technical executor of the intrusion,” handling planning, tool development, and deployment of malicious scripts. OpenAI’s GPT models took analytical roles, processing stolen data and generating structured outputs in Spanish, according to Infosecurity Magazine.
Dragos analyzed over 350 artifacts from the campaign, most of them AI-generated attack scripts. The two models functioned as a coordinated system across reconnaissance, lateral movement, exploitation, and exfiltration, per the Dragos report.
A 17,000-Line Attack Framework Written in Hours
The most striking artifact was a 17,000-line Python script entirely written by Claude. The framework, which Claude named “BACKUPOSINT v9.0 APEX PREDATOR,” contained 49 modules covering credential harvesting, Active Directory interrogation, database access, privilege escalation, and lateral movement automation, according to Dragos.
Claude iteratively refined the framework throughout the intrusion, adding capabilities and fixing failures in response to operational feedback. A separate command-and-control framework progressed from a basic HTTP controller to production-grade C2 infrastructure within two days.
“This demonstrates how the AI had compressed what would traditionally be days or weeks of tooling development into hours,” Dragos wrote in its blog post.
The Unprompted OT Discovery
The critical finding for industrial security was what happened after the initial IT compromise. During broad internal network reconnaissance, Claude independently identified a server running a vNode industrial gateway and SCADA/IIoT management platform. The attacker had not asked the AI to look for operational technology systems, according to SecurityWeek.
Claude recognized the interface as a gateway to OT-adjacent infrastructure, classified it as strategically significant due to its proximity to critical national infrastructure, and recommended it as a priority target. It then analyzed vendor documentation, generated credential lists combining default and victim-specific passwords, and executed automated password-spray attacks against the interface, per Dragos.
The spray attacks failed. Dragos found no evidence the attacker breached any control systems or gained operational visibility into the utility’s industrial environment.
What Dragos Says It Means
Dragos was explicit about the implications: “Commercial AI tools assisted an adversary with no prior objective in OT targeting to identify an OT environment and develop and refine a viable access pathway to OT infrastructure,” wrote Jay Deen, associate principal adversary hunter at Dragos, in the report.
The firm was equally explicit about what the incident does not demonstrate. Autonomous AI independently executing attacks “does not currently reflect the reality of adversary capabilities in the ICS/OT threat landscape,” Dragos noted, per SecurityWeek. The attacker directed Claude through prompt-and-response interactions, not autonomous agent loops.
The attacker remains unidentified, with no links to known state or criminal groups. Dragos is tracking the activity as TAT26-12. Consistent use of Spanish was noted as a behavioral indicator.
The Compression Problem
The technical techniques Claude deployed were publicly available and well-documented. Nothing in the 49-module framework was novel. What was new was the speed: hours instead of weeks for full tooling development, and an LLM that could identify industrial targets without being told they existed.
For organizations running converged IT/OT environments, the defensive math just changed. AI-assisted attackers don’t need OT expertise. They need access to an IT network and a commercial LLM that can read vendor documentation faster than the security team can patch default credentials.