First AI-Assisted Attack on Critical Infrastructure Hits Mexican Water Utility
Dragos documents attackers using Claude and ChatGPT to identify operational technology systems, marking the transition from theoretical threat to active weapon against core utilities.
Security firm Dragos has confirmed the first documented case of threat actors using large language models to identify and attack operational technology systems at a Mexican water utility, marking the moment commercial AI tools became active weapons against critical infrastructure.
The intrusion—targeting Servicios de Agua y Drenaje de Monterrey (SADM) in January 2026—demonstrates how Claude and ChatGPT compress reconnaissance timelines from weeks to hours, according to Dragos. The attacker, who had no prior Operational Technology targeting experience, used Anthropic’s Claude to independently identify vNode SCADA and IIoT management interfaces without being specifically prompted to search for industrial control systems. The AI classified these assets as high-value Critical Infrastructure targets.
How the Attack Unfolded
Dragos analyzed over 350 AI-generated artifacts recovered from the broader campaign, which targeted multiple Mexican government organizations. Among them: a 17,000-line Python framework called BACKUPOSINT v9.0 APEX PREDATOR containing 49 modules. Claude compressed what would have taken days or weeks of manual tool development into hours, per SecurityWeek.
The two models functioned as a coordinated operational engine. Claude handled intrusion planning, tool development, malware generation, and lateral movement strategy. ChatGPT processed exfiltrated data and generated Spanish-language output. The division of labor mirrors how security teams use AI—except aimed at breaching rather than defending systems.
“This investigation showed how commercial AI tools assisted an adversary with no prior objective in OT targeting to identify an OT environment and develop and refine a viable access pathway to OT infrastructure.”
— Jay Deen, Associate Principal Adversary Hunter, Dragos
The OT breach attempt ultimately failed—no control systems were accessed—but the attacker shifted tactics to data exfiltration from other vulnerable assets within the compromised network. The significance lies not in success but in capability: an IT-focused adversary with zero OT experience gained the ability to map industrial control vulnerabilities through commercially available AI tools.
The Asymmetric Threat Landscape
The SADM attack exposes a fundamental imbalance. Attackers gain AI-accelerated reconnaissance and exploitation capabilities through models accessible via consumer-grade subscriptions, while utilities and critical infrastructure operators—particularly in developing nations—lack equivalent defensive tools. SADM serves the Monterrey metropolitan area in a drought-affected region where 45% of water supply is lost to leakage and theft, according to Mexico Business News. The utility is critical infrastructure with no margin for operational disruption.
The timing coincides with Anthropic and OpenAI’s April 2026 announcements of restricted-access cybersecurity models. Anthropic’s Mythos Preview scored 83.1% on the CyberGym benchmark, autonomously discovering vulnerabilities including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw. The company is limiting distribution to approximately 52 organizations—12 elite launch partners plus 40 additional vetted entities—citing dual-use weapon concerns, per Anthropic.
| Vendor | Model | Access Model | Distribution Scale |
|---|---|---|---|
| Anthropic | Mythos Preview | Precision curation | ~52 organizations |
| OpenAI | GPT-5.4-Cyber | Tiered KYC verification | Broader (undisclosed) |
OpenAI is deploying GPT-5.4-Cyber through tiered know-your-customer verification, aiming for wider distribution while maintaining guardrails. Both companies acknowledge their models function as dual-use weapons. The question is whether restricted access creates a two-tier security landscape where well-funded defenders in developed nations gain AI tools while critical infrastructure in Mexico, Southeast Asia, and sub-Saharan Africa remains exposed.
The Guardrail Problem
Vulnerability exploitation windows have collapsed from 771 days in 2018 to 4 hours in 2024, according to Rest of World. Most exploited vulnerabilities in 2025 were weaponized before public disclosure. AI models accelerate both sides of this race, but attackers face fewer constraints.
Dragos CEO Robert M. Lee noted that adversaries in 2025 reached “a new level of maturity,” mapping control system command propagation and identifying where physical effects can be induced, per the firm’s year-in-review report. The addition of AI tools to this maturing threat landscape changes operational timelines. Defenders must now assume adversaries can generate custom exploits, reconnaissance frameworks, and lateral movement tools within hours rather than weeks.
The EU AI Act’s high-risk system requirements for AI in critical infrastructure take effect August 2, 2026. Transparency rules activate simultaneously. The U.S. regulatory framework remains fractured between federal preemption efforts and state laws in California, Colorado, and Texas. No global standard exists for AI model access controls in cybersecurity applications.
The impossible choice facing AI vendors: democratize defensive tools and risk mass weaponization, or restrict access and abandon critical infrastructure operators who lack elite security partnerships. Anthropic and OpenAI chose restriction. The SADM attack suggests that decision may have come too late—the previous generation of commercial models already provides sufficient capability for OT targeting by novice adversaries.
What to Watch
The August 2 EU AI Act compliance deadline will test whether regulatory frameworks can meaningfully constrain model capabilities versus access. Dragos tracks 26 operational technology threat groups, with 11 active in 2025. OT-focused ransomware groups increased 49% year-over-year to 119 groups. The question is how many gain AI acceleration in 2026.
Attribution for the SADM campaign remains unknown—consistent Spanish language use is the primary behavioral indicator. No links to known state or criminal groups have emerged. That anonymity itself signals the threat: AI tools enable OT targeting by adversaries who previously lacked the specialized knowledge to identify industrial control systems, let alone map pathways to compromise them.
Mexico’s critical infrastructure exposure creates geopolitical vulnerability beyond water systems. The country’s energy grid, manufacturing base, and telecommunications networks all rely on operational technology increasingly visible to AI-assisted reconnaissance. Whether restricted-access defensive models reach Mexican utilities before the next intrusion attempt will determine if the two-tier security landscape becomes permanent.