A report released on May 8, 2026 by industrial cybersecurity firm Dragos — together with research from Gambit Security — revealed that an unidentified threat group used Anthropic’s Claude AI to assist in a sophisticated takeover attempt against a Mexican municipal water utility. The intrusion was part of a broader months-long campaign running from December 2025 through February 2026 that hit nine federal, state, and municipal government agencies in Mexico. Attackers compromised the utility’s IT environment in January and were stopped before reaching the OT side, but the technical sophistication of the activity has raised serious concerns about how rapidly AI can lower the skill bar for attacks on critical sectors.
According to Gambit, the attackers leaned heavily on Claude Code and OpenAI's GPT-4.1 API to do the bulk of the technical heavy-lifting — reconnaissance, exploit customisation, privilege escalation, and credential harvesting — resulting in the theft of hundreds of millions of citizen records and the compromise of thousands of servers. Dragos's investigation of the OT impact found that the AI identified a vNode industrial gateway server inside the water utility despite having no prior ICS/OT context, researched vendor documentation, built a credential list combining defaults with victim-specific guesses, and launched a password-spray attack against a single-password authentication interface. Dragos analysts reviewed roughly 350 artefacts, most of them AI-generated offensive scripts.
The takeaway for water utilities and other operators of critical infrastructure is uncomfortable but direct: as Dragos researcher Jay Deen put it, the AI was able to interpret an unfamiliar environment and develop plausible access paths into OT without any ICS-specific background. Ari Ben Am of the Foundation for Defense of Democracies framed it more plainly — threat actors no longer need specialised OT or ICS expertise to attempt these intrusions. For European public-sector water operators working under NIS2, the implication is that perimeter hygiene, identity controls, and segmentation between IT and OT can no longer assume a slow, expert-driven adversary; the time from initial IT compromise to credible OT reconnaissance has collapsed.