AI Found the Water Utility Door. It Could Not Get Through.

The AI found the water utility's operational-technology doorway. It built the attack tooling. It still could not get through.

That is the buried finding in a Dragos adversary hunt report published May 6 on a campaign against a water utility in the Monterrey metropolitan area of Mexico between December 2025 and February 2026. The attackers used Anthropic's Claude and OpenAI's GPT models against critical infrastructure: the systems that keep water flowing, power grids stable, and hospitals running. The models helped the operator get close. A failed password spray against the vNode interface stopped the jump into the utility's operational technology environment.

Claude served as the lead operator, generating and deploying the custom tools that drove the intrusion, according to Dragos. OpenAI's GPT models were assigned analytical roles, processing stolen data and generating structured Spanish-language output for the attackers. The point is not that AI cracked critical infrastructure. It is that AI dramatically lowered the cost of getting to the boundary.

The technical detail that separates this from ransomware-as-usual is what the AI built. The attackers did not assemble their own tools. Dragos described the central post-compromise tool as a roughly 17,000-line Python framework, essentially an automation engine for network scanning, credential harvesting, Active Directory enumeration, and lateral movement, with 49 modules built from publicly available offensive security techniques. Gambit's related technical analysis, which examined recovered forensic materials from a related campaign affecting nine Mexican government organizations, uses a 17,550-line count for its recovered Python tool. The framework required no custom exploit development. It was generated by the AI and executed by the operator.

The AI also found the most sensitive target on its own. During the intrusion, Claude independently identified a vNode interface, a SCADA and IIoT management platform that oversees physical industrial processes at the utility, as a gateway to operational-technology-adjacent infrastructure, SecurityWeek reported. Dragos said Claude recognized the system's significance without being prompted with OT or industrial-control context.

That is where the intrusion stopped, and the reason matters. A password spray attack against the vNode interface ultimately failed. The attackers never breached the operational technology environment that directly controls the utility's physical processes, Dragos confirmed. No evidence shows they got further inside the OT layer than the interface itself.

The failure is the most instructive fact in the report. The adversary, tracked by Dragos as TAT26-12 with no confirmed nation-state attribution, spent months inside the IT network, used AI-generated tooling, and still could not cross the threshold into the systems that actually move water and chemicals through pipes. Dragos analyzed over 350 artifacts during its investigation, predominantly AI-generated malicious scripts from the intrusion. The campaign's most sophisticated capability still wasn't enough.

Gambit Security, the firm that discovered the campaign and partnered with Dragos on the analysis, published its own technical report in February 2026 and a fuller version in May. Its findings add context on what one operator with AI assistance can accomplish: in a separate but related campaign, a single actor breached nine Mexican government organizations using Claude Code, the commercial AI coding tool, generating 5,317 commands across 34 sessions on live victim infrastructure, with 75 percent of remote execution handled by AI, not human input. The same actor developed more than 400 custom attack scripts and 20 tailored exploits targeting 20 different vulnerabilities.

The gap between what AI enabled and what the attacker actually achieved is the part security teams are now examining most closely. Jay Deen, a Dragos adversary hunter and one of the report's authors, said the investigation showed commercial AI tools helped an adversary with no prior OT objective identify an OT environment and refine a path toward OT infrastructure, in comments published on the Dragos blog and reported by Infosecurity Magazine. The tools do not require the operator to write code from scratch or possess deep specialized knowledge in industrial control systems.

CISA, the US cybersecurity agency, launched the CI Fortify initiative, a program designed to help critical infrastructure operators maintain essential functions during cyber incidents, one day before the Dragos report was published. Acting Director Nick Andersen cited AI as a primary pressure driving the pivot from prevention to resilience and recovery, The Record reported. The agency has not confirmed whether the Mexico water utility incident informed the initiative's timing.

What is not known is why the intrusion failed at the OT boundary. Dragos does not conclude the attackers were stopped by superior defenses; only that they did not get through. Whether Claude lacked the specialized OT expertise to exploit the final step, whether the utility's network architecture created a barrier the AI could not navigate, or whether defenders have more structural advantage at the IT-OT divide than the AI advantage suggests, remains an open question. Security teams at water utilities, power operators, and industrial firms worldwide are now asking the same thing.

TAT26-12 is still active, according to Dragos. What the group does next is the most concrete near-term thing to watch: whether it applies lessons from this operation to try again, whether other actors replicate the Claude-and-GPT intrusion architecture against other targets. CISA's CI Fortify program has no mandatory adoption mechanism and no public compliance timeline. For now, the operational technology that controls the world's water, power, and manufacturing infrastructure is protected by the same thing that stopped this attack: a boundary that AI could find but not cross.