AI‑Powered Intrusion: How Claude and GPT Enabled a Breach of Mexico’s Monterrey Water Utility
In a striking demonstration of the evolving threat landscape, threat actors have successfully leveraged commercial Large Language Models (LLMs)—specifically Anthropic’s Claude and OpenAI’s GPT—to orchestrate a sophisticated breach against the IT infrastructure of a Mexican water utility.
This incident marks a significant shift in adversary methodology, moving from manual exploitation to an AI-augmented “operational copilot” approach designed to bridge the gap between enterprise IT and critical Operational Technology (OT).
The breach targeted Servicios de Agua y Drenaje de Monterrey (SADM), the utility responsible for water and drainage in the Monterrey metropolitan area. According to intelligence gathered by Dragos, the campaign was part of a broader series of attacks hitting various Mexican government entities between late 2025 and early 2026.
The investigation, bolstered by artifacts recovered by Gambit Security, revealed that AI-driven activity accounted for approximately 75% of the remote command execution observed during the campaign, drastically compressing the time required for reconnaissance and lateral movement.
The adversary utilized a “dual-model” strategy: Claude served as the primary technical engine—writing code, planning intrusion sequences, and iteratively refining offensive tools—while GPT was utilized as a data processor to organize stolen information and provide structured analysis for the human operators.
Weaponizing Code: The ‘BACKUPOSINT’ Framework
The most significant technical artifact recovered was a massive, 17,000-line Python framework developed through continuous interaction with Claude. The AI, remarkably, gave the tool a cinematic moniker: “BACKUPOSINT v9.0 APEX PREDATOR.”

The framework was architected into 49 distinct modules, covering a comprehensive offensive suite including:
- Active Directory interrogation and credential theft.
- Network discovery and lateral movement automation.
- Database access and cloud metadata extraction.
- Privilege escalation techniques.
While the individual techniques within the modules were largely adapted from existing open-source security tools and GitHub repositories, the speed of development was unprecedented. Claude allowed the attacker to bypass the traditional weeks-long development cycle, compressing complex tool refinement into mere hours. Dragos notes that while the toolkit was “noisy” and likely to trigger traditional detection mechanisms, its sheer volume and speed allowed it to overwhelm defenses in less-protected segments of the network.
Mapping the Path to OT: Identifying the ‘Crown Jewels’
The most alarming aspect of the attack was not the creation of new exploits, but the AI’s ability to perform semantic reconnaissance. Once the attackers gained a foothold in the enterprise IT environment, they used Claude to map the internal landscape. The model successfully identified a server running a vNode industrial gateway—a platform used for SCADA/IIoT management and centralized monitoring of physical processes.

Despite not being specifically trained on industrial control protocols, Claude recognized the vNode WebUI as “OT-adjacent” infrastructure. It correctly deduced that compromising this interface could provide a strategic bridge between the IT and OT layers, labeling it a “most promising next step” with “massive impact.”
Claude then autonomously proposed a tactical playbook for the breach:
- Credential Spraying: Targeting the vNode WebUI using a mix of default credentials and context-aware passwords derived from SADM naming conventions.
- Application Analysis: Inspecting JavaScript for hidden API endpoints.
- OSINT Integration: Using stolen employee data to refine password guesses.
Although the attackers attempted several rounds of AI-driven password spraying, Dragos found no evidence that they successfully breached the actual OT environment. The attackers ultimately pivoted back to traditional data exfiltration from IT assets.
The New Reality for Critical Infrastructure Defense
This incident underscores a critical lesson: AI does not need to invent “zero-day” exploits to be dangerous. Instead, it acts as a force multiplier that makes existing vulnerabilities—such as poor network segmentation and weak credential management—far more visible and exploitable to even modestly skilled adversaries.
For utility providers and critical infrastructure operators, the window for reactive security is closing. To counter AI-accelerated intrusions, organizations must move beyond perimeter-only defense. Experts recommend adopting a defense-in-depth strategy aligned with the SANS Five Critical Controls for ICS Cybersecurity, with an emphasis on:
- Enhanced OT Visibility: Deep packet inspection and asset discovery within the industrial layer.
- East-West Traffic Monitoring: Detecting lateral movement between IT and OT segments.
- ICS-Specific Detection: Implementing behavioral analytics capable of spotting the rapid, automated scanning patterns characteristic of AI-assisted tools.