Critical Infrastructure Security, Governance & Risk Management, Operational Technology (OT)
AI-Developed Attack Tooling Generated ‘High-Volume, Noisy Workflows’
An unidentified hacker used Claude and ChatGPT in a cyberattack against a municipal water and sewage utility’s operational technology systems in Mexico in January, according to forensic analysis by OT security firm Dragos.
The generative AI tools helped the attacker identify a possible gateway to the utility’s OT systems, highlight its significance as a “crown jewel” asset, and design an ultimately unsuccessful effort to penetrate it, explained report author, Dragos Associate Principal Adversary Hunter Jay Deen.
The AI tooling Dragos analyzed “leveraged known techniques and existing vulnerability information to enumerate systems and services and attempt exploitation,” Deen told ISMG.
Servicios de Agua y Drenaje de Monterrey was one of nine government entities in Mexico breached by the attacker between December 2025 and February 2026. The campaign was first reported last month by threat intelligence researchers at Gambit Security, based on a trove of digital artifacts they recovered from multiple virtual servers used by the attacker – a rare real-world example of the much-feared but often over-hyped AI-powered cyberattack campaign.
This is the first time OT security specialists have examined evidence demonstrating in detail both the possibilities and the limitations of AI-assisted hacking against OT.
Significantly, Dragos researchers concluded that the attacker appeared focused on data theft until Claude found an OT interface on the utility’s network and singled it out as a possible target, Deen said.
“The adversary showed no sign of intent to target or disrupt OT prior to Claude identifying OT infrastructure within the [network] environment,” Deen said. The infrastructure was a vNode industrial gateway – a management interface for web-based monitoring and control of industrial processes. The gateway serves as a data integration layer between OT systems and enterprise IT environments.
Once Claude highlighted the vNode as “a high-value critical asset,” the attacker instructed it to go ahead with analysis and targeting activities. Claude devised an unsuccessful password spray attack, and after it failed, the attacker went back to looking for data to steal, eventually gaining access to more than 8,000 procurement, vendor and bidding records.
Notably, the password spray attack failed even though it used a specially compiled credential list that combined default credentials, victim and environment-specific naming conventions, and reused credentials harvested during the broader set of attacks against other government systems in the province. That suggests good password hygiene on the targeted system. Moreover, even a successful attack wouldn’t necessarily have given the attacker access to the OT system, the report notes, if the vNode was properly set up.
“Common vNode deployment use cases feature a ‘store & forward’ architecture,” in which the OT interface communicates with the IT network only through a segmented “de-militarized zone,” states the report.
Experts said the findings underlined the effectiveness of basic security controls and maintaining good cyber hygiene, even against attackers with the latest AI tools.
“The encouraging takeaway is … the value of layered defenses and sound engineering practices,” said Marcus Sachs, senior vice president and chief engineer at the Center for Internet Security.
Organizations needed to see past marketing hype, he added. They “don’t need advanced AI-enabled defenses to meaningfully reduce risk. What we often describe as ‘reasonable security’ or consistent application of well-established safeguards, remains highly effective even as adversaries adopt more advanced tools.”
“The challenge now is to ensure these protections are consistently applied across the thousands of utilities that make up the nation’s critical infrastructure,” Sachs said.
Dragos researchers concluded the OpenAI and Anthropic tools did not provide any novel capabilities, but enabled an attacker without any OT-specific skills and experience, who had breached the enterprise IT system, to identify and attack OT systems, and dramatically compressed the timeline from IT intrusion to OT attack.
“AI supported rapid environmental analysis, identification of an OT-adjacent environment, development and refinement of intrusion tooling, and generation of a viable entry path towards the IT-OT boundary using known techniques and publicly available tradecraft,” states the report.
“The broader takeaway is less about autonomous AI-driven attacks and more about how AI-assisted workflows can accelerate an adversary’s understanding of environments and improve visibility into OT-adjacent networks,” Deen added.
Dragos said it released the reporting to help soothe public reaction to AI-enabled hacking, which has so far been driven by often groundless fears about autonomous cyberattack campaigns.
Their analysis, and Gambit Security’s earlier reporting, shows that Claude and ChatGPT were in this case generally unwilling tools that helped the attacker automate certain steps in the attack chain. The AI models provided tooling which they were able to iteratively refine as they gained more knowledge of the environment.
But Dragos also found that the AI-developed tooling wasn’t perfect and would likely only succeed in the absence of basic security measures: “Its operational use would likely generate high-volume, noisy workflows in which only a subset of capabilities would succeed when exposed assets or weak security controls were present,” states the report.
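The password spray against the gateway login and the “high-volume, noisy workflows” described above are the kind of activity basic monitoring can surface: one source failing against many different accounts in a short window. The detector below is an added example, not code from the Dragos report or from any vendor; the log format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<ISO time> <source IP> <username> <result>".
# The format is an assumption for illustration, not a real vNode log format.
SAMPLE_LOG = """\
2026-01-10T02:00:01 10.20.0.15 admin FAIL
2026-01-10T02:00:04 10.20.0.15 root FAIL
2026-01-10T02:00:09 10.20.0.15 operator FAIL
2026-01-10T02:00:13 10.20.0.15 vnode FAIL
2026-01-10T02:00:20 10.20.0.15 scada FAIL
2026-01-10T02:00:26 10.20.0.15 engineer FAIL
2026-01-10T08:15:00 10.20.0.40 jgarcia FAIL
2026-01-10T08:15:10 10.20.0.40 jgarcia FAIL
2026-01-10T08:15:30 10.20.0.40 jgarcia OK
"""

def parse(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Return {source: most distinct usernames failed inside one window}
    for sources reaching min_users. Many accounts from one source is the
    spray signature; repeated failures on a single account (a typo) is not."""
    recent = defaultdict(deque)   # source -> (time, user) failures in window
    alerts = {}
    for ts, src, user, result in sorted(parse(l) for l in lines if l.strip()):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

def flagged_with_success(lines, alerts):
    """Flagged sources that also have any successful login: triage first."""
    rows = (parse(l) for l in lines if l.strip())
    return sorted({src for _, src, _, res in rows if res == "OK" and src in alerts})
```

The window and account threshold need tuning against the gateway’s normal login volume.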





