AI-Developed Attack Tooling Generated ‘High-Volume, Noisy Workflows’

An unidentified hacker used Claude and ChatGPT in a cyberattack against a municipal water and sewage utility’s operational technology systems in Mexico in January, according to forensic analysis by OT security firm Dragos.
The generative AI tools helped the attacker identify a potential gateway to the utility’s OT systems, highlighting its significance as a “crown jewel” asset, and design an ultimately unsuccessful effort to penetrate it, explained report author, Dragos Associate Principal Adversary Hunter Jay Deen.
The AI tooling Dragos analyzed “leveraged known techniques and existing vulnerability information to enumerate systems and services and attempt exploitation,” Deen told ISMG.
Servicios de Agua y Drenaje de Monterrey was one of nine government entities in Mexico breached by the attacker between December 2025 and February 2026. The campaign was first reported last month by threat intelligence researchers at Gambit Security, based on a trove of digital artifacts they recovered from several virtual servers used by the attacker – a rare real-world example of the much-feared but usually over-hyped AI-powered cyberattack campaign.
This is the first time OT security specialists have examined evidence demonstrating in detail both the possibilities and the limitations of AI-assisted hacking against OT.
Significantly, Dragos researchers concluded that the attacker appeared focused on data theft until Claude found an OT interface on the utility’s network and singled it out as a potential target, Deen said.
“The adversary showed no sign of intent to target or disrupt OT prior to Claude identifying OT infrastructure within the [network] environment,” Deen said. The infrastructure was a vNode industrial gateway – a management interface for web-based monitoring and control of industrial processes. The gateway serves as a data integration layer between OT systems and enterprise IT environments.
Once Claude highlighted the vNode as “a high-value critical asset,” the attacker instructed it to go ahead with analysis and targeting activities. Claude devised an unsuccessful password spray attack, and after it failed, the attacker went back to looking for data to steal, ultimately gaining access to more than 8,000 procurement, vendor and bidding records.
Notably, the password spray attack failed even though it used a specially compiled credential list that combined default credentials, victim and environment-specific naming conventions, and reused credentials harvested during the broader set of attacks against other government systems in the province. That suggests good password hygiene on the targeted system. Moreover, even a successful attack would not necessarily have given the attacker access to the OT system, the report notes, if the vNode was properly set up.
“Common vNode deployment use cases feature a ‘store & forward’ architecture,” in which the OT interface communicates with the IT network only via a segmented “de-militarized zone,” states the report.
Experts said the findings underlined the effectiveness of basic security controls and maintaining good cyber hygiene, even against attackers with the latest AI tools.
“The encouraging takeaway is … the value of layered defenses and sound engineering practices,” said Marcus Sachs, senior vice president and chief engineer at the Center for Internet Security.
Organizations needed to see past marketing hype, he added. They “don’t need advanced AI-enabled defenses to meaningfully reduce risk. What we often describe as ‘reasonable security’ or consistent application of well-established safeguards, remains highly effective even as adversaries adopt more advanced tools.”
“The challenge now is to ensure these protections are consistently applied across the thousands of utilities that make up the nation’s critical infrastructure,” Sachs said.
Dragos researchers concluded the OpenAI and Anthropic tools did not provide any novel capabilities, but enabled an attacker without any OT-specific skills and experience, who had breached the enterprise IT system, to identify and attack OT systems, and dramatically compressed the timeline from IT intrusion to OT attack.
“AI supported rapid environmental analysis, identification of an OT-adjacent environment, development and refinement of intrusion tooling, and generation of a viable access path towards the IT-OT boundary using known techniques and publicly available tradecraft,” states the report.
“The broader takeaway is less about autonomous AI-driven attacks and more about how AI-assisted workflows can accelerate an adversary’s understanding of environments and improve visibility into OT-adjacent networks,” Deen added.
Dragos said it released the reporting to help calm public reaction to AI-enabled hacking, which has so far been driven by usually groundless fears about autonomous cyberattack campaigns.
Their analysis, and Gambit Security’s earlier reporting, shows that Claude and ChatGPT were in this case generally unwilling tools that helped the attacker automate certain steps in the attack chain. The AI models provided tooling which they were able to iteratively refine as they gained more knowledge of the environment.
But Dragos also found that the AI-developed tooling wasn’t very good and would likely only succeed in the absence of basic security measures: “Its operational use would likely generate high-volume, noisy workflows in which only a subset of features would succeed when exposed assets or weak security controls were present,” states the report.
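For defenders, the password spray described above and the "high-volume, noisy workflows" the report expects are detectable in authentication logs. The following is an added example, not code from the Dragos report or this article: it flags a source whose failed logins reach many accounts with few tries each, and the log format, addresses, usernames and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: login events for a gateway web interface.
# The line format, addresses and usernames are assumptions for illustration.
SAMPLE_LOG = """\
2026-03-01T03:12:01Z src=10.20.5.44 user=admin result=FAIL
2026-03-01T03:12:03Z src=10.20.5.44 user=operator result=FAIL
2026-03-01T03:12:04Z src=10.20.7.9 user=mgarcia result=FAIL
2026-03-01T03:12:06Z src=10.20.5.44 user=engineer result=FAIL
2026-03-01T03:12:09Z src=10.20.5.44 user=scada result=FAIL
2026-03-01T03:12:15Z src=10.20.7.9 user=mgarcia result=FAIL
2026-03-01T03:12:18Z src=10.20.5.44 user=vnode result=FAIL
2026-03-01T03:12:40Z src=10.20.7.9 user=mgarcia result=OK
2026-03-01T03:13:02Z src=10.20.5.44 user=jperez result=FAIL
"""

def parse(line):
    """Split one 'timestamp src=.. user=.. result=..' line into typed fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, fields["src"], fields["user"], fields["result"]

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Flag sources whose failed logins inside a sliding window touch many
    accounts with only a few tries each. Assumes time-ordered input.
    Returns {source: sorted list of usernames tried}."""
    recent = defaultdict(deque)   # source -> (time, user) failures in window
    flagged = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        when, src, user, result = parse(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((when, user))
        while when - q[0][0] > window:   # expire failures older than window
            q.popleft()
        tries = defaultdict(int)
        for _, u in q:
            tries[u] += 1
        # Breadth (many accounts) with shallow depth separates a spray from
        # one user mistyping a password or a single-account brute force.
        if len(tries) >= min_users and max(tries.values()) <= max_per_user:
            flagged[src].update(tries)
    return {src: sorted(users) for src, users in flagged.items()}

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

On the constructed sample only the source that cycles through six account names is flagged; the user who mistypes a password twice and then logs in is not.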









