AI-Assisted OT Targeting: Case Study of the Mexico Water Utility Attack

Introduction

In a recently published report by Dragos, cybersecurity researchers documented a novel attack vector: threat actors leveraged Anthropic's Claude AI to identify and target operational technology (OT) assets during an intrusion into a water and drainage utility in Mexico. This step-by-step guide breaks down the observed tactics, techniques, and procedures (TTPs) to help defenders understand how such AI-assisted attacks unfold. While the original incident remains under investigation, the pattern reveals how generative AI can accelerate the reconnaissance phase of an OT-targeted cyberattack.

Source: www.securityweek.com

What You Need

Step-by-Step Breakdown of the Attack

Step 1: Initial Reconnaissance of the Utility's Internet-Facing Assets

The attackers began by scanning public-facing IP ranges associated with the Mexican water utility. They used Shodan and Censys to discover exposed remote access services (e.g., RDP, VPN) and web interfaces for historical data monitoring. Dragos’s telemetry shows that the reconnaissance did not trigger immediate alarms because the scans were deliberately slow and spanned multiple source IPs.

Step 2: Compromising an IT System via Spear-Phishing

Using social engineering, the threat actors delivered a malicious PDF disguised as a regulatory compliance document. The payload, once opened, established a reverse shell to a command-and-control (C2) server. At this stage, the attackers had initial access to the utility’s corporate IT network – but not the OT network. This step is critical because it illustrates the attack chain: IT compromise often precedes OT intrusion.

Step 3: Lateral Movement and Domain Enumeration

After gaining a foothold, the attackers used Mimikatz (or similar credential dumping tools) to harvest domain admin credentials. They then moved laterally to a server hosting internal documentation – including network diagrams and lists of IP addresses for PLCs and RTUs. Importantly, they did not directly connect to the OT network immediately. Instead, they collected raw data about the OT infrastructure.

Step 4: Using Claude AI to Map OT Assets

This is the novel step documented by Dragos. With the internal network documentation in hand, the attackers initiated a series of chat sessions with Claude AI through a compromised account. They fed the AI snippets of the network diagrams and asked Claude to identify the most sensitive systems based on typical OT asset naming conventions (e.g., 'PLC-01', 'RTU-WaterLevel'). The AI responded with a prioritized list of IP addresses belonging to the water treatment’s primary control loop. The attackers did not input any proprietary code or ask for exploit generation – instead, they used Claude to guide their targeting decisions, saving hours of manual analysis.

Step 5: Pivoting from IT to OT Using AI-Recommended Paths

Based on Claude’s output, the attackers identified a jump box that bridged the IT and OT networks (a common but dangerous architecture). Using the compromised domain admin credentials, they authenticated to this jump box and opened a remote connection to the highest-priority PLC. Dragos noted that the attackers followed Claude’s advice precisely, connecting to the exact IP addresses recommended by the AI.

Step 6: Manipulating OT Processes (Limited Impact)

Once in the OT environment, the attackers changed setpoints on a water level controller, causing minor disruptions. However, the utility’s safety interlocks prevented a full-blown disaster. The attackers likely intended to cause a longer outage but were thwarted by redundant systems. The intrusion was detected when an engineer noticed anomalous pH readings on an HMI.

Step 7: Covering Tracks and Exiting

After the detection, the attackers deleted logs from the jump box and the compromised IT server. They also terminated the Claude AI session, leaving no conversational history on the utility’s systems. Dragos believes the attackers used a VPN to obfuscate their true IP and may have been state-sponsored or part of a hacktivist group targeting critical infrastructure.

Tips for Defenders

1. Restrict AI usage in your environment. Implement policies that limit access to external AI chatbots from corporate devices, especially those with network diagrams or OT documentation. Use DLP (Data Loss Prevention) tools to detect and block sensitive data being pasted into AI interfaces.

2. Harden the IT-OT boundary. The jump box used in this attack should have been isolated with strict firewall rules and multi-factor authentication. Consider deploying a physical diode or an OT-specific firewall to prevent IT-to-OT pivoting.

3. Monitor for unusual AI interactions. Proxy logs should be analyzed for queries containing PLC IP addresses, Modbus registers, or industrial terminology. A sudden increase in AI chat volume from one user may indicate compromise.

4. Conduct tabletop exercises using AI-assisted intrusion scenarios. Train your blue team to recognize the signs of a threat actor who is 'outsourcing' analysis to AI. Common red flags include rapid, precise targeting of OT assets after weeks of slow reconnaissance.

5. Never assume AI is the end of the attack chain. In this case, Claude was a tool, not the payload. Focus on the fundamentals – least privilege, network segmentation, and continuous monitoring of control system alerts.
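
One way to implement the log review described in tips 1 and 3, as an added example that is not taken from the Dragos report or the original article. It assumes a TLS-inspecting proxy or DLP sensor that records a request-body excerpt; the log layout, AI host list, OT subnet and volume threshold are hypothetical, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not values from the report: hosts, OT subnet, threshold, log layout.
AI_HOSTS = {"claude.ai", "chatgpt.com"}
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]
VOLUME_THRESHOLD = 3  # AI chat requests per user in the analysed window

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ASSET_RE = re.compile(r"\b(?:PLC|RTU|HMI)-[\w-]+", re.I)  # e.g. PLC-01, RTU-WaterLevel
TERM_RE = re.compile(r"\b(?:modbus|holding register|setpoint|dnp3)\b", re.I)

# Constructed sample: "<time> <user> <destination host> <request body excerpt>"
SAMPLE_LOG = """\
2025-01-10T09:01:12Z jgarcia claude.ai Summarise this meeting agenda for Friday
2025-01-10T09:14:40Z svc-docs claude.ai Rank these assets: PLC-01 10.50.1.10, RTU-WaterLevel 10.50.1.22
2025-01-10T09:15:02Z svc-docs claude.ai Which Modbus holding register holds the level setpoint?
2025-01-10T09:15:30Z svc-docs claude.ai What does firmware version 10.50.1.999 mean
2025-01-10T09:20:00Z mlopez intranet.example Upload of PLC-07 backup to 10.50.1.30
"""

def ot_indicators(text):
    """Return the sorted OT indicators found in one request body excerpt."""
    hits = {m.group(0) for m in ASSET_RE.finditer(text)}
    hits |= {m.group(0).lower() for m in TERM_RE.finditer(text)}
    for raw in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # looks like an IP but is not one (e.g. 10.50.1.999)
        if any(addr in net for net in OT_NETS):
            hits.add(raw)
    return sorted(hits)

def analyse(log_text):
    """Return (content_alerts, volume_alerts) for requests sent to AI chat hosts."""
    content, per_user = [], Counter()
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[2] not in AI_HOSTS:
            continue  # malformed line or not an AI destination
        ts, user, _host, body = parts
        per_user[user] += 1
        found = ot_indicators(body)
        if found:
            content.append((ts, user, found))
    volume = sorted(u for u, n in per_user.items() if n >= VOLUME_THRESHOLD)
    return content, volume

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)[0]:
        print(alert)
```

Content alerts and volume alerts are returned separately so that a service account that suddenly starts talking to an AI chat host can be triaged even when body inspection is unavailable.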

Note: This guide is based on the Dragos report released in early 2025. For the most current threat intelligence, always refer to official vendor publications and your sector-specific ISAC.
