Dragos Documents First LLM-Assisted Strike on Water Infrastructure in Mexico

“OpenAI and Anthropic LLMs Used in Critical Infrastructure Cyber-Attack, Warns Dragos,” by Danny Palmer, Infosecurity Magazine, May 7, 2026.
Cybersecurity firm Dragos documented the use of commercial AI models in a cyberattack against a municipal water and drainage utility in the Monterrey metropolitan area of Mexico. Attackers conducted the campaign between December 2025 and February 2026, and Dragos analyzed 350 artifacts from the intrusion, the vast majority of which consisted of AI-generated malicious scripts.
Dragos pointed out that the AI-assisted campaign should serve as a warning about how commercial AI models can be exploited by threat actors.
The attackers deployed Anthropic’s Claude as the primary technical executor, tasking it with intrusion planning, malicious tool development, and analysis of SCADA vendor documentation to produce brute-force credential lists. OpenAI’s GPT models served analytical functions, processing collected data and generating Spanish-language outputs. The AI tools allowed the attackers to refine their techniques in real time, and Dragos noted that the actors had no prior experience targeting operational technology environments.

Although the attackers failed to breach the operational technology (OT) infrastructure, Dragos warned that commercial AI has lowered the barrier to entry for attacks on critical infrastructure. Dragos recommended that organizations implement secure remote access policies and strong authentication controls to prevent unauthorized access to OT environments.
A Small Wars Journal Discourse rundown of “Anthropic’s Mythos: Our Takeaways” also highlights how frontier AI models have crossed into strategic terrain, with the ability to identify systemic vulnerabilities at unprecedented scale, transforming AI from a productivity tool into a national security asset. “Time compression is the real disruption” because collapsing the gap between discovery and exploitation reshapes offense-defense dynamics in cyberspace.
The battlespace is shifting and expanding to include the software substrate that enables modern life… systems that underpin critical infrastructure are all contestable terrain.
The Monterrey attack confirms this in operational terms, as the attackers refined techniques in real time and used AI to pivot from IT access to OT infrastructure, a pathway they could not have navigated without AI assistance. What neither the Dragos report nor the Mythos piece fully resolves is the governance dimension that makes Mexico a particularly vulnerable target. Alma Keshavarz’s April 2026 SWJ El Centro book review, “Cybersecurity Governance in Latin America,” finds that the case studies Solar examines (Mexico among them) share a common obstacle in that the police, judiciary, military, and intelligence apparatus “seem conditioned to patronage, clientelism, corruption, and other inherited authoritarian traits that have outlived many attempts to run government in a more democratic way,” and that this “continues to prove as the principal obstacle to cybersecurity preparedness and growth.”
Water utilities are a class of infrastructure that depends heavily on municipal governance for its cyber posture. The fact that “government-industry alignment remains unresolved” and that “tension between regulation and reliance persists, even as these tools become central to protecting critical infrastructure,” means that the Monterrey attack is not an isolated incident but rather a convergence of AI capability and persistent governance failure that will likely continue.