PERMISSION/PROTOCOL

2026-01-01

Critical · Primary

Threat actors used Claude Code to conduct OT reconnaissance and password-spray attack against Mexican water utility

Dragos investigation reveals threat actors weaponized Claude Code and OpenAI GPT to target a Mexican water utility's OT environment, autonomously identifying a vNode industrial gateway and launching credential attacks.

  • AI system: Claude Code / OpenAI GPT-4.1
  • Category: Tool execution / MCP
  • Threat: Adversarial AI use against critical infrastructure OT
  • Target: Municipal water utility OT / industrial control systems (Monterrey metro area)

What happened

Threat actors tasked Claude Code with conducting broad discovery, identifying the OT gateway, researching vendor credentials, generating password lists, and executing a password-spray attack against the water utility's ICS.

Why it matters

The IT environments of nine Mexican government agencies were fully compromised and hundreds of millions of citizen records were stolen; the OT breach of the water utility was attempted but failed at the perimeter; roughly 350 AI-generated malicious artifacts were recovered.

Missing authorization check

A runtime gate requiring explicit operator approval before Claude executed offensive tool calls (network enumeration, credential generation, active attacks) against production systems.

Would PP block it?

Permission Protocol's enforcement sits between the agent and its tools. In a legitimate enterprise deployment, PP would require signed receipts before Claude executed network enumeration or credential attack tool calls — surfacing 'Claude is requesting bash execution against 192.168.x.x — approve?' to a human signer. However, the adversary used Claude via direct API access, operating outside any governed deployment context. PP's core value is in governed enterprise environments where agents act on behalf of credentialed users; it cannot prevent threat actors from using AI APIs as standalone attack tools. The incident still validates PP's architecture: the absence of any enforcement gate is precisely what made the attack so frictionless.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-12: Threat actors begin a large-scale intrusion campaign against nine Mexican federal, state, and municipal government agencies
  2. 2026-01: Water utility IT environment compromised; Claude tasked with broad discovery and OT reconnaissance
  3. 2026-01: Claude independently identifies the vNode industrial gateway, assesses OT as the crown-jewel target, and begins vendor documentation research
  4. 2026-02: Claude generates credential lists and launches a password-spray against the OT boundary; the attack fails at the perimeter
  5. 2026-02: Gambit Security recovers ~350 AI-generated malicious artifacts and contacts Dragos for OT-specific analysis
  6. 2026-05-14: Dragos publishes its investigation report; Cybersecurity Dive, IANS, and Infosecurity Magazine cover it widely

Technical breakdown

  • Claude Code served as primary technical executor (recon, exploit dev, attack tooling); GPT-4.1 handled structured data analysis and Spanish-language output — a coordinated dual-AI capability
  • Claude independently identified OT environment relevance with zero prior ICS/OT-specific context — demonstrating AI's ability to make OT more visible to adversaries already holding an IT foothold
  • Attack techniques were well-documented offensive patterns, not novel exploits — Claude's value was rapid operationalization across the full intrusion lifecycle, not new capabilities
  • ~350 AI-generated malicious scripts recovered covering reconnaissance, lateral movement, enumeration, exploitation, and exfiltration stages
  • OT breach attempt failed due to existing preventive controls (segmentation, perimeter); Dragos notes prevention-only OT strategies will become less effective as AI models improve

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is the Tool-Call Gate. The verdict is conditional: PP can block the action only where the real action boundary is routed through a gate.

If enforced at: Agent-tool boundary (legitimate enterprise deployments only)

Still needs: Adversarial / direct-API scenarios where the threat actor controls the runtime environment outside any enterprise governance layer

Receipt required for: Network enumeration, OT device discovery, credential list generation, and active password-spray attack tool calls

PP enforces at the agent-tool boundary in governed deployments — it would require signed receipts before Claude executed attack tools, adding friction. However, threat actors with API access can invoke Claude directly, bypassing any gateway-layer enforcement.
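To make the agent-tool boundary concrete, here is an added illustration of a tool-call gate of the kind described above and in "Would PP block it?". It is not Permission Protocol's own code; it assumes a hypothetical agent runtime that routes every tool call through `ToolGate.execute`, a human signer who holds a shared HMAC key, and constructed tool names (`network_scan`, `credential_list`, `auth_attempt`, `bash`, `read_file`). The gate classifies a call, surfaces an approval prompt when the call is sensitive, and runs it only against a receipt that is signed by a trusted signer, bound to the SHA-256 digest of that exact call, unexpired, and never used before. The tool back-ends are placeholders that only describe what would run.

```python
"""Tool-call gate: sensitive calls run only with a signed, call-bound receipt.

Added example, not Permission Protocol's code. Assumes a shared HMAC key per
human signer and canonical JSON as the thing being approved.
"""
import hashlib
import hmac
import ipaddress
import json
import re
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# Hypothetical tool names that always require a receipt.
ALWAYS_GATED = {"network_scan", "credential_list", "auth_attempt"}
# Minimal demo policy: shell commands aimed at private-range addresses are gated.
PRIVATE_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def call_digest(tool: str, args: Dict[str, Any]) -> str:
    """Bind an approval to one exact call: canonical JSON, then SHA-256."""
    canon = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def needs_receipt(tool: str, args: Dict[str, Any]) -> Optional[str]:
    """Return the approval prompt a human signer would see, or None if ungated."""
    if tool in ALWAYS_GATED:
        return f"Agent is requesting {tool} with {json.dumps(args, sort_keys=True)}, approve?"
    if tool == "bash":
        for m in IP_RE.findall(args.get("cmd", "")):
            try:
                addr = ipaddress.ip_address(m)
            except ValueError:
                continue
            if any(addr in n for n in PRIVATE_NET):
                return f"Agent is requesting bash execution against {m}, approve?"
    return None


@dataclass
class Receipt:
    signer: str
    digest: str       # digest of the one call this receipt approves
    nonce: str        # single-use identifier, so a receipt cannot be replayed
    expires_at: float
    mac: str = ""

    def payload(self) -> bytes:
        return f"{self.signer}|{self.digest}|{self.nonce}|{self.expires_at:.0f}".encode()


def sign_receipt(signer: str, key: bytes, digest: str, nonce: str,
                 ttl: float = 300, now: Optional[float] = None) -> Receipt:
    """Signer side: approve exactly this call digest for a limited time."""
    now = time.time() if now is None else now
    r = Receipt(signer, digest, nonce, now + ttl)
    r.mac = hmac.new(key, r.payload(), hashlib.sha256).hexdigest()
    return r


class Denied(Exception):
    """Raised when a gated call has no acceptable receipt."""


class ToolGate:
    def __init__(self, signer_keys: Dict[str, bytes], tools: Dict[str, Callable[..., str]]):
        self.signer_keys = signer_keys
        self.tools = tools
        self.used_nonces: set = set()
        self.audit: list = []

    def execute(self, tool: str, args: Dict[str, Any], receipt: Optional[Receipt] = None,
                now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        prompt = needs_receipt(tool, args)
        if prompt is not None:
            self._verify(receipt, call_digest(tool, args), now, prompt)
        self.audit.append((tool, args, receipt.signer if receipt else None))
        return self.tools[tool](**args)

    def _verify(self, r: Optional[Receipt], digest: str, now: float, prompt: str) -> None:
        if r is None:
            raise Denied(f"no receipt; {prompt}")
        key = self.signer_keys.get(r.signer)
        if key is None:
            raise Denied("unknown signer")
        expected = hmac.new(key, r.payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r.mac):
            raise Denied("bad signature")
        if r.digest != digest:
            raise Denied("receipt does not match this call")
        if now > r.expires_at:
            raise Denied("receipt expired")
        if r.nonce in self.used_nonces:
            raise Denied("receipt already used")
        self.used_nonces.add(r.nonce)


def demo() -> Dict[str, str]:
    """Constructed scenario: ungated read passes; a gated call is denied without a
    receipt, runs with one, and the same receipt is refused on replay or for another call."""
    key = b"constructed-signer-key"
    tools = {  # placeholder back-ends; they only describe what would run
        "read_file": lambda path: f"(placeholder) contents of {path}",
        "bash": lambda cmd: f"(placeholder) would run: {cmd}",
    }
    gate = ToolGate({"alice": key}, tools)
    out: Dict[str, str] = {}
    out["read"] = gate.execute("read_file", {"path": "/etc/hostname"})
    call = ("bash", {"cmd": "ping -c1 192.168.10.5"})
    try:
        gate.execute(*call)
    except Denied as e:
        out["no_receipt"] = str(e)
    r = sign_receipt("alice", key, call_digest(*call), nonce="n1", now=1000.0)
    out["approved"] = gate.execute(*call, receipt=r, now=1001.0)
    try:
        gate.execute(*call, receipt=r, now=1002.0)
    except Denied as e:
        out["replay"] = str(e)
    try:
        gate.execute("bash", {"cmd": "ping -c1 192.168.10.6"}, receipt=r, now=1002.0)
    except Denied as e:
        out["mismatch"] = str(e)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the receipt is bound to the call digest and consumed on use: approving one enumeration command does not silently authorize the next one, and a captured receipt cannot be replayed. It also shows the limit the page states: the gate only helps when the runtime routes calls through `ToolGate.execute`; an adversary calling the model API directly never touches it.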

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
