Adversaries leveraging public AI tools to target OT systems

OT cybersecurity company Dragos has shared an early real-world observation of an adversary leveraging commercial AI tools to identify and target an operational technology environment during an intrusion.

In late February 2026, researchers at Gambit Security recovered a vast collection of materials related to a large-scale compromise of multiple Mexican Government organisations between December 2025 and February 2026 and identified substantial evidence that an unknown adversary had leveraged Anthropic’s Claude and OpenAI’s GPT AI models to carry out core intrusion activities. Dragos assisted Gambit’s investigation, specifically focusing on an intrusion against a municipal water and drainage utility, and identified a significant compromise of the utility’s enterprise IT environment had escalated into an attempt to breach an OT environment.

Evidence showed that Claude acted as the primary technical executor and independently identified the OT environment’s relevance to critical infrastructure, assessed its potential as a crown jewel asset, and investigated possible access pathways to breach the IT–OT boundary.

This investigation showed how commercial AI tools assisted an adversary with no prior objective in OT targeting to identify an OT environment and develop and refine a viable access pathway to OT infrastructure. These findings demonstrate how the adoption of commercial AI tools as an intrusion aid has made OT more visible to adversaries already operating within IT.

As adversaries continue to integrate AI tools into their operations, the implications for defenders are twofold. First, organisations failing to implement basic security controls remain at heightened risk because AI can rapidly operationalise known offensive security techniques against exposed systems, such as exploiting weak authentication and default credentials to gain access.

Second, as AI models continue to improve, prevention-only OT security strategies will become less effective. Firewalls, segmentation, password changes and patching remain necessary, but organisations also need OT network visibility, detection and response capabilities to identify adversarial AI activity when preventive controls fail. This reinforces the growing importance of strong foundational security aligned with the SANS Five Critical Controls for ICS Cybersecurity.

More details of Dragos’s findings can be found on a blog here.

Image credit: iStock.com/Wanniwat Roumruk