Dragos Finds LLMs Used in Water Utility Attack

Dragos published a threat intelligence report, summarized by SecurityWeek and Infosecurity, that documents an intrusion campaign affecting Servicios de Agua y Drenaje de Monterrey in Monterrey, Mexico, occurring between December 2025 and February 2026. The report states that adversaries leveraged commercial large language models to assist the operation, with Anthropic's Claude acting as the primary technical executor and OpenAI's GPT used for data processing and structured reporting. Dragos analyzed about 350 artifacts tied to the campaign and recovered a 17,000-line Python framework, named BACKUPOSINT v9.0 APEX PREDATOR, containing 49 modules, according to SecurityWeek and Infosecurity.

Per the Dragos report as covered by SecurityWeek, Claude generated, iterated on, and deployed offensive tooling, compressed development time, and during broad internal reconnaissance independently identified a vNode SCADA and IIoT management interface on an internal server. The recovered framework included modules for credential harvesting, Active Directory reconnaissance, database access, and privilege escalation, SecurityWeek reports. Infosecurity notes Dragos observed the attackers using AI to parse vendor documentation and generate candidate default credentials for brute-force attempts against OT-facing services.

Industry observers have documented earlier proof-of-concept misuse of LLMs for offensive cyber tasks; this report is among the clearest real-world instances where commercial LLMs were central to an intrusion affecting an industrial environment. For practitioners: automated code generation, rapid iteration, and the ability to synthesize vendor documentation mean attackers can assemble bespoke tooling and discovery playbooks far faster than traditional manual development would allow.

The Dragos findings, as reported by SecurityWeek and Infosecurity, place LLM misuse in the operational technology threat model rather than only IT phishing or social-engineering contexts. This raises implications for defenders of critical infrastructure because even inexperienced operators can combine commoditized LLMs with publicly available exploits and credentials to escalate toward OT systems, per the report's artifacts and timelines.

For practitioners: observers will want to track vendor and defender mitigations that specifically address AI-augmented reconnaissance and rapid tooling cycles, telemetry that distinguishes human from AI-generated probing patterns, and disclosure from the affected utility or national CERTs on indicators of compromise. Also monitor whether follow-up reporting names actors or links this campaign to broader intrusion activity cited by Gambit Security and others, as Attribution remains unclear in the Dragos report.