Threat intelligence published by Dragos has revealed that an adversary used Anthropic’s Claude large language model (LLM) to help map a lateral movement path from IT into operational technology (OT) networks during a confirmed breach of a Mexican water utility.
The target was Servicios de Agua y Drenaje de Monterrey (SADM), a public water and wastewater provider serving roughly five million people in the Monterrey metropolitan area of Nuevo León, Mexico. The breach, which Dragos attributes to a threat group it tracks as Bauxite Limeade, occurred in late 2024 and is one of the first publicly documented cases of an AI model being used operationally during a live intrusion against industrial infrastructure.
What Happened
According to Dragos’ analysis, Bauxite Limeade gained initial access to SADM’s IT environment and then used Claude to accelerate reconnaissance. The attacker submitted prompts asking the model to explain ICS-specific protocols, identify common network architectures in water treatment facilities, and suggest methods for pivoting from enterprise IT segments into OT zones.
Dragos noted that the model did not provide exploit code or direct attack tooling. Instead, the adversary used it as an interactive reference, querying it for contextual knowledge that would normally require specialized ICS expertise or extended manual research. The LLM responses helped the attacker build a more informed picture of how SCADA systems, historians, and PLCs typically sit within utility network topologies.
Why It Matters
The case is significant for several reasons. First, it demonstrates that AI models are now part of the operational toolkit for threat actors targeting critical infrastructure, not just for phishing lure generation or malware scripting, but for domain-specific reconnaissance in OT environments.
Second, it lowers the barrier to entry. ICS and OT intrusions have historically required niche knowledge that limited the pool of capable adversaries. An attacker who can query a general-purpose LLM for protocol-level and architectural guidance no longer needs years of hands-on SCADA experience to begin mapping a viable attack path.
Third, the incident raises questions about how AI providers monitor and restrict queries related to critical infrastructure. Anthropic’s Responsible Scaling Policy includes commitments to detecting and mitigating misuse, but the Dragos report indicates the attacker was able to obtain operationally useful responses without triggering apparent guardrails.
Dragos’ Recommendations
Dragos has issued several recommendations for asset owners in the water and wastewater sector:
- Audit and segment IT/OT boundaries, particularly where historians or jump hosts bridge the two environments.
- Monitor for anomalous authentication patterns that could indicate lateral movement from enterprise networks into OT zones.
- Review access controls on engineering workstations and SCADA servers, ensuring they are not reachable from general-purpose IT segments.
- Treat AI-assisted reconnaissance as a credible threat model input when updating risk assessments for industrial control systems.
The full Dragos intelligence report on Bauxite Limeade is available to Dragos Platform customers and WorldView subscribers.
