Security leaders face a new class of autonomous threat as Anthropic details the first cyber espionage campaign orchestrated by AI.
In a report released this week, the company’s Threat Intelligence team outlined its disruption of a sophisticated operation by a Chinese state-sponsored group – an assessment made with high confidence – dubbed GTG-1002 and detected in mid-September 2025.
The operation targeted roughly 30 entities, including large tech companies, financial institutions, chemical manufacturing companies, and government agencies.
Rather than AI assisting human operators, the attackers successfully manipulated Anthropic’s Claude Code model to function as an autonomous agent to execute the vast majority of tactical operations independently.
This marks a worrying development for CISOs, moving cyber attacks from human-directed efforts to a model where AI agents perform 80-90 percent of the offensive work with humans acting only as high-level supervisors. Anthropic believes this is the first documented case of a large-scale cyberattack executed without substantial human intervention.
AI agents: A new operational model for cyberattacks
The group used an orchestration system that tasked instances of Claude Code to function as autonomous penetration testing agents. These AI agents were directed as part of the espionage campaign to perform reconnaissance, discover vulnerabilities, develop exploits, harvest credentials, move laterally across networks, and exfiltrate data. This enabled the AI to perform reconnaissance in a fraction of the time it would have taken a team of human hackers.
Human involvement was limited to 10-20 percent of the total effort, primarily focused on campaign initiation and providing authorisation at a few key escalation points. For example, human operators would approve the transition from reconnaissance to active exploitation or authorise the final scope of data exfiltration.
The attackers bypassed the AI model’s built-in safeguards, which are trained to avoid harmful behaviours. They did this by jailbreaking the model, tricking it by breaking down attacks into seemingly innocent tasks and by adopting a “role-play” persona. Operators told Claude that it was an employee of a legitimate cybersecurity firm and was being used in defensive testing. This allowed the operation to proceed long enough to gain access to a handful of validated targets.
The technical sophistication of the attack lay not in novel malware, but in orchestration. The report notes the framework relied “overwhelmingly on open-source penetration testing tools”. The attackers used Model Context Protocol (MCP) servers as an interface between the AI and these commodity tools, enabling the AI to execute commands, analyse results, and maintain operational state across multiple targets and sessions. The AI was even directed to research and write its own exploit code for the espionage campaign.
AI hallucinations become a good thing
While the campaign successfully breached high-value targets, Anthropic’s investigation uncovered a noteworthy limitation: the AI hallucinated during offensive operations.
The report states that Claude “frequently overstated findings and occasionally fabricated data”. This manifested as the AI claiming to have obtained credentials that didn’t work or identifying discoveries that “proved to be publicly available information.”
This tendency required the human operators to carefully validate all results, presenting challenges for the attackers’ operational effectiveness. According to Anthropic, this “remains an obstacle to fully autonomous cyberattacks”. For security leaders, this highlights a potential weakness in AI-driven attacks: they may generate a high volume of noise and false positives that can be identified with robust monitoring.
A defensive AI arms race against new cyber espionage threats
The primary implication for business and technology leaders is that the barriers to performing sophisticated cyberattacks have dropped considerably. Groups with fewer resources may now be able to execute campaigns that previously required entire teams of experienced hackers.
This attack demonstrates a capability beyond “vibe hacking,” where humans remained firmly in control of operations. The GTG-1002 campaign proves that AI can be used to autonomously discover and exploit vulnerabilities in live operations.
Anthropic, which banned the accounts and notified authorities over a ten-day investigation, argues that this development shows the urgent need for AI-powered defence. The company states that “the very abilities that allow Claude to be used in these attacks also make it crucial for cyber defense”. The company’s own Threat Intelligence team used Claude extensively to analyse “the enormous amounts of data generated” during this investigation.
Security teams should operate under the assumption that a major change has occurred in cybersecurity. The report urges defenders to “experiment with applying AI for defense in areas like SOC automation, threat detection, vulnerability assessment, and incident response.”
The contest between AI-driven attacks and AI-powered defence has begun, and proactive adaptation to counter new espionage threats is the only viable path forward.
