Safety leaders face a brand new class of autonomous risk as Anthropic details the first cyber espionage marketing campaign orchestrated by AI.
In a report launched this week, the firm’s Menace Intelligence group outlined its disruption of a classy operation by a Chinese language state-sponsored group – an evaluation made with excessive confidence – dubbed GTG-1002 and detected in mid-September 2025.
The operation focused roughly 30 entities, together with massive tech firms, monetary establishments, chemical manufacturing firms, and authorities businesses.
Somewhat than AI helping human operators, the attackers efficiently manipulated Anthropic’s Claude Code mannequin to operate as an autonomous agent to execute the overwhelming majority of tactical operations independently.
This marks a worrying improvement for CISOs, transferring cyber assaults from human-directed efforts to a mannequin the place AI brokers carry out 80-90 % of the offensive work with people appearing solely as high-level supervisors. Anthropic believes this is the first documented case of a large-scale cyberattack executed with out substantial human intervention.
AI brokers: A brand new operational mannequin for cyberattacks
The group used an orchestration system that tasked cases of Claude Code to operate as autonomous penetration testing brokers. These AI brokers had been directed as a part of the espionage marketing campaign to carry out reconnaissance, uncover vulnerabilities, develop exploits, harvest credentials, transfer laterally throughout networks, and exfiltrate knowledge. This enabled the AI to carry out reconnaissance in a fraction of the time it will have taken a group of human hackers.
Human involvement was restricted to 10-20 % of the whole effort, primarily centered on marketing campaign initiation and offering authorisation at a couple of key escalation factors. For instance, human operators would approve the transition from reconnaissance to lively exploitation or authorise the closing scope of information exfiltration.
The attackers bypassed the AI mannequin’s built-in safeguards, which are skilled to keep away from dangerous behaviours. They did this by jailbreaking the mannequin, tricking it by breaking down assaults into seemingly harmless duties and by adopting a “role-play” persona. Operators instructed Claude that it was an worker of a legit cybersecurity agency and was being utilized in defensive testing. This allowed the operation to proceed lengthy sufficient to achieve entry to a handful of validated targets.
The technical sophistication of the assault lay not in novel malware, however in orchestration. The report notes the framework relied “overwhelmingly on open-source penetration testing instruments”. The attackers used Mannequin Context Protocol (MCP) servers as an interface between the AI and these commodity instruments, enabling the AI to execute instructions, analyse outcomes, and preserve operational state throughout a number of targets and periods. The AI was even directed to analysis and write its personal exploit code for the espionage marketing campaign.
AI hallucinations develop into a great factor
Whereas the marketing campaign efficiently breached high-value targets, Anthropic’s investigation uncovered a noteworthy limitation: the AI hallucinated throughout offensive operations.
The report states that Claude “ceaselessly overstated findings and sometimes fabricated knowledge”. This manifested as the AI claiming to have obtained credentials that did not work or figuring out discoveries that “proved to be publicly accessible information.”
This tendency required the human operators to rigorously validate all outcomes, presenting challenges for the attackers’ operational effectiveness. In accordance to Anthropic, this “stays an impediment to absolutely autonomous cyberattacks”. For safety leaders, this highlights a possible weak point in AI-driven assaults: they could generate a excessive quantity of noise and false positives that may be recognized with strong monitoring.
A defensive AI arms race in opposition to new cyber espionage threats
The first implication for enterprise and expertise leaders is that the obstacles to performing refined cyberattacks have dropped significantly. Teams with fewer sources could now find a way to execute campaigns that beforehand required whole groups of skilled hackers.
This assault demonstrates a functionality past “vibe hacking,” the place people remained firmly in command of operations. The GTG-1002 marketing campaign proves that AI can be utilized to autonomously uncover and exploit vulnerabilities in reside operations.
Anthropic, which banned the accounts and notified authorities over a ten-day investigation, argues that this improvement reveals the pressing want for AI-powered defence. The corporate states that “the very skills that permit Claude to be utilized in these assaults additionally make it important for cyber protection”. The corporate’s personal Menace Intelligence group “used Claude extensively to analyse “the huge quantities of information generated” throughout this investigation.
Safety groups ought to function beneath the assumption {that a} main change has occurred in cybersecurity. The report urges defenders to “experiment with making use of AI for protection in areas like SOC automation, risk detection, vulnerability evaluation, and incident response.”
The competition between AI-driven assaults and AI-powered defence has begun, and proactive adaptation to counter new espionage threats is the solely viable path ahead.
See additionally: Wiz: Security lapses emerge amid the global AI race
Need to be taught extra about AI and large knowledge from trade leaders? Take a look at AI & Big Data Expo happening in Amsterdam, California, and London. The excellent occasion is a part of TechEx and is co-located with different main expertise occasions together with the Cyber Security Expo. Click on here for extra information.
AI Information is powered by TechForge Media. Discover different upcoming enterprise expertise occasions and webinars here.
Disclaimer: This article is sourced from external platforms. OverBeta has not independently verified the information. Readers are advised to verify details before relying on them.
