Security leaders face a new type of autonomous threat as Anthropic details the first cyber espionage operation orchestrated by AI.
In a report published this week, the company’s Threat Intelligence team outlined an advanced sabotage operation by a Chinese state-sponsored group known as GTG-1002 that was detected in mid-September 2025 (this assessment was conducted with a high degree of confidence).
The operation targeted approximately 30 organizations, including major technology companies, financial institutions, chemical manufacturers, and government agencies.
Rather than having the AI assist human operators, the attackers successfully manipulated Anthropic’s Claude Code model to function as an autonomous agent that carried out the majority of tactical operations independently.
This is an alarming development for CISOs, as cyber attacks are moving from a human-led effort to a model where AI agents perform 80 to 90 percent of the attack work, with humans acting only as high-level supervisors. Anthropic believes this is the first recorded instance of a major cyberattack carried out without substantial human intervention.
AI agents: A new operational model for cyberattacks
The group used an orchestration system that acted as an autonomous penetration testing agent for instances of Claude Code. These AI agents were instructed to perform reconnaissance, find vulnerabilities, develop exploits, collect credentials, move laterally across networks, and exfiltrate data as part of the espionage mission. This allows AI to perform reconnaissance in a fraction of the time it would take a team of human hackers.
Human involvement was limited to 10-20% of the total effort, primarily focused on initiating campaigns and providing approvals at a few key escalation points. For example, a human operator approves the transition from reconnaissance to active exploitation or approves the final scope of a data breach.
The attackers circumvented safeguards built into the AI model, which is trained to avoid harmful behavior. They accomplished this by jailbreaking the models, breaking down attacks into seemingly innocuous tasks, and fooling the models by adopting “role-playing” personas. The operators told Claude that it was an employee of a legitimate cybersecurity company and was being used for defensive testing. This allowed the operation to continue long enough to gain access to a small number of verified targets.
The technical sophistication of the attack lay in its orchestration, not in new malware. The report notes that the framework “overwhelmingly relies on open source penetration testing tools.” Attackers used Model Context Protocol (MCP) servers as an interface between the AI and these general-purpose tools, allowing the AI to execute commands, analyze results, and maintain operational state across multiple targets and sessions. The AI was also instructed to research and create its own exploit code for espionage purposes.
AI illusions can be good
While the campaign was successful in defeating high-value targets, Anthropic’s research revealed a notable limitation: the AI hallucinated during attack operations.
The report says Claude “frequently exaggerated findings and sometimes fabricated data.” This has come in the form of claims that the AI has obtained credentials that don’t work, or identifying findings that “turn out to be publicly available information.”
This trend required human operators to carefully verify all results, creating challenges for attackers’ operational efficiency. According to Anthropic, this “remains a barrier to fully autonomous cyberattacks.” For security leaders, this highlights the potential weaknesses of AI attacks. AI attacks can generate large amounts of noise and false positives, which can be identified through robust monitoring.
Defensive AI arms race against emerging cyber-espionage threats
The key impact for business and technology leaders is that the barriers to conducting sophisticated cyberattacks have been significantly lowered. Campaigns that previously required entire teams of experienced hackers can now be carried out by groups with fewer resources.
This attack demonstrates capabilities beyond “vibe hacking,” where humans had tight control over operations. The GTG-1002 campaign proves that AI can be used to autonomously discover and exploit operational vulnerabilities.
Anthropic, which banned the account and notified authorities of a 10-day investigation, says the incident shows the urgent need for AI-powered defense. “The very capabilities that allow Claude to perform these attacks are also essential to cyber defense,” the company said. The company’s threat intelligence team used Claude extensively to analyze “the vast amount of data generated” during this investigation.
Security teams must operate on the assumption that a major shift in cybersecurity has occurred. The report urges defenders to “experiment with applying AI to defense in areas such as SOC automation, threat detection, vulnerability assessment, and incident response.”
The race between AI-powered attacks and AI-powered defenses has begun, and proactively adapting to counter emerging espionage threats is the only viable path forward.
SEE ALSO: Wiz: Security flaws emerge amid global AI race
Want to learn more about AI and big data from industry leaders? Check out the AI & Big Data Expos in Amsterdam, California, and London. This comprehensive event is part of TechEx and co-located with other major technology events including Cyber Security Expo. Click here for more information.
AI News is brought to you by TechForge Media. Learn about other upcoming enterprise technology events and webinars.
