Hacker and code showing AI agents for cyber espionage

Use of AI Agents in Cyber Espionage Expands as Chinese Hackers Leverage Anthropic Tools

AI firm Anthropic is reporting that Chinese hackers were able to use the company’s AI agents to automate attacks against about 30 targets during a September cyber espionage campaign.

The hackers focused on breaking the guardrails of Claude Code, enabling its assistance in creating scripts and tools for attacks. While Anthropic says that only a “few” of these attacks were successful, this along with other recent reports indicates that advanced threat actors are beginning to find their footing with the use of AI agents in real-time adaptive attack campaigns.

Cyber espionage campaign targeted Claude code

Anthropic’s report calls the incident the “first reported AI-orchestrated cyber espionage campaign” and has attributed it with high confidence to a Chinese state-sponsored group it calls GTG-1002. The campaign took place in mid-September and the integration of AI agents for performance of autonomous tasks is described as “unprecedented” with as much as 80 to 90% of tactical operations handled at “physically impossible request rates.”

The focus was on jailbreaking of Claude Code, one of an emerging group of advanced AI agents for automation of coding tasks that keeps track of the entirety of workflows and project architecture. The cyber espionage team was reportedly able to accomplish this by convincing it that it was being deployed for legitimate penetration testing purposes.

Anthropic reports that the attackers were able to manipulate its AI agents to “support reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration” in a “largely” autonomous way. It also believes this is the first recorded instance of a cyberattack campaign executed at scale without human intervention, with the AI scanning for and selecting its own targets and both evaluating and exploiting vulnerabilities on its own. This extends to post-breach activities such as lateral movement and data exfiltration, with the AI essentially handling the full breach cycle on its own.

In addition to breaking safety guardrails by convincing Claude that questionable functions were being performed in the name of legitimate penetration testing, the attackers broke complex multi-stage attacks into discrete smaller component tasks that were less likely to be questioned in isolation. The attackers used multiple accounts to do this and did some social engineering of the AI agents by building up “personas” attached to each that presented as legitimate security researchers. Multiple instances of Claude were thus participating in the same phase of the cyber espionage operations, but without communicating with each other or having the ability to see the full picture of what was being done.

The human operators did participate in the cyber espionage campaign, but Anthropic estimates they were only involved actively about 10% to 20% of the time. The AI agents handled the vast majority of the work with the human operators stepping in periodically to make strategic decisions at critical escalation points, authorize harvested credentials, and to make final decisions about elements of data exfiltration.

Claude was also determined to be independently analyzing vulnerabilities and stolen data and making autonomous decisions about them, based on the rapidity of the actions (thousands of requests beyond what a human would be capable of). And it relied on a collection of mostly open source penetration testing tools rather than more readily detectable proprietary tools or custom malware.

Use of AI agents for hacking is becoming increasingly sophisticated

Though the cyber espionage campaign seems to represent a concerning escalation in attacker capability, it does come with some caveats. The first is that it had an overall rather low success rate, targeting about 30 entities but only succeeding in breaking into “a handful.” The attackers were also sometimes stymied by the classic AI issue of overstatement and hallucination; Claude would sometimes report back that it successfully did things it did not actually do, for example presenting credentials or vulnerabilities that it entirely made up. This greatly slowed down the efficiency of the operation in the same way that everyday work is usually impacted by AI, with a human having to manually review certain critical elements to make sure they were indeed legitimate.

Given a lack of specific details in the report, some security researchers are also questioning exactly how automated the AI agents really were. They also note that Claude Code was targeted because it is specifically vulnerable in a way that other major LLMs are not, as it is designed to deal with routine coding tasks that can be readily camouflaged if they are broken down enough.

Nevertheless, this and a similar report by Google’s threat research team indicate that advanced attackers are working away at incorporating AI agents into their work at a feverish pace and are finding enough success to signal the beginnings of a new era of automated attacks.

As John Watters, CEO and Managing Partner at iCOUNTER, notes: “This is simply the tip of the iceberg and a clear indication of the future threat landscape. I’ve spoken at length of the movement where all victims become Patient Zero as adversaries leverage AI to conduct reconnaissance on a target, then build bespoke capabilities designed to exploit each specific target.  Just look at the success of this operation leveraging off the shelf AI capability.  Imagine what an adversary can do with a well-tuned LLM purpose built for an espionage mission.”

Toby Lewis, Global Head of Threat Analysis at Darktrace, adds: “While this campaign is not a fully autonomous attack, it does show how threat actors are already using AI to orchestrate and scale the same techniques we’ve seen for years – from reconnaissance and credential theft to lateral movement and data exfiltration. The AI use here is essentially a smart coordinator for standard offensive tools, allowing an operator to say ‘scan here, pivot there, package this up’ in plain language instead of writing custom scripts for every step. This allows attackers to rapidly prototype and refine attack chains, making their operations more agile and can allow them to switch from one target to the next more quickly without having to completely re-tool.

Diana Kelley, Chief Information Security Officer at Noma Security, notes that AI defenses must not just keep pace with where attackers are presently at but anticipate what new capabilities they will emerge with: “The disclosure by Anthropic that state-linked actors are using its AI models to automate large portions of cyberattacks underscores the reality that AI is being weaponized by adversaries. The fact that criminals and nation-state actors can now conduct reconnaissance, credential harvesting and data exfiltration with minimal human involvement signals a shift in the threat landscape. Defenders can no longer rely on traditional detection cycles or manual review. Security programs must be shored up with the visibility, automation and disciplined cyber hygiene needed to counter attacks that operate at machine speed. The report from Anthropic is an excellent reminder that we must keep vigilant about foundational security controls and adopt AI-aware response capabilities so we are not playing catch-up in the AI powered breach race.”

Vineeta Sangaraju, Security Solutions Engineer at Black Duck, explores what that might look like: “For many organizations, especially those with resource-constrained security teams, this incident is alarming. If Anthropic— presumably with better insights into how their products are used—needed more than a week to piece together the full scope of the attack campaign, how difficult will it be for typical enterprises to spot AI-driven intrusion? This incident raises a practical dilemma for defenders: how do they build resilience against large-scale, automated attacks other than accelerating and augmenting their incident-response workflows? They need to adapt their security programs in ways that go beyond traditional playbooks— actionable real-time monitoring, smarter feedback loops between detection and response, and faster, continuous validation of their environments. They will need to understand what AI-driven attacks look like behaviorally and integrate suitable anomaly detection that can spot unusual activity at machine speed and accuracy. From a strategic perspective, threat modeling needs to account for this new category of adversaries who can rapidly scale and adapt their attacks using AI in real time. Are organizations inevitably going to be forced to use AI to defend against AI? This incident also raises important concerns about the resilience of models against large scale misuse. A year ago, the dual-use potential of models was already evident. Advancements in capabilities and intelligence were the focus. But this incident shows that misuse-resilience did not advance in parallel. Are there built-in, traceable safeguards that trigger when a frontier model is asked to perform suspicious sequences of tasks? Before releasing a powerful model, what benchmark tests demonstrate that it will reliably follow these safeguards? Will a model automatically shift into a sandboxed, auditable mode when it is prompted to handle high-risk actions? And is there any enforced limit on how much autonomy a model can exercise when performing suspicious operations? Without clear answers, organizations are left with powerful systems in the wild, but no predictable way to protect themselves from their misuse.”

Noelle Murata, Sr. Security Engineer, Xcape, offers some suggestions for immediate response: “This highlights how agentic AI significantly lowers the bar for sophisticated, targeted attacks, effectively giving a single entity the capabilities of a full hacking team. Security professionals should anticipate agentic AI being used both offensively and defensively: they should tighten rate limits and anomaly detection on their own LLM endpoints, limit API keys and scopes, and monitor for scripted bursts indicative of model misuse. On the enterprise side, they should strengthen identity verification (FIDO2), reduce session/token durations, and watch for high-speed reconnaissance activity consistent with AI tools. Anthropic and external researchers also caution against overhyping these findings, as some claims are disputed. This emphasizes the importance of measurement and telemetry when implementing LLMs for sensitive workflows. The time for predictive AI defense is over; the future of cybersecurity is a real-time, autonomous AI war.”