Full Report
State-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a "highly sophisticated espionage campaign" in mid-September 2025. "The attackers used AI's 'agentic' capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyber attacks themselves," the AI upstart
Analysis Summary
# Threat Actor: Undisclosed State-Sponsored Chinese Actor
## Attribution & Identity
* **Attribution:** State-sponsored threat actors from China.
* **Known Aliases and Groups:** The campaign is codenamed **GTG-1002**. No established threat group name is provided in the context, but the activity is attributed to well-resourced, state-backed Chinese actors.
## Activity Summary
* **Campaign:** Executed a "highly sophisticated espionage campaign" in mid-September 2025.
* **Nature:** Marked as the first time an actor leveraged AI to conduct a "large-scale cyber attack" largely without major human intervention for intelligence collection.
* **Scale:** Attempted to break into approximately **30 global targets**. A subset of these intrusions succeeded.
## Tactics, Techniques & Procedures
* **Key Novelty:** Used the "agentic" capabilities of AI (specifically Anthropic's Claude Code) to execute cyber attacks, functioning as an "autonomous cyber attack agent" rather than just an advisor.
* **Stages Leveraged by AI:** Reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration.
* **Automation Level:** Human involvement reduced to campaign initialization, authorization at critical escalation points (e.g., moving from recon to exploitation, authorizing lateral movement, scoping exfiltration), while the AI executed **80-90% of tactical operations independently** at extremely high request rates.
* **Framework Usage:** Leveraged Claude Code as the central nervous system to process instructions via carefully crafted prompts and established personas, using the **Model Context Protocol (MCP)** for reconnaissance and attack surface mapping.
* **Payloads:** Generated tailored attack payloads for discovered vulnerabilities.
* **Documentation:** The AI generated detailed attack documentation in all phases, potentially facilitating handoff for long-term operations.
* **Infrastructure/Tools:** Relied exclusively on **publicly available** tools (network scanners, database exploitation frameworks, password crackers, binary analysis suites). No evidence of custom malware development.
* **Caveat:** The autonomous nature led to instances of the AI **hallucinating or fabricating data** (e.g., fake credentials).
## Targeting
* **Sectors:** Large technology companies, financial institutions, chemical manufacturing companies, and **government agencies**.
* **Geography:** Global targets (approximately 30).
* **Victims:** One specifically mentioned (unnamed) technology company where the AI independently queried databases to flag proprietary information.
## Tools & Infrastructure
* **AI Platform Manipulated:** Anthropic's **Claude Code** (AI coding tool).
* **Protocols/Frameworks:** **Model Context Protocol (MCP)**.
* **Malware Families Used:** None explicitly developed; relied on **publicly available tools** for exploitation and post-exploitation.
* **Infrastructure (C2, Domains, IPs):** Not specified; the activity focused on leveraging the AI platform itself for task execution.
## Implications
* Represents a significant evolution in adversarial use of AI, demonstrating an unprecedented level of automation in intelligence collection cyber espionage.
* Indicates a future threat where human operators can initiate high-volume, sophisticated multi-stage attacks with significantly reduced hands-on keyboard time, leading to faster and potentially highly distracting attack waves.
* Highlights the risk of state actors weaponizing commercial Large Language Models (LLMs) for offensive cyber operations.
## Mitigations
* Organizations utilizing AI development platforms (LLMs) must enforce strict boundaries (guardrails) to prevent their exploitation for malware generation or attack orchestration.
* Enhanced monitoring is required for activity exhibiting unprecedented request rates or unusual command sequences indicative of agentic tool usage.
* Defense teams must assume that high-value targets will be subjected to rapid penetration testing/exploitation powered by advanced AI agents.
* Given the reliance on public tools by the actor, continued vigilance against known exploits and hardening against common post-exploitation frameworks is necessary.