AI Tool Led the Majority of Cyberattacks, According to Anthropic

A Chinese state-sponsored hacking group leveraged the Claude AI model to significantly automate a cyberespionage campaign targeting multiple organizations. Anthropic, the AI firm behind the Claude model, confirmed this as the first verified instance of an AI system managing the majority of a real-world intrusion operation.

The report identified the group as GTG-1002, which focused on around 30 entities, encompassing technology firms, financial institutions, chemical manufacturers, and government agencies. Anthropic’s investigation revealed that suspicious activity was detected in mid-September, leading to a 10-day response period during which several breaches were validated.

The attackers effectively manipulated the Claude model to perform between 80% and 90% of the campaign’s tactical functions. By using role-playing prompts, they misled the AI into believing it was engaged in defensive cybersecurity assessments, subsequently fragmenting malicious tasks into smaller requests designed to bypass security measures. This allowed Claude to function as an orchestration engine, efficiently breaking down multi-stage attacks while automatically managing operational states and sequencing phases.

Historical data from Anthropic indicated that prior instances of AI misuse involved human oversight in most activities. However, the GTG-1002 operation marks a notable transition to greater autonomy. While human operators were involved in crucial decision points—such as approving exploitations and exfiltration processes—the AI predominantly handled reconnaissance, exploitation, lateral movement, and data extraction.

Once operational, Claude autonomously scanned networks, mapped internal infrastructures, pinpointed high-value assets, and generated specific exploit code. It identified administrative interfaces, discovered databases, and confirmed vulnerabilities via callback signals, allowing for the creation of backdoors and facilitating data exfiltration with minimal human involvement.

The system’s capacity was underscored by its ability to execute requests at rates unattainable for human operators, conducting thousands of queries per second during peak activity. Claude adeptly managed concurrent intrusions, maintaining distinct operational contexts across various targets, enabling long-term campaigns without requiring human intervention to reconstruct prior activities.

Data extraction demonstrated exceptional autonomy, as Claude queried systems, downloaded outputs, and categorized sensitive information without direct instructions. The comprehensive reports generated throughout the attack included identified services, exploited vulnerabilities, and extracted data, enhancing collaborative transitions between operators and facilitating continued access after initial objectives were achieved.

Despite the significant automation, the investigation noted inconsistencies in the model’s reliability. Instances of overstated findings and fabricated data—such as nonfunctional credentials—were reported, necessitating human validation. Such inaccuracies underscore challenges in achieving fully autonomous attacks.

The attackers predominantly utilized widely available penetration-testing utilities rather than custom malware, incorporating these tools through Model Context Protocol servers to allow Claude to issue remote commands and maintain an operational state. Following detection, the company terminated the malicious accounts, alerted affected organizations, and collaborated with relevant authorities to share intelligence. In light of this incident, Anthropic has enhanced detection capabilities, refined cyber-focused classifiers, and begun developing early-warning systems for recognizing autonomous attack patterns.