First AI-Orchestrated Cyber-Espionage: Claude Code Executed 80%+ of China-Linked Intrusion
A Chinese cyber-espionage group designated by Anthropic as GTG-1002 exploited the capabilities of the Claude Code model in an attempt to breach roughly thirty major corporations and government entities. This is the first documented instance in which an agentic artificial intelligence succeeded in reaching genuinely high-value targets within the scope of an intelligence operation. According to the developer, the attackers achieved success in select cases, though the company has not disclosed the extent of the damage.
The campaign began in mid-September and targeted technology conglomerates, financial institutions, chemical manufacturers and state agencies. Human involvement was limited to choosing targets and performing a final review of the AI’s actions; the full tactical workload was executed by a hierarchy of Claude sub-agents woven into a multi-layered system.
GTG-1002 employed a combination of Claude Code and the Model Context Protocol (MCP), which enables a model to interact with tools and execute commands that extend far beyond simple text dialogue. Using these components, the operators built a bespoke framework that distributed the stages of the attack across multiple submodules. Each agent handled its own segment of the operation: mapping infrastructure, performing scans, studying system configurations, uncovering weak points and determining practical avenues for exploitation.
Once the sub-agents composed exploitation chains and generated payloads, a human reviewed the results—usually within two to ten minutes—and authorised the next steps. The AI then moved into the subsequent phase, which included attempting to obtain and validate credentials, escalating privileges, moving laterally across the internal network and handling confidential data. In the final stage, the human intervened only to review and approve data exfiltration.
Anthropic analysts note that the threat was amplified by the attackers’ tactic of disguising their commands as benign technical tasks, assigning the model specific roles and workflows. As a result, Claude executed isolated elements of a malicious sequence without having visibility into the full context of the attack. This technique allowed the adversaries to circumvent built-in safeguards that typically flag high-risk actions when accompanied by an obvious malicious narrative.
Anthropic detected the activity, conducted an internal investigation, blocked associated accounts, notified affected organisations and relayed details to law-enforcement authorities. In the company’s assessment, the incident represents a new level of operational automation among state-aligned groups: they are now experimenting not merely with code generation or data analysis, but with orchestrating near-autonomous attacks.
The developers also recall that as early as August they observed extortion attempts in which criminals used Claude to pressure seventeen organisations. In that episode, AI assistance was present, but operators still performed much of the work manually. In the latest case, the degree of autonomous decision-making rose sharply—enough for Anthropic to describe it as “a significant escalation of the threat.”
Yet the attacks had their weaknesses. Like any large model, Claude exhibited hallucinations: it credited itself with successes that never occurred or “discovered” data that proved useless. At times, the model insisted it had obtained valid credentials, only for login attempts to fail. It occasionally presented widely known information as a critical breakthrough. Such errors forced operators to manually verify each pivotal action—an obstacle that, in Anthropic’s view, still prevents fully autonomous cyberattacks.
Even so, the episode illustrates how swiftly the field of agentic systems is advancing: GTG-1002 managed to construct an attack chain in which artificial intelligence performed the vast majority of operations—from reconnaissance to post-exploitation. For the security community, it is an unmistakable warning sign.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
