ZAP // NightCafe Studio

Chinese spies instructed Claude, Anthropic's LLM, to attack nearly 30 critical organizations in what the company describes as the first AI-orchestrated cyberespionage campaign. Some attacks were successful.
Allegedly Chinese cyber spies resorted to Claude Code to try to digitally infiltrate about 30 high-profile companies and government bodies.
According to a report released this Thursday by the North American company, autonomous AI agents, created by cyber spies who were supported by the Chinese State, “on some occasions managed to penetrate” the computer systems of the attacked entities.
The operation, conducted in mid-September, targeted large technology companies, financial institutions, chemical product manufacturers and government agencies.
Although the choice of targets was made by humans, “this is the first documented case of AI Agents with behaviors aimed at gaining access to high-value targets for information gathering purposes, including large technology companies and government bodies”, reads the 13-page threat report, which Anthropic made public.
The case is also further proof that attackers continue to test the use of AI to conduct offensive operations, and suggests that well-funded, state-sponsored groups are evolving rapidly in the automation of attacks.
Anthropic identifies the Chinese group responsible for the campaign as GTG-1002 and claims that its operators used Claude Code and the Model Context Protocol to execute the attacks without human intervention in the tactical phase.
The operational structure, created by humans, allowed Claude to coordinate attacks in multiple phases, which were then executed by several of Claude's own subagents, each responsible for specific tasks.
Among these tasks were mapping attack surfaces, inspecting infrastructure, identifying vulnerabilities and investigating exploitation techniques.
After the exploit chains and custom malicious payloads were created, a human operator spent between two and ten minutes reviewing the AI's work before authorizing the next steps.
Claude Code’s subagents then moved on to credential validation, privilege escalation, lateral movement within networks, and access to and subsequent theft of sensitive information.
In the post-exploitation phase, the human operator was again limited to reviewing the AI results before approving the final data collection.
“Presenting these tasks to Claude as routine technical requests, through carefully crafted instructions and defined personas, the threat agent managed to induce Claude to run individual components of attack chains without having access to the broader malicious context”, says the report.
After detecting the operation, Anthropic claims to have initiated an investigation that led to the blocking of associated accounts, complete mapping of the campaign, notification of affected entities and coordination with authorities.
These attacks are “a significant worsening” compared with the report published by the company in August, which described how criminals had used Claude in a data extortion operation that hit 17 organizations and in which ransoms of between 75 thousand and 500 thousand dollars were demanded for the stolen data.
In that case, however, “humans clearly remained in charge”, according to the company. “While we anticipated that these capabilities would continue to evolve, what surprised us most was how quickly this happened and the scale achieved”, highlights the new analysis from Anthropic.
There is, however, a slightly positive point in the way the operation went: Claude had episodes of hallucination during the attacks and claimed better results than those actually obtained.
The AI “often exaggerated findings and sometimes invented data during autonomous operations”, forcing the human operator to validate all conclusions.
Among these hallucinations were claims that it had obtained credentials, which then did not work, or had identified critical discoveries that, in reality, corresponded only to public information.
Anthropic considers that these gross errors by AI Agents represent “an obstacle to fully autonomous cyberattacks” — at least for now.
