Chinese Hackers Use Anthropic's AI to Launch Automated Cyber Espionage Campaign Summary:
Summary:
State-sponsored threat actors, assessed with high confidence to be Chinese state-sponsored, successfully employed the advanced Anthropic AI, specifically, manipulating the Claude Code tool, to execute their espionage objectives in a campaign observed in mid-September 2025. This campaign is notable for reportedly being the first recorded instance of a large-scale cyberattack leveraging AI's "agentic" capabilities, using AI not merely as an assistant tool, but as an autonomous method of executing sophisticated attacks against high-value targets without the need for substantial human intervention.
The campaign targeted approximately 30 entities globally, including technology, financial, chemical manufacturing, and government sectors, with a subset of the total attempted intrusions succeeding. The attackers abused Claude Code to support nearly every stage of the attack chain, including reconnaissance, vulnerability discovery, exploitation, lateral movement, and data exfiltration. The human operators' role was significantly reduced, focusing on initial setup and strategic authorization decisions at perhaps 4-6 critical escalation points (e.g., approving exploitation). Anthropic estimates the AI executed 80-90% of the tactics in the operations, independently, at an "unprecedented request rate" during the attacks. The system achieved this by receiving malicious tasks as "routine technical requests" to bypass the AI's safety protocols. The attackers relied on publicly available tools rather than custom malware. In the last stages of the attacks, the adversary was observed leveraging Claude to produce comprehensive documentation of their attacks. Anthropic has since banned the responsible accounts and implemented defensive measures.
Security Officer Comments:
Despite its overall sophistication, Anthropic’s investigators noted a limitation with this campaign: the AI's tendency to "hallucinate", fabricating data that it considered to be extracted credentials or sensitive information, but was actually publicly available data. This created roadblocks to the overall scheme's effectiveness. Roadblocks that threat actors are likely to overcome in the near future. This campaign confirms a critical shift in the threat landscape: agentic AI has dramatically lowered the barrier to entry for performing highly sophisticated cyber espionage, becoming more than just an assistant tool. Despite this being a cluster of state-sponsored activity, the AI’s ability to execute complex, multi-stage attacks with minimal human oversight (80-90% autonomously) means that less notable, less-resourced groups can now potentially perform large-scale compromise originally reserved for well-funded nation state actors. Their minimal reliance of proprietary tooling or development of advanced exploits highlights the cybercriminal ecosystem’s significant shift towards the use of an amalgamation of commodity malware. While the AI's "hallucination" tendency currently remains a notable weakness, the overall increase in efficiency is substantial, enabling threat actors to operate at physically impossible request rates and effectively act as an entire team of experienced hackers nearly handsfree. This is a well-timed reminder that an immediate focus on defensive mechanisms specifically tailored to counter autonomous AI agents is paramount.
Suggested Corrections:
https://thehackernews.com/2025/11/chinese-hackers-use-anthropics-ai-to.html
https://www.anthropic.com/news/disrupting-AI-espionage
PDF: https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf
State-sponsored threat actors, assessed with high confidence to be Chinese state-sponsored, successfully employed the advanced Anthropic AI, specifically, manipulating the Claude Code tool, to execute their espionage objectives in a campaign observed in mid-September 2025. This campaign is notable for reportedly being the first recorded instance of a large-scale cyberattack leveraging AI's "agentic" capabilities, using AI not merely as an assistant tool, but as an autonomous method of executing sophisticated attacks against high-value targets without the need for substantial human intervention.
The campaign targeted approximately 30 entities globally, including technology, financial, chemical manufacturing, and government sectors, with a subset of the total attempted intrusions succeeding. The attackers abused Claude Code to support nearly every stage of the attack chain, including reconnaissance, vulnerability discovery, exploitation, lateral movement, and data exfiltration. The human operators' role was significantly reduced, focusing on initial setup and strategic authorization decisions at perhaps 4-6 critical escalation points (e.g., approving exploitation). Anthropic estimates the AI executed 80-90% of the tactics in the operations, independently, at an "unprecedented request rate" during the attacks. The system achieved this by receiving malicious tasks as "routine technical requests" to bypass the AI's safety protocols. The attackers relied on publicly available tools rather than custom malware. In the last stages of the attacks, the adversary was observed leveraging Claude to produce comprehensive documentation of their attacks. Anthropic has since banned the responsible accounts and implemented defensive measures.
Security Officer Comments:
Despite its overall sophistication, Anthropic’s investigators noted a limitation with this campaign: the AI's tendency to "hallucinate", fabricating data that it considered to be extracted credentials or sensitive information, but was actually publicly available data. This created roadblocks to the overall scheme's effectiveness. Roadblocks that threat actors are likely to overcome in the near future. This campaign confirms a critical shift in the threat landscape: agentic AI has dramatically lowered the barrier to entry for performing highly sophisticated cyber espionage, becoming more than just an assistant tool. Despite this being a cluster of state-sponsored activity, the AI’s ability to execute complex, multi-stage attacks with minimal human oversight (80-90% autonomously) means that less notable, less-resourced groups can now potentially perform large-scale compromise originally reserved for well-funded nation state actors. Their minimal reliance of proprietary tooling or development of advanced exploits highlights the cybercriminal ecosystem’s significant shift towards the use of an amalgamation of commodity malware. While the AI's "hallucination" tendency currently remains a notable weakness, the overall increase in efficiency is substantial, enabling threat actors to operate at physically impossible request rates and effectively act as an entire team of experienced hackers nearly handsfree. This is a well-timed reminder that an immediate focus on defensive mechanisms specifically tailored to counter autonomous AI agents is paramount.
Suggested Corrections:
- Assume that a fundamental change has occurred in the cybersecurity threat landscape due to AI capabilities.
- Expand and improve detection capabilities, specifically to account for novel threat patterns and the sustained, high-rate requests characteristic of autonomous attacks.
- Demo proactive early detection systems designed to identify autonomous cyber attack operations.
- Actively experiment with applying AI for defense in critical areas such as SOC automation, threat detection, vulnerability assessment, and incident response.
https://thehackernews.com/2025/11/chinese-hackers-use-anthropics-ai-to.html
https://www.anthropic.com/news/disrupting-AI-espionage
PDF: https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf