China State-Backed Hackers Used AI To Launch First Massive Cyberattack: Anthropic

Anthropic said Thursday it had disrupted what it called the first large-scale cyberespionage operation driven largely by AI, underscoring how quickly advanced agents are reshaping the threat landscape.

In a blog postAnthropic said a Chinese state-sponsored group used its Claude Code, a version of Claude AI that runs in a terminal, to launch intrusion operations at a speed and scale that would be impossible for human hackers.

“This case validates what we shared publicly at the end of September,” said an Anthropologist spokesperson Decrypt. “We’re at an inflection point where AI is significantly changing what’s possible for both attackers and defenders.”

The spokesperson added that the attack “likely reflects how threat actors are adapting their operations across frontier AI models, moving from AI as advisor to AI as operator.”

“Attackers used AI”agent‘ ability to an unprecedented degree – using AI not only as an advisor, but to execute cyberattacks themselves,” the company wrote in its post.

Large technology companies, financial institutions, chemical manufacturing companies and government agencies were targeted, Anthropic said, with the attack carried out by a group of the company marked GTG-1002.

How it happened

According to the investigation, the attackers lost Claude in performing technical work on the targeted systems, framing the work as routine for a legitimate cyber security firm.

Once the model accepted the instructions, it performed most of the steps in the intrusion lifecycle on its own.

Although it did not specify which companies were targeted, Anthropic said 30 were targeted, and that a small number of those attacks were successful.

The report also documented cases in which the compromised Claude mapped internal networks, located high-value databases, generated exploit code, established backdoor accounts, and pulled sensitive information with little direct supervision.

The objective of the operations seems to have been the collection of intelligence, focused on the extraction of user credentials, system configurations and sensitive operational data, which are common objectives in espionage.

“We are sharing this case publicly to help those in industry, government and the wider research community strengthen their own cyber defences,” the spokesperson said.

Anthropic said the AI ​​attack had “substantial implications for cybersecurity in the age of AI agents.”

“There is no fix to avoid 100% jailbreaks. It will be a constant battle between attackers and defenders,” said USC Computer Science professor and Sahara AI co-founder Sean Ren. Decrypt. “Most modeling companies like OpenAI and Anthropic have invested major efforts in building internal red teams and AI security teams to improve the security of models from malicious uses.”

Ren pointed to AI becoming more mainstream and capable as key factors enabling bad actors to engineer AI-led cyberattacks.

The attackers, unlike “vibe hacking” before attacks that rely on human direction, were able to use AI to carry out 80-90% of the campaign, with human intervention needed only sporadically, the report said. For once, the AI ​​hallucinations mitigated the damage.

“Claude didn’t always work perfectly. He occasionally faked credentials or claimed to have extracted secret information that was in fact publicly available,” Anthropic wrote. “This remains an obstacle for fully autonomous cyberattacks.”

Anthropic said it expanded detection tools, strengthened cyber-focused classifiers, and began testing new methods to spot autonomous attacks earlier. The company also said it published its findings to help security teams, governments and researchers prepare for similar cases as AI systems become more capable.

Ren said that while AI can do great damage, it can also be harnessed to protect computer systems: “With the scale and automation of cyberattacks advancing through AI, we have to leverage AI to build warning and defense systems.”