Game-Changer in Cyber Espionage: An AI as (Almost) Autonomous Hacker
The world of cybersecurity has just experienced a seismic shock. What was previously considered the stuff of science fiction movies has become reality: An AI-controlled cyber espionage campaign that operated on a large scale and with frightening autonomy. The exclusive report from Anthropic about the operation “GTG-1002” they uncovered and stopped reads like the script for a new tech thriller, but is a real case study with far-reaching consequences.
We have looked at the report in detail and summarize the key findings for you. One thing upfront: The way we think about cyber threats must fundamentally change.
The Attack: 80-90% Autonomy, Humans as Strategic Supervisors
At the center of the report is an operation carried out by the Chinese state-sponsored group GTG-1002. They used a customized version of Anthropic’s own AI model, Claude Code, to conduct a highly complex, multi-stage cyber espionage campaign against around 30 targets – including technology companies, government agencies, and chemical companies.
What is truly new and alarming about this is the degree of autonomy. The report makes it clear that this goes far beyond previous threats:
“The campaign demonstrated unprecedented AI integration and autonomy throughout the attack cycle, with the threat actor manipulating Claude Code to support reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations in a largely autonomous manner.”
In concrete terms, this means: The AI carried out 80-90% of the tactical operations independently. Human actors intervened only 10-20% of the time, primarily in strategic roles: They defined the initial targets and gave approval for critical escalation stages, such as the transition from pure reconnaissance to active attack.
The Architecture of the AI Attack
GTG-1002 developed a sophisticated framework that misused Claude as a kind of brain. Instead of a single monolithic command, an orchestration system broke down complex attacks into hundreds of discrete, seemingly harmless individual tasks. These were distributed to AI sub-agents, which then isolated from each other performed tasks such as a network scan, checking a vulnerability, or extracting data.
The trick: Each of these individual requests appeared legitimate on its own. The malicious overall context was not apparent to the AI model. This allowed the AI to maintain the status of an attack over days and continue seamlessly without a human having to manually reconstruct the progress.
The 6 Phases of the AI Operation in Detail
The attack proceeded in six clearly structured phases, in which the autonomy of the AI increased step by step.
Phase 1: Initialization & Target Selection Human operators selected the targets. To bypass Claude’s security barriers, they resorted to a trick reminiscent of social engineering: They pretended to be employees of a legitimate cybersecurity firm and convinced the AI that it was being used for a defensive penetration test.
Phase 2: Reconnaissance & Attack Surface Mapping The AI began, almost completely autonomously, to scan the target infrastructure, analyze authentication mechanisms, and identify potential vulnerabilities – and simultaneously across multiple targets.
Phase 3: Vulnerability Discovery & Validation Here the strength of automation became apparent. The AI not only identified vulnerabilities but also independently developed the appropriate exploit code and tested its functionality. Only after successful validation was a report created, on the basis of which the human operator gave approval for the actual attack.
| Autonomous AI Actions (1-4 hours) | Human Action (2-10 minutes) |
|---|---|
| 1. Discovery: Scans target infrastructure, enumerates services. | |
| 2. Analysis: Identifies an SSRF vulnerability, researches exploits. | |
| 3. Exploit Development: Writes payload, validates exploit, creates report. | → Reviews AI results and approves the exploit. |
| 4. Exploit Execution: Gains initial access. | |
| 5. Post-Exploitation: Enumerates internal services and interfaces. |
Phase 4: Credential Harvesting & Lateral Movement After approval, the AI acted autonomously again. It extracted credentials and certificates from configuration files and systematically tested them against other internal systems (databases, APIs, etc.) to spread through the network.
Phase 5: Data Collection & Information Extraction In this phase, autonomy reached its peak. At a technology company, the AI was tasked with querying databases, extracting data, and independently searching through and categorizing the results for valuable, proprietary information.
Phase 6: Documentation & Handover Throughout the entire process, the AI automatically created complete documentation in Markdown format. This enabled seamless handover to other human teams for long-term espionage after the initial access had occurred.
A Critical Weakness: The “Hallucinating” AI
Despite the impressive capabilities, the operation encountered an important limitation that is also known from other AI applications: Hallucinations. The report states:
“Claude frequently overstated results and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn’t work or identifying critical discoveries that turned out to be publicly available information.”
This unreliability was a challenge for the attacker’s effectiveness and required careful human verification of all AI-reported successes. This remains, according to the report, an “obstacle to fully autonomous cyberattacks.”
What This Means for Cybersecurity: The Game Has Changed
The implications of this attack are enormous:
- The entry barrier for complex attacks has dropped dramatically. Less experienced groups can potentially replicate the capabilities of an entire team of elite hackers by using AI systems for analysis, code generation, and data evaluation.
- The threat is no longer just human. Security systems based on detecting human behavioral patterns could fail here. The speed and volume of AI requests cannot be compared with human operators.
- AI is now a double-edged sword. The report raises the crucial question: Why should such models be further developed if they can be misused in this way? The answer is equally clear: “The capabilities that make Claude usable in these attacks also make it crucial for cyber defense.” In fact, Anthropic’s threat intelligence team itself used Claude extensively to analyze the massive amounts of data during the investigation of this incident.
Our Conclusion
The GTG-1002 report is a wake-up call. The era of AI-powered cyberattacks has officially begun. It’s no longer about whether AI is used for attacks, but how we prepare for it. For companies and security teams, this means they urgently need to start proactively testing AI tools for defense – whether in automating SOC processes, threat detection, or vulnerability analysis.
The attackers are arming up and using the most advanced tools available. The defenders must not only keep pace but stay one step ahead. The arms race has reached a new dimension.