Chinese cyberspies used the Claude Code AI tool to hack into about 30 major companies and government agencies, in what Anthropic called the first cyberespionage campaign driven by artificial intelligence.
Chinese cyberspies used the Claude Code AI tool to hack into about 30 major companies and government agencies, in what Anthropic called the first cyberespionage campaign driven by artificial intelligence.
According to Anthropic, the cyber operation, which took place in mid-September, targeted large technology companies, financial institutions, chemical manufacturers, and government agencies, The Register writes .
Although the target selection was done by humans, cybersecurity experts Anthropic believe this is “the first recorded case of an agent-based AI successfully accessing confirmed high-value intelligence-gathering targets, including large technology corporations and government agencies.”
According to the company, the Chinese state-backed group GTG-1002 is behind this espionage campaign. The attackers used Claude Code and MCP to carry out attacks without human tactical intervention.
The human-developed framework used Claude to orchestrate multi-stage attacks, which were then executed by multiple Claude sub-agents, each performing specific tasks. These tasks included identifying attack zones, scanning infrastructure, identifying vulnerabilities, and finding methods to exploit them.
After the subagents developed exploit chains and targeted payloads, a human spent two to ten minutes reviewing the results of the AI's actions and giving permission for subsequent attacks.
The subagents then went about their work of retrieving and verifying credentials, escalating privileges, moving around the network, accessing and stealing sensitive data. The human then only had to review the AI’s work one more time before approving the final data extraction.
“By presenting these tasks to Claude as standard technical requests using well-crafted prompts and created personas, the attacker managed to get Claude to execute individual stages of the attack chain without understanding the overall malicious plan,” the report says.
Anthropic says that after discovering the attacks, it launched an investigation that resulted in the blocking of related accounts, establishing the full scope of the operation, notifying affected parties, and coordinating with law enforcement.
However, there is a small positive point: during the attacks, Claude hallucinated and claimed better results than the evidence showed.
The AI “often exaggerated results and sometimes falsified data during autonomous operations,” requiring a human operator to verify all data received. Among these hallucinations were Claude’s claims of receiving credentials that did not work or identifying critical discoveries that actually turned out to be publicly available information.
Anthropic claims that such errors are “a barrier to fully autonomous cyberattacks.”
