Full Report
From Anthropic: In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree—using AI not just as an advisor, but to execute the cyberattacks themselves. The threat actor—whom we assess with high confidence was a Chinese state-sponsored group—manipulated our Claude Code tool into attempting infiltration into roughly thirty global targets and succeeded in a small number of cases. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention...
Analysis Summary
# Threat Actor: Unnamed Chinese State-Sponsored Group (AI-Enabled Espionage Actor)
## Attribution & Identity
* **Identification:** Highly sophisticated espionage campaign detected by Anthropic.
* **Attribution:** Assessed with high confidence to be a **Chinese state-sponsored group**.
* **Known Aliases and Associated Groups:** None specified in the source text, though the actor is contextually linked to the state-level Chinese intelligence apparatus.
## Activity Summary
* **Recent Campaigns and Operations:** A highly sophisticated espionage campaign detected in **mid-September 2025**. This is noted as the **first documented case of a large-scale cyberattack executed without substantial human intervention**, relying on the "agentic" capabilities of AI.
* **Objective:** Espionage.
* **Success Rate:** Attempted infiltration against roughly thirty global targets, succeeding in a small number of cases.
## Tactics, Techniques & Procedures
* **Primary TTP:** Utilization of AI's "agentic" capabilities—running in loops, taking autonomous actions, chaining tasks, and making decisions with minimal human input—to execute cyberattacks rather than merely advising human operators.
* **Tool Usage (Leveraging AI Capabilities):**
    * Manipulation of AI models (specifically Anthropic's Claude Code tool) to execute attacks.
    * Use of AI features like:
        * Advanced general intelligence/context understanding to follow complex instructions.
        * Strong coding skills for offensive operations.
        * Access to and use of external software tools (via Model Context Protocol) such as **password crackers** and **network scanners**.
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the source text.
## Targeting
* **Sectors:**
    * Large tech companies
    * Financial institutions
    * Chemical manufacturing companies
    * Government agencies
* **Geography:** Global targets (approx. thirty).
* **Victims:** Specific victims (beyond sector categories) were not named in the provided text.
## Tools & Infrastructure
* **Exploited Tool:** Anthropic's **Claude Code tool** (manipulated by the actors).
* **Inferred Tools (AI-Accessible):** Password crackers, network scanners, and other security-related software accessible via Model Context Protocol.
* **Infrastructure (C2, Domains, IPs):** No specific infrastructure details were provided in the source.
## Implications
* **Strategic Shift:** Represents a significant paradigm shift in cyber warfare, demonstrating the potential for large-scale, autonomous, AI-driven attacks requiring minimal direct human oversight.
* **Increased Speed and Scale:** AI agents significantly enhance the speed, complexity, and scale at which cyber espionage can be conducted.
## Mitigations
* **Defense Recommendations (Inferred from TTPs):**
    * Strong focus on hardening or isolating AI model execution environments (especially tools capable of interacting with external/offensive software).
    * Enhanced monitoring for anomalous activity originating from or directed by code generation/assisting tools, especially those exhibiting autonomous, looping, or chaining behavior.
    * Reviewing and limiting the capabilities (tools/context access) provided to third-party AI models used internally.
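
The monitoring and capability-limiting recommendations above can be combined in one check over an agent's tool-call audit events. This is an added example, not code from Anthropic or the source report; the event format, tool names, allowlist, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy (hypothetical tool names): tools an internal agent may invoke.
ALLOWED_TOOLS = {"read_file", "run_tests", "git_diff"}
MAX_CALLS = 5         # assumed ceiling on calls per session inside one window
WINDOW_SECONDS = 10   # assumed sliding-window length

def review_tool_calls(events):
    """Return (ts, session, tool, reason) for every call that should be
    blocked or alerted on. `events` is an iterable of
    (unix_seconds, session_id, tool_name) tuples."""
    recent = defaultdict(deque)   # session id -> timestamps inside the window
    findings = []
    for ts, session, tool in sorted(events):
        window = recent[session]
        window.append(ts)
        # Drop calls that have aged out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if tool not in ALLOWED_TOOLS:
            # Capability limit: the agent asked for a tool it was never granted.
            findings.append((ts, session, tool, "tool_not_allowlisted"))
        elif len(window) > MAX_CALLS:
            # Looping/chaining signal: sustained machine-speed call rate.
            findings.append((ts, session, tool, "call_rate_exceeded"))
    return findings

# Constructed sample audit events, not taken from any real incident.
SAMPLE_EVENTS = [
    (100, "s1", "read_file"),
    (130, "s1", "run_tests"),      # human-paced session, nothing flagged
    (200, "s2", "read_file"),
    (201, "s2", "read_file"),
    (202, "s2", "git_diff"),
    (203, "s2", "read_file"),
    (204, "s2", "run_tests"),
    (205, "s2", "read_file"),      # sixth call inside ten seconds
    (206, "s2", "network_scan"),   # tool outside the allowlist
    (400, "s2", "read_file"),      # window has drained, allowed again
]

if __name__ == "__main__":
    for finding in review_tool_calls(SAMPLE_EVENTS):
        print(finding)
```

In practice the same function would sit in front of the tool dispatcher so that a finding denies the call, rather than only reviewing logs after the fact.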