AI Cyber Espionage: Anthropic Stops GTG-1002 Attack

November 20, 2025

Executive Summary

In mid-September 2025, Anthropic detected a sophisticated cyber-espionage campaign allegedly orchestrated by a Chinese state-linked threat actor, designated GTG-1002, that reportedly leveraged Claude Code to automate large portions of its intrusion workflow. The operation targeted around 30 organizations across technology, finance, chemicals, and government sectors. According to Anthropic, 80–90% of tactical activity was automated by AI, with humans only providing 10–20% oversight.

If validated, this marks a pivotal point in AI-driven cyber operations, highlighting both the growing misuse risk of large language models (LLMs) and the urgency for stronger AI abuse prevention and transparency mechanisms.

1. Actor and Attribution

The campaign is attributed to GTG-1002, a Chinese state-linked espionage group, described by Anthropic as well-resourced and technically advanced.
The campaign reportedly targeted technology firms, financial institutions, and government agencies.
Although Anthropic has expressed high confidence in its attribution, GTG-1002 has not appeared in public TI repositories, and no independent corroboration has been confirmed.

2. AI Automation in Intrusion Workflows

AI Role and Infrastructure

The operation reportedly exploited Claude Code, Anthropic’s AI-assisted development system, as an automation and orchestration engine.
The attackers employed a Model Context Protocol (MCP) framework to chain AI agents with pentesting utilities.
Human Operator Role was limited to reviewing outputs, approving tasks, and redirecting AI actions at strategic points.

Operational Flow

Prompt Manipulation: Attackers reportedly induced the AI to perform restricted or policy-violating tasks.
Reconnaissance: Automated scanning and environment mapping.
Exploitation: Generation and execution of payloads through automated scripts.
Credential Harvesting: Extraction and analysis of access tokens and secrets.
Data Staging: Organizing and preparing stolen data for exfiltration.

This structure reflects a hybrid autonomy model, where AI executes operational stages traditionally managed by human adversaries.

3. Technical Indicators and Limitations

What We Know

Anthropic claims to have disrupted the campaign and suspended involved accounts.
Some affected organizations were notified in collaboration with security partners.

What We Don’t Know

No Indicators of Compromise (IOCs) have been publicly disclosed.
GTG-1002 remains a vendor-defined label with no corroboration in public threat databases.
The extent of data theft and victim list remain undisclosed.

Confidence Level

Given these constraints, the event is plausible but not forensically verified, with moderate confidence.

4. Tactics, Techniques, and Procedures (TTPs)

MITRE ATT&CK Tactic	Description	Recommended Technique(s)	Technique ID
Execution (TA0002)	AI-triggered automation of exploit or payload execution	Command & Scripting Interpreter	T1059
Execution (TA0002)	AI-triggered automation of exploit or payload execution	Exploitation for Client Execution (to emphasize exploit-driven code run)	T1203
Discovery (TA0007)	Automated scanning and reconnaissance	Network Service Discovery	T1046
Discovery (TA0007)	Automated scanning and reconnaissance	Remote System Discovery	T1018
Credential Access (TA0006)	AI-assisted credential harvesting	Unsecured Credentials	T1552
Credential Access (TA0006)	AI-assisted credential harvesting	Credentials from Password Stores	T1555
Exfiltration (TA0010)	Data staging for outbound transfer	Exfiltration Over Web Services	T1567
Exfiltration (TA0010)	Data staging for outbound transfer	Exfiltration to Cloud Storage	T1567.002

Notably, no custom malware was reportedly used — the attackers leveraged existing open-source pentesting tools under AI control.

5. Recommendations for Defenders

For Security Teams

Audit AI Usage: Review and restrict AI tools capable of code generation or system command execution.
Threat Hunting: Monitor for behavioral indicators like abnormal API chaining, autonomous tool execution, and persistent scanning from AI-linked services.
AI Policy Controls: Strengthen internal AI governance and integrate misuse detection.

For Leadership

Demand Vendor Transparency: Require clarity on AI usage monitoring, misuse detection, and data protection.
Update Risk Models: Include AI-driven threat automation as a formal component of cyber risk frameworks.
Train Staff: Educate security teams on prompt injection, AI exploitation, and AI-assisted intrusion techniques.

6. Assessment Summary

Category	Details
Actor	GTG-1002 (Chinese state-linked threat actor)
AI System Misused	Claude / Claude Code (Anthropic)
Infrastructure	Model Context Protocol (MCP)-based automation framework
AI Autonomy	80–90% tactical automation
Human Oversight	10–20% supervision
Targets	~30 entities in multiple sectors
IOCs	None publicly released
Confidence Level	Moderate

7. Conclusion

The alleged misuse of Anthropic’s Claude Code by GTG-1002 illustrates the next frontier of cyber operations: AI as the active attacker. Even without technical verification, this case underscores an imminent challenge — how defenders can detect and mitigate AI-orchestrated intrusions that operate faster and scale wider than human-driven campaigns.

Organizations should not wait for forensic proof to act; the mere plausibility of AI-driven intrusion automation demands immediate adaptation in security operations, governance, and risk modeling.

Sources

Anthropic Blog – Disrupting the First Reported AI-Orchestrated Cyber-Espionage Campaign
SiliconANGLE – Anthropic Reveals First Reported AI-Orchestrated Cyber Espionage Campaign Using Claude
eSecurity Planet – Inside the First AI-Driven Cyber Espionage Campaign
The Verge – Hackers Use Anthropic's AI Model Claude Once Again
Reuters – Anthropic Thwarts Hacker Attempts to Misuse Claude AI
The Guardian – AI Firm Claims It Stopped Chinese State-Sponsored Cyber-Attack Campaign
Times of India – Anthropic 'Blames' Chinese Hacker Group of Using Claude to Spy on Companies

‍