In mid-November, Anthropic published a report unlike anything I’ve seen before in cybersecurity. It describes how a state-sponsored "threat actor" manipulated the AI company’s Claude Code agentic coding tool into conducting what appears to be the first large-scale cyber espionage campaign executed primarily by an AI system.
Not assisted by AI. Not enhanced by AI. But run by AI.
It's an extraordinary story and a quietly historic moment. Not because the attack was shocking (it was), but because it marks a point industry experts and others sensed was coming, yet few expected to arrive this soon.
A new threshold in cyber threats
According to Anthropic’s full investigation (PDF report), the operation was carried out by GTG-1002, a Chinese state-sponsored group that the company identifies with "high confidence."
This was a professional, large-scale espionage effort targeting roughly 30 global organisations, ranging from major technology companies to financial institutions and government agencies. A handful of these intrusions succeeded.
What set this operation apart was the degree of autonomy. Anthropic estimates that Claude performed 80-90 per cent of the tactical work, with humans stepping in only at a few key decision points, such as approving escalation or data exfiltration.
A cyberattack that would once require a skilled team was executed at machine scale and machine speed.
How an AI became the attacker
Anthropic’s report makes clear that this wasn’t a case of a model suddenly “going rogue.” It was manipulated.
GTG-1002 used:
- carefully crafted personas,
- role-play as a “legitimate security team,”
- and tasks broken into small, seemingly harmless steps
…to convince Claude to perform actions it would normally refuse.
Behind the scenes, the attackers had built an automated orchestration system. Rather than using Claude as a single assistant, the system treated it as a network of coordinated sub-agents, each responsible for tasks like scanning infrastructure, validating credentials, testing vulnerabilities, or extracting data. These tasks were sent through Model Context Protocol servers in ways that looked legitimate in isolation.
The whole picture looks less like a human hacker at a keyboard and more like a production line, with AI acting as both the workforce and the supervisor.
A glimpse into autonomous operations
Anthropic's report includes detailed examples that show how dramatically the balance has shifted.
In one case, Claude spent several hours:
- scanning a company’s infrastructure
- identifying a vulnerability
- researching how to exploit it
- writing its own exploit code
- testing the payload
- preparing a summary for human approval
The threat actor's human operator spent no more than a few minutes reviewing Claude’s findings before approving the next step.
This pattern appears across the campaign. Claude authenticated into systems with stolen credentials, mapped internal databases, created backdoor accounts, extracted sensitive data, and then generated complete documentation of its own actions.
The tempo was startling: thousands of operations, sometimes several per second.
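A defender's view of that tempo, as an added example that is not from Anthropic's report or the original article: a sliding-window count over audit events flags accounts whose sustained activity rate exceeds what a person at a keyboard produces. The event format, account names, window and threshold are illustrative assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for illustration; calibrate against your own baseline,
# and apply to interactive accounts (batch/service accounts are legitimately fast).
WINDOW = timedelta(seconds=10)
THRESHOLD = 20  # events per window that no human operator plausibly sustains

def build_sample():
    """Constructed audit events as (timestamp, account, action); not real data."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    events = []
    # "svc-build": 40 operations 250 ms apart, i.e. several per second, sustained.
    for i in range(40):
        events.append((base + timedelta(milliseconds=250 * i), "svc-build", "db.query"))
    # "alice": 12 operations 7 s apart, a plausible human pace.
    for i in range(12):
        events.append((base + timedelta(seconds=7 * i), "alice", "db.query"))
    # "bob": one short burst of 5 operations (a page load), then nothing.
    for i in range(5):
        events.append((base + timedelta(milliseconds=100 * i), "bob", "file.read"))
    return sorted(events)

def peak_window_counts(events, window=WINDOW):
    """Return {account: largest number of events inside any sliding window}."""
    recent = defaultdict(deque)   # per-account timestamps still inside the window
    peak = defaultdict(int)
    for ts, account, _action in events:   # events must be in time order
        q = recent[account]
        q.append(ts)
        while ts - q[0] >= window:        # drop timestamps that aged out
            q.popleft()
        peak[account] = max(peak[account], len(q))
    return dict(peak)

def flag_machine_tempo(events, window=WINDOW, threshold=THRESHOLD):
    """Accounts whose peak window count exceeds the threshold, sorted by name."""
    peaks = peak_window_counts(events, window)
    return sorted(acct for acct, n in peaks.items() if n > threshold)

if __name__ == "__main__":
    sample = build_sample()
    print(peak_window_counts(sample))
    print(flag_machine_tempo(sample))
```

A short burst such as a page load stays under the threshold; only a rate held across the whole window is flagged.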
The imperfections that slowed the attackers
One detail in the report is surprisingly reassuring.
Despite its sophistication, Claude frequently:
- overstated its success
- hallucinated credentials
- misidentified public information as “high-value”
- produced findings that the attackers could not validate
This forced GTG-1002 to double-check key results. It did not stop the operation, but it slowed it – a reminder that today’s AI is powerful, but not infallible.
A shift with wider implications
Anthropic frames the incident clearly: the barrier to running sophisticated cyberattacks has fallen significantly. Skilled adversaries can now scale their operations in ways humans cannot. Less skilled actors, equipped with the right tools, may soon be able to do the same.
The report highlights another important point: GTG-1002 relied largely on commodity penetration tools rather than advanced, custom malware.
The innovation was not the tools – it was the automation.
For organisations, this means:
- the speed of threats is accelerating
- attacks can now unfold across multiple fronts at once
- traditional “human tempo” security is no longer enough
This is not a theoretical future. It is here.
The dual-use reality
Anthropic raises the essential question: If AI can be misused at this scale, why keep developing it?
Their answer is pragmatic: The same capabilities that make AI useful for attackers also make it indispensable for defenders. Anthropic’s own Threat Intelligence team used Claude extensively to analyse enormous volumes of data during the investigation.
Defensive use of AI – from automated detection to incident response – is not optional. It is now part of baseline resilience.
But as Anthropic puts it, security teams must accept that a fundamental change has already occurred.
Community criticism
While Anthropic presents this as a landmark moment, some security researchers have raised concerns about the level of detail in the report. Those concerns are worth bearing in mind when interpreting the significance of this moment.
For example, a critical analysis in The Stack argues that the disclosure lacks the technical evidence usually expected in incident reporting, particularly around indicators of compromise and data validation.
This doesn’t diminish the importance of Anthropic’s findings, but it does remind us that the whole picture may be more complex than the initial narrative suggests. And it shows that this is likely an early chapter rather than the full story.
Lessons from today's threat landscape
Recent incidents affecting major UK brands like Marks & Spencer and other retailers earlier this year, and Jaguar Land Rover more recently, show how disruptive and costly even conventional cyber breaches can be – and how quickly they can become communication challenges as much as technical ones.
They serve as reminders that clear, timely and responsible communication is already difficult in familiar circumstances. As more attacks begin to show signs of automation, that responsibility grows: communicators will need to help organisations navigate uncertainty, explain what is known and not known, and maintain trust when the pace of events outruns traditional playbooks.
A preview, not an anomaly
The Anthropic story is unsettling. But it is also instructive.
The real question now is not whether this kind of attack will happen again, but whether organisations – and the people who lead them – are prepared for a world where cyber threats can think for themselves.
For communicators, this demands a more strategic approach to awareness and stakeholder engagement – helping people understand the risks and realities without fuelling unnecessary alarm.
Our readiness will depend not only on the technology we deploy, but also on the narratives we shape and the clarity with which we help others interpret moments like this.
Are we ready?
Sources:
- Disrupting the first reported AI-orchestrated cyber espionage campaign - Anthropic blog, 13 November 2025
- Disrupting the first reported AI-orchestrated cyber espionage campaign - full report (PDF), 17 November 2025
- The First AI-Orchestrated Cyberattack Just Happened. Your Board Will Have Questions - Coder, 14 November 2025