China launched ‘highly sophisticated’ AI-led espionage campaign — here’s how it was disrupted – Firstpost



Artificial intelligence (AI) giant Anthropic has said that it disrupted a Chinese state-sponsored AI-led espionage campaign.

In the first espionage campaign of its kind, a Chinese state-sponsored group used AI’s ‘agentic’ capabilities to execute cyberattacks against tech companies, financial institutions, chemical manufacturers, and government agencies, according to Anthropic.

In a report released on Monday, Anthropic said that the threat actor, which the company assessed with high confidence to be a Chinese state-sponsored group, manipulated its Claude Code tool into attempting to infiltrate roughly 30 global targets and succeeded in a small number of cases.


For the first time, Anthropic said, a threat actor used AI’s ‘agentic’ capabilities to turn it from an advisor into the executor of cyberattacks. The company said it was the first documented case of a large-scale cyberattack carried out without substantial human intervention.

After discovering the campaign in mid-September, Anthropic said it launched an investigation and mapped the severity and full extent of the operation.

As part of the company’s response, Anthropic banned accounts as they were identified, notified affected entities as appropriate, and coordinated with authorities as the investigation gathered actionable intelligence, the report said.

China is a world leader in cybercrime. Estimates say that up to 30-40 per cent of cyberattacks originate in China. In the past few years, research has shown that Chinese state-sponsored cyberattacks have surged by up to 150 per cent. China has repeatedly attacked critical systems, such as government databases, energy utilities, technology companies, and financial networks, as part of its cyber campaign.

How AI can become a spy

Anthropic said that the attackers exploited the advanced nature of AI to mount these attacks.

AI has now progressed to the point where models can follow complex instructions and understand context in ways that make very sophisticated tasks possible. The coding capabilities of Anthropic’s Claude made the tool particularly useful for this attack.


With such advanced capabilities, AI models can act as ‘agents’, a reference to their ‘agentic’ capabilities, meaning that they can function autonomously with minimal human input. Self-driving cars are a real-life example of such agentic capabilities.

Moreover, AI models now have access to a wide array of software tools, often via the open standard Model Context Protocol. Instead of being mere chatbots, they can search the web, retrieve data, and perform many other actions that were previously the sole domain of human operators.

Cybercriminals can use such tools, coupled with advanced reasoning and agentic abilities, to turn AI into password crackers, network scanners, and other security-related software.

How China turned Anthropic’s Claude into a spy, step by step

The espionage campaign was a multi-phase affair that involved several layers, according to Anthropic.

The campaign was so automated that the attackers were able to use AI to perform 80-90 per cent of the work and needed to intervene only sporadically, at perhaps four to six critical decision points per hacking campaign.

In the first phase, the attackers selected targets and developed an attack framework: a system built to autonomously compromise a chosen target with little human involvement. This framework used Claude Code as the automated tool for the campaign.


The attackers convinced Claude that the tasks it was being told to perform were not harmful. This was key to the campaign, as Claude is otherwise trained to refuse to engage in nefarious activities.

They did this by jailbreaking Claude, essentially tricking it into bypassing its guardrails. To do so, they broke their attack down into small, apparently innocent tasks that Claude would execute without being given the full context of their malicious purpose.

As part of the ruse, the attackers told Claude that they worked for a legitimate cybersecurity firm and that it was being used in defensive testing.

In the second phase, the attackers used Claude Code to inspect the target organisations’ systems and infrastructure and to identify the highest-value databases.

“Claude was able to perform this reconnaissance in a fraction of the time it would’ve taken a team of human hackers. It then reported back to the human operators with a summary of its findings,” the company said.


In the third phase, the attackers used Claude to identify and test security vulnerabilities in the target organisations’ systems, having it research and write its own exploit code. They were then able to use Claude to harvest usernames and passwords that gave it further access, and to extract a large amount of private data, which it categorised according to its intelligence value.

At this stage, the attackers used Claude to identify the highest-privilege accounts, create backdoors, and extract data with minimal human supervision.

In the final phase, the attackers used Claude to produce comprehensive documentation of the attack and to compile files of the stolen credentials and the systems analysed. These materials would have helped the attackers plan the next stage of their campaign.

Because Claude performed many complex tasks in a fraction of the time (thousands of actions per second), the attackers were able to greatly speed up their operation.

“The sheer amount of work performed by the AI would have taken vast amounts of time for a human team. The AI made an attack speed that would have been, for human hackers, simply impossible to match,” Anthropic said in the report.


However, Anthropic said that the work was not always perfect: Claude occasionally hallucinated credentials or claimed to have extracted secret information that was in fact publicly available. Ironically, these shortcomings remain an obstacle to fully autonomous cyberattacks.
