Yesterday, Artificial Intelligence (AI) company Anthropic announced that it had detected and stopped a large AI-orchestrated cyber espionage campaign. Attackers chose targets while using Anthropic’s AI tools, and AI agents powered by Anthropic’s models attempted to compromise the targets without human involvement. Suspicious activity was first detected by Anthropic in mid-September. The company reports confidence that a Chinese state-sponsored group carried out the attack.
Attackers took advantage of the Model Context Protocol—a standard allowing AI to interface with other applications—to enable AI agents to infiltrate targets effectively. Anthropic’s Claude Code model interfaced with a browser to identify potential vulnerabilities in target systems. Open-source penetration testing tools, including network scanners and password crackers, supplemented the effort. The AI then generated payloads for attackers to deploy against targets. Anthropic indicates that human authorization occurred only when an attack reached readiness for active exploitation.
The attacker group also employed Claude after compromising a target for tasks such as filtering through databases and extracting valuable information, including account details. Anthropic notes that Claude performed 2-6 hours of work autonomously in some cases, as humans needed only to review the AI’s findings and recommendations before approving final data exfiltration.
Anthropic responded to the detected exploitation by banning the relevant accounts, notified affected entities, and coordinated with authorities. The company has improved its ability to detect and classify exploitation while prototyping new proactive detection methods for similar attacks. However, Anthropic anticipates that the barrier to performing sophisticated cyberattacks will continue to drop as models improve.
Anthropic explains that while its models make hacking more accessible, they can also prove crucial for cyber defense. The company states that Claude can “assist cybersecurity professionals to detect, disrupt, and prepare for future versions of the attack.” Anthropic even used Claude to analyze data generated during its investigation.
Anthropic’s full report on the attack is available here.