New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

All Articles
Security
5 min read

An AI Ran Most of a Cyber-Espionage Campaign. Now What?

Anthropic's report on a state-sponsored campaign that turned Claude into the operator is the clearest picture yet of agentic attacks – and of why the fundamentals, human layer included, still decide who gets in.

Christina Arcane

Last week Anthropic published something the security industry has been predicting, dreading, and arguing about in roughly equal measure: a detailed report on a cyber-espionage campaign – attributed to a Chinese state-sponsored group – in which the attackers used Claude's agentic coding capabilities to run 80 to 90 per cent of the operation autonomously. Roughly thirty organisations were targeted worldwide: tech companies, financial institutions, chemical manufacturers, government agencies. A handful of intrusions succeeded before Anthropic detected the activity, banned the accounts, and notified authorities and affected parties.

Strip away the discourse and the report describes a fairly complete intrusion lifecycle – reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, exfiltration – executed largely by an AI agent, with humans stepping in at a few decision points per campaign rather than per task.

It's worth reading in full. In the meantime, here's what we think it does and doesn't change.

How they got the model to do itLink to this section

The jailbreak wasn't an exotic exploit. The operators told Claude a story: that it was working for a legitimate cybersecurity firm doing authorised testing. Then they decomposed the campaign into small tasks – scan this, check that, write this script – each innocuous enough in isolation that no single request looked like an attack.

Two things follow. First, model safeguards matter and will keep improving, but "convince the intern each step is fine" is an old social- engineering pattern, now aimed at machines, and it will not be solved outright. Second – and genuinely useful for defenders – the same decomposition that fooled the model is visible in aggregate. Detection happened because the pattern of activity gave the game away. Volume and tempo are the attacker's advantage and their tell.

What actually changed: the economicsLink to this section

The honest headline isn't "AI invented new attacks". Every technique in the report existed before. What changed is the cost curve: work that required a team of skilled operators – the patient recon, the tailored exploitation, the methodical lateral movement – ran at machine speed with a skeleton human crew. The report notes attack tempo at thousands of requests, often multiple per second, at sustained peaks no human team matches.

When something gets cheaper, you get more of it. That's the planning assumption to update: campaigns of this sophistication were rationed by the supply of skilled attackers. That ration is loosening – which means mid-tier organisations that comfortably assumed they weren't worth a skilled team's time should retire that assumption. The B-team threat actor now fields A-team tooling.

What didn't changeLink to this section

A detail from the report deserves more attention than it's getting: the agent hallucinated during operations – overstating findings, occasionally claiming credentials that didn't work or "discovering" things that were public. Attackers, it turns out, have an AI verification problem too. Autonomy at scale is not infallibility, and sloppy, noisy, over-eager automation is exactly the kind that tripwires catch.

Meanwhile, every boring defensive fundamental held its value. The agent exploited unpatched systems, harvested over-privileged credentials, and moved laterally through flat networks – the same doors as always, opened faster. Patching cadence, MFA, least privilege, segmentation, egress monitoring: nothing in the report devalues them; everything in it raises the price of neglecting them, because the window between "exposure exists" and "exposure found" is collapsing.

And initial access still runs disproportionately through people. AI-assisted operations make the human layer more attractive, not less – reconnaissance this cheap produces phishing this tailored. Your workforce should now assume the lure references the right project, the right colleague, and the right invoice number. "Spot the typo" training died years ago; judgement-based training – verify the request through a second channel, treat urgency as a signal, report without shame – is what's left, and it's what we teach.

Defenders get the same engineLink to this section

The report's least-quoted conclusion may be its most important: the capabilities that ran the attack are the capabilities Anthropic's own security team used to investigate it. Triage, log analysis, incident correlation – the drudgery that burns out SOC analysts – is precisely what agents are good at.

There's an uncomfortable symmetry here, and organisations only get the good half if they engage: defenders who learn to supervise AI investigation agents effectively will handle the rising tempo; defenders who ban the technology outright will face machine-speed attacks with human-speed response.

For your next board conversationLink to this section

The questions worth tabling, in the order we'd table them:

  1. Would our monitoring notice thousands of methodical, low-and-slow requests that never trip a signature? (Tempo is the new indicator.)
  2. What's our actual patch window on internet-facing systems, and has it ever been tested against days rather than weeks?
  3. Which credentials could do the most damage on autopilot, and when did we last shrink them?
  4. Are our people trained for perfectly personalised lures – and do they report near-misses fast enough for the SOC to see a campaign forming?
  5. Where could our use of AI agents be manipulated the same way – what do our agents read, and who can write to it?

None of these is new. That's the point. The first documented AI-orchestrated campaign didn't rewrite the defender's job description – it cut the time available to do it and widened the set of organisations that need to do it well. The era where mediocre security was protected by attacker scarcity is ending. Plan accordingly, calmly.