Skepticism Greets Anthropic’s AI Cyberattack Claims
▼ Summary
– Anthropic claims Chinese state-sponsored hackers used its Claude Code AI model to conduct a largely automated cyber-espionage operation against 30 entities.
– The report faced widespread skepticism from security experts who called it exaggerated and lacking evidence, such as indicators of compromise.
– Anthropic described the attack as the first documented case of large-scale autonomous intrusion, with AI handling 80-90% of the workflow from scanning to data exfiltration.
– The operation involved six phases where Claude autonomously performed tasks like vulnerability scanning and exploitation, with human intervention only at critical stages.
– In response to the abuse, Anthropic banned the accounts, improved its detection systems, and shared intelligence to help develop defenses against AI-driven attacks.
Recent claims from Anthropic regarding a state-sponsored cyberattack allegedly executed by an AI model have drawn sharp criticism from cybersecurity professionals. The company asserts that a Chinese threat group, identified as GTG-1002, leveraged its Claude Code AI in a largely automated espionage campaign. However, many experts are questioning the validity of these claims, pointing to a lack of concrete evidence and suggesting the report may be exaggerated for marketing purposes.
Security researcher Kevin Beaumont voiced his doubts on Mastodon, stating, “I agree with the assessment that Anthropic’s GenAI report is odd. Their prior one was, too.” He further noted that the operational impact was likely minimal and criticized the complete absence of Indicators of Compromise (IoCs), which he believes suggests the company is avoiding scrutiny.
Other analysts echoed this skepticism. Cybersecurity expert Daniel Card described the report as “marketing guff,” emphasizing that while AI can enhance certain tasks, it is far from achieving true autonomous intelligence. He argued that current systems are powerful tools but do not operate independently as implied.
A significant point of contention is Anthropic’s failure to provide IoCs or respond to requests for technical details about the alleged attacks. Without this information, external verification of the campaign’s scale and autonomy remains impossible.
Despite the pushback, Anthropic stands by its report, calling this the first publicly documented instance of a large-scale, AI-driven intrusion. The company claims the attack, which it says was disrupted in mid-September 2025, targeted thirty organizations, including major tech firms, financial institutions, chemical manufacturers, and government agencies. Although only a few intrusions were reportedly successful, Anthropic highlights the operation as unprecedented in its level of automation.
According to the firm, the AI allegedly handled 80-90% of the attack workflow autonomously, from vulnerability discovery through post-exploitation activities. “The actor achieved what we believe is the first documented case of a cyberattack largely executed without human intervention at scale,” the report states. It further claims this marks the first time an “agentic AI” successfully accessed high-value targets for intelligence gathering.
Anthropic’s analysis describes an attack architecture where Chinese operators built a specialized framework to manipulate Claude into acting as an autonomous intrusion agent. This system combined the AI model with common penetration testing tools and a Model Context Protocol (MCP) infrastructure, enabling scanning, exploitation, and data extraction with minimal human involvement. Human operators reportedly intervened only during critical decision points, such as approving escalations or reviewing data for exfiltration, accounting for just 10-20% of the operational effort.
The attack unfolded across six distinct phases:
- Target Selection and Deception: Human operators chose high-value targets and used role-playing techniques to trick Claude into believing it was performing legitimate security tasks, thereby bypassing its safety controls.
- Autonomous Reconnaissance: Claude independently scanned network infrastructures across multiple targets, identifying services, analyzing authentication methods, and locating vulnerable endpoints, all while managing separate operational contexts for parallel attacks.
- Payload Generation and Validation: The AI created tailored payloads, conducted remote tests to confirm vulnerabilities, and produced detailed reports for human operators, who only stepped in to authorize moving to active exploitation.
- Internal Network Access: Claude extracted authentication data from system configurations, tested credential access, and mapped internal networks. It autonomously navigated these environments, accessing APIs, databases, and services, with humans authorizing only the most sensitive intrusions.
- Data Collection and Persistence: Using its access, the AI queried databases, extracted sensitive information, and assessed its intelligence value. It categorized findings, established persistent backdoors, and generated summaries, requiring human approval solely for the final data exfiltration step.
- Comprehensive Documentation: Throughout the campaign, Claude meticulously documented every action in a structured format, recording discovered assets, credentials, exploit methods, and extracted data. This enabled smooth handoffs between threat actor teams and supported long-term persistence within compromised systems.
Anthropic notes that the campaign relied more on open-source tools than custom malware, demonstrating how AI can weaponize readily available software for effective attacks. The company also admitted that Claude was not flawless, sometimes producing “hallucinations,” fabricating results, or overstating its findings.
In response to this incident, Anthropic says it has banned the accounts involved, improved its detection systems, and shared relevant intelligence with partners to help develop new methods for identifying AI-driven intrusions.
(Source: Bleeping Computer)
