Anthropic’s recent disclosure of the GTG-1002 campaign marks a pivotal moment in the cyber threat landscape. For the first time, a commercially available AI system reportedly executed the majority of a complex cyber espionage operation. This real-world example of AI moving from assistant to operator raises urgent questions for organisations about resilience, governance and defence.

AI as an operator: the GTG-1002 campaign

In September 2025, the US artificial intelligence company Anthropic detected a nation state-linked group using its Claude Code agentic coding tool to run a large-scale cyber espionage campaign. Roughly 30 organisations across multiple sectors were targeted. According to Anthropic, AI executed roughly 80–90% of the attack chain, with humans reportedly providing only high-level guidance and oversight rather than hands-on tradecraft.

The techniques were familiar – reconnaissance, living off the land, lateral movement, data exfiltration – but the orchestration model was not. Instead of a team of operators working system by system and tool by tool, an AI agent chained together tools, adapted to the target network environment and iterated in near real time. This operation demonstrates that commercially available, general-purpose AI can now shoulder most of the labour of an advanced persistent threat (APT) grade operation. Despite occasional hallucinations requiring human correction, the potential for radical efficiency gains for threat actors is clear.

Industrialisation of espionage

Historically, complex cyber espionage campaigns have been constrained by human capital. Running multi-year, multi-target operations required teams with significant resources and diverse skills, from targeting through to intrusion, malware development, operational security and data analysis. Agentic AI has lowered that barrier. Now, a small group of skilled individuals can direct scalable, synthetic operators that execute large parts of the kill chain on demand. Anthropic’s previous threat report already documented a criminal actor using Claude Code to automate rapid reconnaissance, credential theft and penetration across at least 17 organisations for data extortion. Although challenges persist in fully automating cyber operations, the speed and scale afforded by existing commercial AI models are unprecedented.

As the marginal cost of running campaigns, testing exploits and tasking operators moves towards near-zero with agentic AI, the prevalence of APT-level operations will soar. Several recent government assessments echo this current trajectory: the UK’s National Cyber Security Centre (NCSC) has warned that AI services lower barriers to entry, increase the number of capable actors and boost the scale and speed of attacks.

OODA loop disparity

The OODA loop – Observe, Orient, Decide, Act – has become shorthand in military and cyber circles, defining the race to respond faster than your adversary. Agentic AI tilts that race. Systems like Claude Code can execute thousands of tasks – scans, queries, code generation, configuration changes – in the time a human analyst can run a handful of commands. Anthropic’s extortion case and GTG-1002 illustrate a new reality in the threat landscape. Once primed, AI agents rapidly enumerated assets, tested vulnerabilities, harvested credentials and proposed next steps, while humans mostly adjusted prompts and reviewed outputs.

Real-world attacks are still bound by network latency and tool speed, and defenders are integrating AI into detection and response. But a structural asymmetry persists: attackers can tolerate trial and error; defenders cannot. If one AI-driven exploit attempt fails, the cost to the attacker is trivial. If a defender’s AI system misclassifies a critical incident, the cost can be catastrophic. Unless defensive systems evolve beyond AI-assisted tickets to autonomous triage, containment and playbook execution, their OODA loops risk being outpaced.

The insider is software

Perhaps the most concerning detail in the GTG-1002 case was its obfuscation. By integrating Claude Code with the Model Context Protocol (MCP) – an open standard that lets AI agents call external tools and data sources as if they were native – the attackers made their agent operate almost exactly like a legitimate developer or administrator. There were no malicious binaries or noisy malware, just commands issued through legitimate, often privileged interfaces using standard utilities.

To a traditional Security Operations Centre (SOC), much of this traffic looks like routine activity or defensive testing, exposing a known blind spot in defensive architecture. Most security systems are optimised to catch anomalous code, suspicious processes or unusual network flows. They are far less mature at detecting anomalous intent. This blind spot, which has long been exploited by living-off-the-land techniques, is now automated.

Security researchers have already flagged design risks in MCP and similar frameworks; GTG-1002 demonstrates that these risks are real. In this sense, the insider many organisations need to worry about is not only a disgruntled employee, but a highly privileged agent making credible-looking decisions at machine speed.

From hallucination to polymorphic operations

For now, the limitations of current models available to threat actors maintain some barriers to the full democratisation of the capability. Anthropic noted that in GTG-1002, Claude hallucinated, misinterpreted context and at times made flawed decisions. This helped limit the campaign’s impact, as human operators had to step in to correct course.

However, leaders should see this friction as temporary. Research already shows large language models (LLMs) generating polymorphic malware, adaptive phishing content and obfuscated scripts designed to evade static detection. As models improve at self-correction, tool-use and multi-step planning, the hallucinations of today will give way to deliberate, systemic exploration and adaptive probing of attack surfaces.

Future agents are likely to:

  • Continuously adjust their tooling and infrastructure to evade detection
  • Optimise attack paths in response to defensive signals
  • Target not only software vulnerabilities but also the decision-making parameters of defensive AI

When that happens, the contest shifts from code-versus-code to logic-versus-logic: adversarial interaction between autonomous systems, each trying to shape the other’s behaviour.

Planning for an agent-saturated landscape

GTG-1002 is not the first reported AI-assisted attack, but it marks a turning point. A state-linked group, using an off-the-shelf frontier model, orchestrated a multi-target espionage campaign in which AI executed most of the work. This, alongside Anthropic’s earlier disruption of a fully AI-orchestrated extortion operation, suggests that agentic capabilities are already embedded in both state and criminal tradecraft. 

For organisations, the implication is clear: AI can no longer be treated solely as a productivity or efficiency tool. Deployed at scale, AI systems become semi-autonomous actors with their own attack surfaces, failure modes and misuse scenarios. They demand the same level of threat modelling, red teaming and governance that an organisation would apply to any privileged insider.

Equally, defending against agentic threats will require more than refined playbooks and more staff in the SOC. It will require building:

  • Defensive agents capable of monitoring, challenging and, when necessary, overriding other agents’ actions
  • Architectures that minimise damage radius when an agent is subverted or makes a bad decision
  • Governance frameworks that define what agents are allowed to do, under which identities, and with which audit trails
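The governance and override points above can be made concrete with a small sketch. This is an added example, not code from the article or from any product it mentions: a default-deny gate that sits between agents and their tools, decides per identity, holds back high-risk calls until someone approves them, and writes a hash-chained audit trail. The identities, tool names and policy layout are hypothetical.

```python
import hashlib
import json

# Hypothetical policy: tools each agent identity may call, and which of those
# need sign-off from a human or supervising agent before they run.
POLICY = {
    "svc-build-agent": {"allow": {"read_repo", "run_tests"}, "approve": set()},
    "svc-ops-agent": {"allow": {"read_logs", "restart_service", "rotate_secret"},
                      "approve": {"rotate_secret"}},
}
GENESIS = "0" * 64  # "previous hash" value used for the first audit record


def _digest(record):
    """Stable SHA-256 over a record (keys sorted so the hash is reproducible)."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AgentGate:
    """Default-deny gate between agents and tools, with a tamper-evident log."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []
        self._prev = GENESIS

    def _record(self, identity, tool, args, approved_by, decision):
        entry = {"identity": identity, "tool": tool, "args": args,
                 "approved_by": approved_by, "decision": decision,
                 "prev": self._prev}
        entry["hash"] = self._prev = _digest(entry)  # chain to the prior record
        self.audit.append(entry)
        return decision

    def authorize(self, identity, tool, args, approved_by=None):
        rules = self.policy.get(identity)
        if rules is None or tool not in rules["allow"]:
            decision = "deny"              # unknown identity or unlisted tool
        elif tool in rules["approve"] and approved_by is None:
            decision = "needs_approval"    # held until an approver is named
        else:
            decision = "allow"
        return self._record(identity, tool, args, approved_by, decision)

    def verify_audit(self):
        """Recompute the chain; any edited or removed record breaks it."""
        prev = GENESIS
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True
```

Denied and held requests are logged as well as allowed ones, so the trail shows what an agent attempted, not only what it was permitted to do.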

In the coming years, the most resilient organisations will be those that can field good agents – aligned, supervised and embedded in resilient architectures – to contest hostile ones. Human judgment will remain critical, but increasingly through the design, deployment and control of agents acting on our behalf.
