AI Incident Database

Report 6671

Associated Incidents

Incident 126334 Report
Chinese State-Linked Operator (GTG-1002) Reportedly Uses Claude Code for Autonomous Cyber Espionage

Chinese hackers used Anthropic's AI agent to automate spying
axios.com · 2025

Suspected Chinese operators used Anthropic's AI coding tool to target about 30 global organizations --- and had success in several cases, the company said Thursday.

Why it matters: This is the first documented case of a foreign government using AI to fully automate a cyber operation, Anthropic warned.

  • Anthropic said the campaign relied on Claude's agentic capabilities, or the model's ability to take autonomous action across multiple steps with minimal human direction.

The big picture: The dam is breaking on state hackers using AI to speed up and scale digital attacks.

  • Earlier this month, Google said Russian military hackers used an AI model to help generate malware for targeting Ukrainian entities. But that required human operators to prompt the model step by step.
  • In this new case, Claude Code carried out 80-90% of the operation on its own, Anthropic said.

Zoom in: In a blog post Thursday, Anthropic said it spotted suspected Chinese state-sponsored hackers jailbreaking Claude Code to help breach dozens of tech companies, financial institutions, chemical manufacturers, and government agencies.

  • The company first detected the activity in mid-September and investigated over the following 10 days.
  • It banned the malicious accounts, alerted targeted organizations, and shared findings with authorities during that time period.
  • A spokesperson for the Chinese embassy in the U.S. said in a statement that China "firmly opposes and cracks down on all forms of cyberattacks in accordance with law."
  • "We oppose groundless attacks and slanders against China," the spokesperson added. "We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations."

How it worked: The attackers tricked Claude into thinking it was performing defensive cybersecurity tasks for a legitimate company. They also broke down malicious requests into smaller, less suspicious tasks to avoid triggering its guardrails.

  • Once jailbroken, Claude inspected target systems, scanned for high-value databases, and wrote custom exploit code.

  • Claude also harvested usernames and passwords to access sensitive data, then summarized its work in detailed post-operation reports, including credentials it used, the backdoors it created and which systems were breached.

  • "The highest-privilege accounts were identified, backdoors were created, and data were exfiltrated with minimal human supervision," Anthropic said in its blog post.

Threat level: As many as four of the suspected Chinese attacks successfully breached organizations, Jacob Klein, Anthropic's head of threat intelligence, told the Wall Street Journal.

  • "The AI made thousands of requests per second --- an attack speed that would have been, for human hackers, simply impossible to match," the company said in its blog post.

Yes, but: Claude wasn't perfect. It hallucinated some login credentials and claimed it stole a secret document that was already public.

What to watch: This is likely just the beginning, cybersecurity experts have warned.

  • Anthropic said it's strengthening its detection tools and warned that similar techniques could be used by less sophisticated threat actors going forward.

Go deeper: Anthropic pits Claude AI model against human hackers
