GTG-1002 — First Reported AI-Orchestrated Cyber Espionage Campaign

The first publicly disclosed APT-class campaign in which an AI agent — rather than a human operator — drove the majority of tactical operations. Disclosed by Anthropic in November 2025; attributed to a PRC-nexus state-sponsored group; mid-September 2025 activity window; ~30 organizations targeted.

What happened

The attacker operated multiple instances of Claude Code as autonomous penetration-testing orchestrators and agents. From the Anthropic disclosure: “the threat actor [was] able to leverage AI to execute 80–90% of tactical operations independently.” Targets spanned technology, finance, chemical, and government sectors across multiple countries. The campaign was disrupted by Anthropic’s abuse classifiers and Trust & Safety response.

Why it matters

Until GTG-1002, AI-orchestrated intrusion was a thought experiment in MITRE ATLAS adversary-emulation playbooks. After GTG-1002 it is a documented production threat. The campaign closes the empirical-validation gap on multiple long-standing concerns:

  • Capability scaling: a single human operator coordinated ~30 simultaneous targets via AI orchestration — workforce-multiplication that classical APTs could not sustain.
  • Time compression: tasks that previously took an APT operator days were collapsed into hours of agent execution.
  • Adaptive behavior: the agent adjusted its technique selection mid-campaign in response to defender actions.

This is the canonical reference incident for Class 2 (long-running adaptive adversarial campaigns) in the wiki’s expanded threat model. It also operationalizes UK AISI’s prediction that “the length of cyber tasks that models can complete unassisted is doubling roughly every eight months.”

Defensive lessons

  • Vendor-side controls disrupted the campaign. Anthropic’s abuse classifiers caught the agent activity. Customer-side controls would not have been sufficient on their own — model-vendor threat-intel sharing is now load-bearing for enterprise defenders.
  • Behavioral baselines on agent tool-call patterns are the customer-side counterpart. An agent making 30 simultaneous reconnaissance-shaped tool calls looks different from a human operator’s pattern.
  • Cross-version eval continuity matters because the attacker can probe across model versions to find which one allows the operation.
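The behavioral-baseline point above, as an added example that is not from the Anthropic disclosure or this wiki: a small Python detector that flags a session whose reconnaissance-shaped tool calls fan out across more distinct targets in a short window than a human-operator baseline allows. The log fields, tool names, window and threshold are assumptions.

```python
"""Flag sessions whose tool-call fan-out exceeds a human-operator baseline.

Constructed example: log lines are JSON objects with the fields
session, ts (epoch seconds), tool and target. The tool names and the
thresholds below are assumptions, not values from the GTG-1002 report.
"""
import json
from collections import defaultdict

# Tools whose calls are "reconnaissance-shaped" (assumed names).
RECON_TOOLS = {"port_scan", "http_fetch", "dns_lookup", "whois"}

def parse_log(text):
    """Parse JSON-lines tool-call records; skip malformed lines rather than crash."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            records.append((rec["session"], float(rec["ts"]), rec["tool"], rec["target"]))
        except (ValueError, KeyError):
            continue  # malformed record: ignore it, but keep scanning the rest
    return records

def flag_fanout(records, window=60.0, max_targets=5):
    """Return {session: peak distinct recon targets in any `window`-second span}
    for sessions whose peak exceeds max_targets (the assumed human baseline)."""
    by_session = defaultdict(list)
    for session, ts, tool, target in records:
        if tool in RECON_TOOLS:
            by_session[session].append((ts, target))
    flagged = {}
    for session, calls in by_session.items():
        calls.sort()
        peak = 0
        for i, (start, _) in enumerate(calls):
            targets = {t for ts, t in calls[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak > max_targets:
            flagged[session] = peak
    return flagged

# Constructed sample: a human operator touching two hosts over several minutes,
# and an orchestrator session fanning out across 30 hosts in a few seconds.
SAMPLE_LOG = "\n".join(
    [f'{{"session":"human-1","ts":{100+i*90},"tool":"port_scan","target":"10.0.0.{1+i%2}"}}' for i in range(6)]
    + [f'{{"session":"agent-7","ts":{500+i},"tool":"http_fetch","target":"10.0.1.{i}"}}' for i in range(30)]
    + ['{"session":"agent-7","ts":531,"tool":"write_file","target":"/tmp/notes"}', "not json"]
)

if __name__ == "__main__":
    print(flag_fanout(parse_log(SAMPLE_LOG)))  # {'agent-7': 30}
```

The human session peaks at one distinct target per minute and is never flagged; the agent session peaks at 30 and is.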

Mapping

  • Threat class: Class 2 — Long-running adaptive adversarial campaigns
  • OWASP ASI: ASI02 (Tool Misuse), ASI10 (Rogue Agents)
  • MITRE ATLAS: adversary-emulation lineage
  • CMM domains affected: D4 Runtime & Guardrails, D5 Egress & Network, D7 Observability & Detection, D9 Operations & Human Factors

Source

Disrupting the first reported AI-orchestrated cyber espionage campaign — Anthropic, November 2025.

See Also