Anthropic this week disclosed a state-sponsored espionage campaign attributed to the group GTG-1002. The attackers used Anthropic’s agentic coding tool, Claude Code, to conduct reconnaissance and data exfiltration across roughly 30 organizations worldwide. In this operation, an autonomous coding agent executed most of the kill chain with minimal human oversight.
This incident is evidence that commercial AI can now function as attack infrastructure. It shows that agentic workflows are powerful enough to execute attacks yet brittle enough to be subverted by social engineering. The shift from models that suggest content to agents that execute actions introduces risks far more severe than those posed by simple chatbots, and organizations are connecting autonomous agents to internal networks without adequate controls.
The Mechanics of Persona Adoption
The attackers used social engineering against the underlying model rather than exploiting software vulnerabilities. By adopting a deceptive persona and telling the coding agent it was conducting a “defensive cybersecurity testing” exercise, they bypassed the model’s built-in safety protections. The model accepted this fabricated context and executed malicious commands as authorized tasks.
Once the agent accepted the persona, it operated with high autonomy. Reports indicate the agent completed 80% to 90% of the attack sequence without human intervention, making thousands of requests at peak intensity. This tempo matters not just for efficiency: it lets attackers scale operations far beyond the physical limits of human operators, overwhelming manual defensive monitoring teams.
The attackers leveraged custom malicious Model Context Protocol (MCP) servers to interface with the target environment. These servers acted as wrappers for standard open-source penetration testing utilities (such as network scanners and password crackers) and browser automation tools for web reconnaissance. This architecture allowed the AI agent to autonomously drive commodity hacking tools to harvest credentials and map networks.
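To make the pattern concrete, here is a minimal sketch (with illustrative names; this is not the attackers’ actual code) of how an MCP-style server can expose a commodity scanner behind a generic tool-call interface that an agent drives autonomously:

```python
import subprocess
from dataclasses import dataclass
from typing import Callable

@dataclass
class Tool:
    name: str
    description: str
    run: Callable[[dict], str]

def port_scan(args: dict) -> str:
    # Wraps a standard scanner binary; the agent sees only a tool
    # schema (name, description, arguments), not the command line.
    cmd = ["nmap", "-Pn", "-p", args.get("ports", "1-1024"), args["host"]]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

# Registry of tools the server advertises to the agent.
REGISTRY = {
    t.name: t
    for t in [Tool("port_scan", "Scan TCP ports on a host", port_scan)]
}

def handle_tool_call(name: str, args: dict) -> str:
    # The dispatch surface: the agent picks a tool by name and
    # supplies arguments; the server runs the underlying utility.
    tool = REGISTRY.get(name)
    if tool is None:
        raise KeyError(f"unknown tool: {name}")
    return tool.run(args)
```

The point of the wrapper is that the agent never needs to understand the underlying binary; it simply issues structured tool calls, which is what lets commodity utilities be chained at machine speed.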
The Architecture of Autonomous Attacks
The attackers did not merely interact with the model; they embedded it within a custom autonomous attack framework. This infrastructure utilized Claude Code as a central orchestration engine to manage the operation. The framework broke broad objectives into discrete technical tasks, such as enumerating services, validating exploits, or parsing database schemas, which the agent executed sequentially.
This architecture is what enabled the agent to complete the bulk of the tactical work without human intervention. The framework maintained operational state across multiple sessions, allowing the agent to parse large volumes of data and identify high-value targets independently. By automating the decision loop, the attackers turned standard open-source security tools into a coordinated weapon, operating at a velocity that outpaces manual defensive response.
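A hedged sketch of such an orchestration loop, assuming illustrative task names and a simple JSON file for cross-session state (the real framework’s internals are not public):

```python
import json
from pathlib import Path

STATE_FILE = Path("campaign_state.json")

def load_state() -> dict:
    # Resume from persisted state if a prior session left one behind.
    if STATE_FILE.exists():
        return json.loads(STATE_FILE.read_text())
    return {"queue": ["enumerate_services", "validate_exploits",
                      "parse_schemas"], "done": []}

def run_task(task: str) -> str:
    # Placeholder for dispatching one discrete task to the agent.
    return f"completed:{task}"

def step(state: dict) -> dict:
    # Execute the next queued task and checkpoint the result, so a
    # later session can pick up exactly where this one stopped.
    if state["queue"]:
        task = state["queue"].pop(0)
        state["done"].append(run_task(task))
        STATE_FILE.write_text(json.dumps(state))
    return state

state = load_state()
while state["queue"]:
    state = step(state)
```

The loop itself is trivial; the leverage comes from the decomposition, since each small task looks individually benign to the model executing it.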
The Crisis of Identity: A Supercharged Insider
This campaign highlights a critical failure mode: the “Unauthenticated Workforce.” The danger is not just that agents lack distinct identities; it is that they inherit the full, persistent permissions of the developer. An AI coding assistant running in a local environment typically has read/write access to source code repositories, deployment rights to CI/CD pipelines, and connectivity to internal databases.
The GTG-1002 attack demonstrated that the agent operates from within the perimeter using these valid entitlements. It did not need to hack the network; it simply used the keys it already held. From a system perspective, the malicious database queries and repository clones executed by Claude Code were indistinguishable from legitimate work.
Requirements for Agent Defense
Organizations deploying agentic workflows must update their AI security and governance strategies to address these new vectors of attack.
1. Solve the Crisis of Identity. Security leaders must transition to a model of ephemeral, task-scoped credentials. Instead of holding persistent access, agents should receive temporary tokens scoped to specific jobs. This gives each agent a distinct, auditable non-human identity and enforces least privilege.
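A minimal sketch of ephemeral, task-scoped credentials; the function names and in-memory token store are illustrative, not a specific product API:

```python
import secrets
import time

# Illustrative in-memory token store; production systems would use a
# secrets manager or STS-style issuer instead.
TOKENS: dict[str, dict] = {}

def issue_token(agent_id: str, scope: set[str], ttl_s: int = 300) -> str:
    # Each task gets its own short-lived token bound to a narrow scope,
    # giving the agent a distinct, auditable non-human identity.
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"agent": agent_id, "scope": scope,
                     "expires": time.time() + ttl_s}
    return token

def authorize(token: str, action: str) -> bool:
    # Deny by default: unknown or expired tokens fail, and a valid
    # token only permits actions inside its declared scope.
    entry = TOKENS.get(token)
    if entry is None or time.time() > entry["expires"]:
        return False
    return action in entry["scope"]

t = issue_token("agent-42", {"repo:read"}, ttl_s=60)
```

Because every token names its agent and scope, audit logs can attribute each action to a specific non-human identity rather than to the developer’s standing credentials.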
2. Secure the Communication Fabric (MCP). Attackers in the GTG-1002 campaign used the Model Context Protocol (MCP) to wrap malicious tools and execute remote commands. This creates the risk of “Trojan Tools,” where attackers hide malicious capabilities behind innocent-sounding tool descriptions to deceive the agent or user. Security architectures must include a dedicated runtime layer that inspects all AI inputs and outputs in real time, securing the pathways between agents and external systems and blocking attempts to communicate with unregistered or malicious server endpoints.
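One piece of that runtime layer can be a deny-by-default endpoint gate. A minimal sketch, assuming a hypothetical registry of approved MCP hosts:

```python
from urllib.parse import urlparse

# Hypothetical registry of vetted MCP server hosts.
APPROVED_MCP_SERVERS = {"mcp.internal.example.com"}

def is_allowed_endpoint(url: str) -> bool:
    # Deny by default: only registered hosts reached over TLS pass,
    # so an agent cannot be steered to an unregistered server.
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in APPROVED_MCP_SERVERS
```

A real deployment would pair this with payload inspection, but even a simple host allowlist would have forced the GTG-1002 operators to register their malicious servers before any agent could reach them.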
3. Establish Cognitive Observability. Traditional logging is insufficient for autonomous systems that generate thousands of low-fidelity alerts. Security teams need visibility into the agent’s “cognitive chain” to understand the why behind each action. That visibility is critical for detecting when an agent’s intent shifts from legitimate coding to unauthorized reconnaissance, and it lets defenders reconstruct the decision process to determine whether an action was driven by poisoned data or a manipulated context.
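A hedged sketch of such a decision trace: each tool call is logged together with the agent’s stated rationale so defenders can later search for intent shifts. All names are illustrative:

```python
import time

# Append-only trace of agent decisions; real systems would ship this
# to a SIEM rather than keep it in memory.
TRACE: list[dict] = []

def record_step(session: str, tool: str, rationale: str, inputs: dict) -> None:
    # Capture not just WHAT the agent did but WHY it said it was
    # doing it, so the decision chain can be reconstructed later.
    TRACE.append({
        "ts": time.time(),
        "session": session,
        "tool": tool,
        "rationale": rationale,
        "inputs": inputs,
    })

def flagged_steps(keywords: set[str]) -> list[dict]:
    # Crude intent-shift detector: surface steps whose stated
    # rationale reads like reconnaissance rather than coding.
    return [s for s in TRACE
            if any(k in s["rationale"].lower() for k in keywords)]
```

Keyword matching is deliberately simplistic here; the design point is that the rationale field exists at all, so that any detector, simple or model-based, has intent to work with.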
4. Implement Active Runtime Defense. Because human teams cannot react to machine-speed attacks executing multiple operations per second, organizations need an automated “braking system” for autonomous processes: in-line controls that intercept an agent’s proposed actions before execution. If an agent attempts a transaction that violates business logic or exhibits behavior consistent with mass data exfiltration, the system must block the action in real time, without waiting for human intervention.
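A minimal sketch of such an in-line gate; the thresholds, field names, and blocked verbs are illustrative:

```python
# Illustrative policy knobs for the braking system.
MAX_ROWS_PER_QUERY = 10_000
BLOCKED_VERBS = {"DROP", "TRUNCATE"}

def vet_action(action: dict) -> bool:
    # Returns True only if the proposed action may proceed. Deny on
    # destructive SQL verbs or bulk-exfiltration-sized reads.
    if action.get("type") == "sql":
        stmt = action["statement"].upper()
        if any(v in stmt for v in BLOCKED_VERBS):
            return False
        if action.get("estimated_rows", 0) > MAX_ROWS_PER_QUERY:
            return False
    return True

def execute(action: dict, runner) -> str:
    # The brake sits in-line: the action is vetted BEFORE the runner
    # ever sees it, so blocking happens at machine speed.
    if not vet_action(action):
        return "blocked"
    return runner(action)
```

The key design choice is placement: the check wraps the execution path itself, so a malicious action is stopped before it runs rather than merely alerted on afterward.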
Scaling Security Beyond the Agent: The Unified Control Plane
Autonomous agents represent the newest and fastest threat vector, yet they remain just one component of a sprawling modern AI attack surface. The GTG-1002 campaign exposes the broader strategic risk of governance fragmentation.
Effective AI security requires organizations to govern four distinct pillars of activity simultaneously:
- Employees: The human workforce utilizing generative tools for productivity (Shadow AI).
- Applications: Embedded AI features and chatbots interacting with customers.
- Models: Proprietary models requiring protection from theft and poisoning.
- Autonomous Agents: The new digital workforce operating with privileged access.
Currently, organizations address these pillars with disconnected point solutions. They deploy DLP for employees, distinct scanners for models, and separate runtime tools for applications. This siloed approach creates dangerous visibility gaps; you cannot enforce a unified policy if your employee governance tool cannot see the traffic generated by your autonomous agents.
To scale safely, enterprises require a unified security, governance, and control plane for enterprise AI. This architecture allows security teams to define a policy once, such as “Prevent PII Exfiltration,” and enforce it universally across every employee, model, application, and agent in the ecosystem.
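A hedged sketch of the define-once, enforce-everywhere idea; the PII pattern and channel names are illustrative:

```python
import re

# One policy definition, e.g. "Prevent PII Exfiltration". The single
# pattern here (US SSN shape) is illustrative only.
PII_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]

def violates_pii_policy(payload: str) -> bool:
    return any(p.search(payload) for p in PII_PATTERNS)

def enforce(channel: str, payload: str) -> str:
    # The same rule applies regardless of which pillar generated the
    # traffic: employee prompt, application response, model output,
    # or agent tool call.
    assert channel in {"employee", "application", "model", "agent"}
    return "block" if violates_pii_policy(payload) else "allow"
```

The contrast with siloed tooling is that the policy lives in one place; adding a fifth channel means adding a name to a set, not deploying a new point solution.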
Architecting Trust for the Autonomous Enterprise
The GTG-1002 campaign is not just a wake-up call; it is proof that in the age of autonomous agents, security cannot remain blind to context. The attackers succeeded not by breaking encryption or exploiting zero-days, but by weaponizing intent to warp a helpful tool into a relentless insider threat. Organizations must embed deep, intent-based understanding into a single unified control plane: the essential defense capable of distinguishing a developer’s legitimate work from an agent’s rogue behavior across the entire attack surface.
We have codified this strategic thinking in our comprehensive whitepaper, Beyond the Prompt: Architecting Trust for Autonomous AI Agents.