AI Used as Part of Sophisticated Espionage Campaign

A cybersecurity inflection point has been reached in which AI models has become genuinely useful in cybersecurity operation. But to no surprise, they can used for both good works and ill will. Systemic evaluations show cyber capabilities double in six months, and they have been tracking real-world cyberattacks showing how malicious actors were using AI capabilities. These capabilities were predicted and are expected to evolve, but what stood out for researchers was how quickly they have done so, at scale.

In September, suspicious activity was detected and determined to be a highly sophisticated espionage campaign. The attackers used AI’s agentic capabilities to an unprecedented degree. AI was not just as an advisor, but would execute cyberattacks themselves.

It was determined that the threat actor was a Chinese state-sponsored group manipulated the Claude Code tool into attempting infiltration into roughly 30 global targets and succeeded in a small number of cases. The operation targeted and affected large tech companies, financial institutions, chemical manufacturing companies, and government agencies. Researchers believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention.

Upon detecting this activity, an immediate investigation was launched to understand the scope and nature. Over the following 10 days, researchers mapped the severity and extent of the operation. Banned accounts as they were identified, notified affected entities as appropriate, and coordinated with authorities as we gathered actionable intelligence.

This campaign has substantial implications for cybersecurity in the age of AI “agents”—systems that can be run autonomously for long periods of time and that complete complex tasks largely independent of human intervention. Agents are valuable for everyday work and productivity—but in the wrong hands, they can substantially increase the viability of large-scale cyberattacks.

These attacks grow in their effectiveness. To keep pace with this rapidly-advancing threat, researchers have expanded detection capabilities and developed better classifiers to flag malicious activity. Researchers are continually working on new methods of investigating and detecting large-scale, distributed attacks like this one.

The case is being share publicly, and in the meantime, it is meant to help workers in industry, government and the wider research community strengthen their own cyber defenses. We’ll continue to release reports like this regularly and be transparent about the identified threats.

About the Author

Ralph C. Jensen is the Publisher/Editor in chief of Security Today magazine.

Featured

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • Cover image for IDP ProCare

    IDP ProCare™ Premium Support Program

    Minimize downtime and secure uninterrupted credential production with priority technical support, overnight advanced unit replacements, and proactive system health reviews.

  • ADI Control4 product image

    ADI Control4® X4 & Control4® Connect

    Drive long-term system value and reduce post-installation friction with a visually redesigned control interface paired with a secure, future-ready smart service framework.