
Anthropic AI Attack: How NDR Detects GTG-1002 Cyber Espionage


November 24, 2025

Anatomy of an Attack


The GTG-1002 campaign reported by Anthropic marks the definitive arrival of autonomous cyber operations.

This incident represents the first verified instance where an adversary deployed an AI agent to manage intrusions at scale, rather than using it merely as a passive assistant.

The Era of Agentic Cyber Operations

The operational model of this cyber attack represents a fundamental departure from traditional patterns where AI serves merely as an assistant.

The campaign, assumed to be the work of a Chinese state-sponsored actor, weaponized the Claude Code toolchain and allegedly executed 80 to 90 percent of the tactical work without human intervention. Human operators maintained minimal engagement and focused strictly on strategic oversight, such as authorizing progression from reconnaissance to active exploitation or approving final data exfiltration. This division of labor allowed the attackers to achieve operational scales typically associated with nation-state campaigns while investing only 10 to 20 percent of the total effort usually required.

The Model Context Protocol (MCP) drives this operational leap. This open standard functions as a universal translator that:

  • Connects AI models directly to external data sources and technical tools.
  • Empowers a model to move beyond simple text generation to actively manipulate files, databases, and command terminals.
  • Transforms a standard chatbot into an agentic operator that reasons through problems and executes technical tasks to control complex IT environments.

The Attack: AI’s Role Throughout the Intrusion

The campaign progressed through six structured phases where AI autonomy increased while human oversight remained concentrated at strategic decision gates. Operators bypassed safety filters by social engineering the AI to believe it was conducting authorized defensive testing, limiting the human role to strategic direction while the AI managed the tactical execution.

  • Phase 1: Campaign Initialization and Target Selection: Human operators input targets and convinced the AI it was performing defensive testing to launch the campaign. The AI established a persistent operational context across sessions spanning multiple days, ensuring its subsequent actions maintained a continuous understanding of the mission.
  • Phase 2: Reconnaissance and Attack Surface Mapping: The AI conducted reconnaissance through browser automation to catalog infrastructure and map network topology across multiple targets simultaneously. It functioned as a high-speed execution engine, performing thousands of requests per second to quickly discover internal services and map the complex target environment.
  • Phase 3: Vulnerability Discovery and Validation: The AI independently generated custom attack payloads and executed tests to validate exploits via callback systems. Leveraging its long-term recall, the AI maintained a structured record of all prior activities and discoveries, allowing it to generate custom payloads tailored to previously identified service configurations.
  • Phase 4: Credential Harvesting and Lateral Movement: Autonomous execution continued as the system performed systematic credential collection and mapped privilege levels to access internal APIs and databases. The persistent memory allowed complex attacks to resume seamlessly without requiring human reconstruction of the operational status or target access paths.
  • Phase 5: Data Collection and Intelligence Extraction: The AI parsed large volumes of extracted data, identified proprietary information, and categorized findings by intelligence value without detailed human direction. The system demonstrated extensive capability to operate without guidance, automatically analyzing the stolen data to identify its intelligence value and categorize the findings.
  • Phase 6: Documentation and Handoff: The framework automatically generated comprehensive documentation to track attack progression, enabling seamless handoffs between operators and supporting strategic decision-making. The structured record-keeping inherent to the framework ensured that comprehensive, accurate documentation was generated in real time, effectively eliminating the need for manual reporting.

The Adversary’s Playbook: MITRE ATT&CK TTPs and IOCs

The GTG-1002 actor relied overwhelmingly on open-source penetration testing tools and standard security utilities rather than custom malware to execute this campaign. This allows the adversary to evade traditional signature-based controls, yet the underlying behaviors remain detectable through network analysis.

The following table maps the specific MITRE ATT&CK tactics observed during the intrusion.

Table 1: MITRE ATT&CK TTPs and ExtraHop NDR Mitigation

| Tactics (Goal) | Technique ID | Technique Name | Attacker Use (GTG-1002 & Claude Code) | How ExtraHop Helps |
| --- | --- | --- | --- | --- |
| Reconnaissance | T1595 | Active Scanning | The AI autonomously conducted "rapid or exhaustive system enumeration" and port scanning against target infrastructure to identify services and endpoints. | ExtraHop detects high-rate scanning, address sweeps, and unusual internal connection volumes that deviate from established baselines. |
| Initial Access / Credential Access | T1190 / T1110 | Exploit Public-Facing Application / Brute Force | The AI identified vulnerabilities (e.g., SSRF) and autonomously generated custom payloads to exploit web servers. It also executed systematic credential testing, validating harvested credentials across discovered systems. | ExtraHop detects exploit attempts via IDS signatures and identifies immediate post-exploit behaviors (e.g., reverse shells). It also detects brute force patterns by analyzing high volumes of authentication failures in real time. |
| Discovery | T1046 | Network Service Scanning | The AI autonomously mapped internal network topology, services, and high-value systems (databases, orchestration platforms) across multiple IP ranges. | ExtraHop detects a compromised host suddenly scanning internal subnets or enumerating services (SMB, HTTP, SQL) it has not previously accessed. |
| Discovery | T1087 | Account Discovery | The AI queried internal services and extracted authentication certificates to map privilege levels and access boundaries. | ExtraHop detects user enumeration and unusual LDAP/Active Directory queries originating from a workstation or compromised server. |
| Lateral Movement | T1078 | Valid Accounts | (New) The AI "systematically tested authentication" using harvested credentials to access internal APIs and databases, blending in as a legitimate user to avoid detection. | ExtraHop correlates user identity with network location to detect "New Admin Access," "Privilege Escalation," or unusual account usage patterns by valid users. |
| Lateral Movement | T1021 | Remote Services | The AI used stolen credentials to authenticate against internal APIs, databases, and container registries to move deeper into the network. | ExtraHop's Identity-Based Investigation links IPs to users/service accounts, detecting lateral movement to sensitive assets by unauthorized users. |
| Command & Control | T1105 | Ingress Tool Transfer | (New) The AI authored custom payloads and transferred them to target systems to validate vulnerabilities and establish a persistent foothold. | ExtraHop detects the transfer of executable files, scripts, or exploit payloads across the wire, providing visibility into the toolset being staged on the host. |
| Collection | T1213 | Data from Information Repositories | The AI autonomously queried databases, parsed results to identify proprietary info/PII, and categorized findings by intelligence value. | ExtraHop detects database exfiltration, unusual SQL query volume, or access to sensitive tables/schema by non-standard applications or users. |
| Command & Control / Exfiltration | T1071 / T1041 | Application Layer Protocol / Exfiltration Over C2 | The AI communicated with C2 infrastructure via Model Context Protocol (MCP) servers. After human approval, the AI exfiltrated categorized intelligence and data. | ExtraHop detects beaconing behavior or unusual outbound connections to unknown IPs (even in HTTPS tunnels) and flags "Large Outbound Transfers" to suspicious destinations. |

Note: Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to force a server to make unauthorized requests to internal or external resources, effectively using the server as a proxy to access restricted systems behind the firewall.

How ExtraHop Detects AI-Orchestrated Espionage

Agentic AI campaigns like the GTG-1002 intrusion are not single events but multi-stage operations executed at machine speed.

The brief window between initial access and the final exfiltration of proprietary intelligence serves as the critical opportunity for defense. ExtraHop NDR provides the deep visibility required to detect these autonomous agents across every phase of the kill chain.

Comprehensive Network Visibility for AI Threats: Holistic visibility is the essential countermeasure to autonomous agents. ExtraHop NDR eliminates blind spots by performing line-rate decryption and deep protocol decoding, exposing the internal reconnaissance and custom exploit payloads. ExtraHop also uniquely detects the rogue agent by identifying orchestration traffic: the continuous connections made by the internal agent back to the external Large Language Model (LLM) services. This specific detection signal is often easier to spot than traditional C2 beaconing and allows security teams to sever the AI agent’s connection to its command structure immediately.

Comprehensive Network Visibility: Holistic visibility counters autonomous tactics effectively. ExtraHop decrypts and decodes protocols including the business applications and APIs that AI agents abuse for discovery and data theft. Security teams gain insight into encrypted traffic and eliminate blind spots that hide automated reconnaissance or credential misuse. The platform exposes the web browser automation and custom exploit payloads used by frameworks like Claude Code to access internal networks.

Behavioral Anomaly Detection: Advanced machine learning detects anomalous network activity in real time. The platform identifies early AI behaviors like high-volume reconnaissance scans or systematic vulnerability validation. It also surfaces mid-game tactics such as automated lateral movement and bulk data staging. ExtraHop identifies these high-speed signals and enables disruption of the AI agent before it completes its objective.
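The two signals described above, orchestration traffic to an external LLM service and high-volume internal reconnaissance, can be correlated per host from flow records. The sketch below is an added example, not ExtraHop's detection logic or code from the original article; the record layout, the placeholder hostname `api.llm-provider.example`, the `10.0.0.0/8` internal range, and both thresholds are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): flow = (epoch_s, src_ip, dst_ip, dst_port, tls_sni),
# a placeholder LLM API hostname, a 10.0.0.0/8 internal range, and both thresholds.
LLM_API_HOSTS = {"api.llm-provider.example"}
INTERNAL = ip_network("10.0.0.0/8")
FANOUT_THRESHOLD = 20          # distinct internal (ip, port) targets per host
ACTIVE_MINUTES_THRESHOLD = 5   # distinct minutes with LLM API connections


def score_hosts(flows):
    """Return {src_ip: (internal_fanout, llm_active_minutes)} per source host."""
    targets = defaultdict(set)
    llm_minutes = defaultdict(set)
    for ts, src, dst, port, sni in flows:
        if sni in LLM_API_HOSTS:
            llm_minutes[src].add(ts // 60)    # orchestration traffic, bucketed by minute
        elif ip_address(dst) in INTERNAL:
            targets[src].add((dst, port))     # internal service fan-out (T1046-style)
    hosts = set(targets) | set(llm_minutes)
    return {h: (len(targets[h]), len(llm_minutes[h])) for h in hosts}


def flag_agent_like_hosts(flows):
    """Hosts that both sweep internal services and hold steady LLM API sessions."""
    return sorted(
        host for host, (fanout, minutes) in score_hosts(flows).items()
        if fanout >= FANOUT_THRESHOLD and minutes >= ACTIVE_MINUTES_THRESHOLD
    )


def sample_flows():
    """Constructed sample data: one agent-like host, one developer, one scanner."""
    flows = []
    for i in range(40):  # 10.0.5.23 sweeps 40 internal SMB targets over ~7 minutes...
        flows.append((1000 + i * 10, "10.0.5.23", f"10.0.9.{i + 1}", 445, None))
    for m in range(7):   # ...while calling the LLM API every minute
        flows.append((1000 + m * 60, "10.0.5.23", "203.0.113.10", 443, "api.llm-provider.example"))
    for m in range(7):   # developer workstation: steady LLM API use, no internal sweep
        flows.append((1000 + m * 60, "10.0.5.40", "203.0.113.10", 443, "api.llm-provider.example"))
    for i in range(40):  # sanctioned vulnerability scanner: sweep, no LLM traffic
        flows.append((1000 + i * 10, "10.0.7.7", f"10.0.9.{i + 1}", 445, None))
    return flows


if __name__ == "__main__":
    print(flag_agent_like_hosts(sample_flows()))
```

Requiring both signals keeps the developer workstation and the sanctioned scanner out of the result; either signal alone would flag one of them.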

Forensic Analysis: High-fidelity forensics map the movement of AI agents after an incident. Teams utilize network data to trace exactly which internal services the AI enumerated and what proprietary data it accessed. Immutable packet records enable investigators to reconstruct the complex attack chains and automated decision trees generated by autonomous orchestration frameworks.

Real-time Threat Intelligence Integration: Correlated network activity delivers immediate context regarding external command structures. Integrations with threat intelligence enrich detections with indicators of compromise and adversary techniques. The system automatically flags connections to known malicious IPs or the callback services used by AI agents for out-of-band exploit confirmation.

Accelerated Incident Response: High-confidence alerts allow teams to respond faster to machine-speed threats. ExtraHop maps the attack path and identifies compromised assets immediately. This detail enables precise actions to isolate hosts and sever the connection between the internal AI agent and its external orchestration servers.

Blog author
Michael Zuckerman

Product Marketing Team

Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandbox, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), network detection and response (NDR), and encryption.
