AI firm claims Chinese spies used its tech to automate cyber attacks
11-17-2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, November 17, 2025, and while I’m really, really trying not to make a habit out of it, we’re going to have to talk about AI and cybersecurity again this week, but with a twist.
Before we dive into the specifics, I do think this is emblematic of many (most?) industries right now - struggling to contextualize exactly how and when AI might impact them, and careening from one FUD-based article to the next.
I’m going to continue my attempts at tempering the Fear, Uncertainty, and Doubt, and focusing on the things that I think we should be focusing on instead.
But first: what a headline.
AI firm claims Chinese spies used its tech to automate cyber attacks
Seemingly taking up nearly all of the cyber oxygen last week was a report by AI company Anthropic, makers of Claude, that they “caught hackers sponsored by the Chinese government using the tool to perform automated cyber attacks against around 30 global organisations.”
The actual headline from Anthropic is even more sensational, titled “Disrupting the first reported AI-orchestrated cyber espionage campaign.”
The post itself is quite detailed, but essentially lays out exactly the steps you’d take to both bypass the safety protocols baked into public LLM models and carry out a cyber attack. They broke it down into stages: identify the target, scan for weaknesses, capture credentials, move laterally, elevate privileges, and ultimately identify and exfiltrate sensitive data.
Notably, however, the attack used a framework leveraging Model Context Protocol servers (or MCPs) that were developed with a significant amount of human effort and expertise in cyber attacks.
But, importantly, the attackers here kept the human in the loop - and the model also hallucinated:
“An important limitation emerged during investigation: Claude frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn’t work or identifying critical discoveries that proved to be publicly available information. This AI hallucination in offensive security contexts presented challenges for the actor’s operational effectiveness, requiring careful validation of all claimed results. This remains an obstacle to fully autonomous cyberattacks.”
Still, the lead of Anthropic’s threat intelligence team had this to say:
“I think what’s occurring here is that the human operator is able to scale themselves fairly dramatically,” Klein said. “We think it would have taken a team of about 10 folks to conduct this sort of work, but you still need a human operator. That’s why we said it’s not fully automatic or fully agentic.”
Coverage from Ars Technica notes “Another reason the results aren’t as impressive as they’re made out to be: The threat actors—which Anthropic tracks as GTG-1002—targeted at least 30 organizations, including major technology corporations and government agencies. Of those, only a “small number” of the attacks succeeded. That, in turn, raises questions. Even assuming so much human interaction was eliminated from the process, what good is that when the success rate is so low? Would the number of successes have increased if the attackers had used more traditional, human-involved methods?”
While it would be tempting to ask why, exactly, Chinese threat actors used an American model like Claude when plenty of powerful, open-source models built in China are available, that question is perhaps less important than pairing this advance in orchestration and significant acceleration of human capability with the pace at which new vulnerabilities are being exploited.
Coverage from The Hacker News now claims that more than half of the newly discovered vulnerabilities in the CISA KEV - or Known Exploited Vulnerabilities catalog - are weaponized within 48 hours.
Pair this with the automation that LLMs are offering attackers, and the real focus we need to have is ramping up our ability to respond. Can you patch as fast as they can weaponize? Because that’s essentially the race condition that we’re facing today - and the advantage absolutely lies with the attackers.
So, as usual here on this show, let’s focus on the basics: inventory and patching capabilities, strong controls around identities and the edges of our networks, and thinking about how we can continue to make it harder for exploits like these to take down our environments.
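One concrete way to measure the race described above, as an added example that is not part of the episode or of any of the linked articles: a short Python check that matches an asset inventory against the CISA KEV feed layout and reports, per exposed host, whether the patch landed before CISA’s due date and inside the 48-hour weaponization window the episode cites. The per-entry keys (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the real KEV JSON; the CVE numbers, vendors, hosts and dates are constructed for the example, as is the inventory format.

```python
"""Compare an asset inventory against the CISA KEV catalog format.

For each host whose vendor/product appears in KEV, report whether it is still
exposed, whether it is past CISA's due date, and whether the patch landed inside
the 48-hour weaponization window quoted in the episode. Added example code: the
feed shape mirrors the real KEV JSON, but every CVE number, vendor, host and
date below is constructed for illustration."""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Figure quoted in the episode: over half of new KEV entries are weaponized within 48 hours.
WEAPONIZATION_WINDOW = timedelta(hours=48)

# Constructed stand-in for the KEV feed (same top-level and per-entry keys as the real
# known_exploited_vulnerabilities.json; descriptive fields omitted because they are not read here).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.11.17",
    "dateReleased": "2025-11-17T12:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2025-11-14", "dueDate": "2025-11-21", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-00002", "vendorProject": "ExampleVendor", "product": "MailServer",
         "dateAdded": "2025-11-10", "dueDate": "2025-11-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-00003", "vendorProject": "OtherVendor", "product": "Firewall",
         "dateAdded": "2025-11-03", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-00004", "vendorProject": "OtherVendor", "product": "Database",
         "dateAdded": "2025-11-01", "dueDate": "2025-11-15", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed inventory: vendor/product as the asset system records them, plus the date the
# relevant patch was applied (None = still unpatched). "wiki-01" has no KEV entry at all.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVendor", "product": "EdgeGateway", "patched_on": None},
    {"host": "mail-01", "vendor": "ExampleVendor", "product": "MailServer", "patched_on": "2025-11-11"},
    {"host": "fw-02", "vendor": "OtherVendor", "product": "Firewall", "patched_on": "2025-11-16"},
    {"host": "db-01", "vendor": "OtherVendor", "product": "Database", "patched_on": None},
    {"host": "wiki-01", "vendor": "SomeVendor", "product": "Wiki", "patched_on": None},
]

# Lower number = more urgent; used to order the report.
URGENCY = {"overdue": 0, "open": 1, "patched_late": 2, "patched": 3}


@dataclass
class Finding:
    host: str
    cve: str
    status: str                      # overdue | open | patched_late | patched
    exposure_days: int               # days from KEV dateAdded until patch (or until today)
    beat_weaponization_window: bool  # exposure closed within 48 hours of the KEV listing
    ransomware: bool                 # KEV flags known ransomware campaign use


def load_kev(feed_text: str) -> list[dict]:
    """Parse the KEV feed and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def assess(entry: dict, asset: dict, today: date) -> Finding:
    """Classify one asset against one matching KEV entry."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    patched = date.fromisoformat(asset["patched_on"]) if asset["patched_on"] else None
    if patched is not None:
        # A patch applied before the KEV listing counts as zero exposure, not negative.
        exposure = max(patched - added, timedelta(0))
        status = "patched" if patched <= due else "patched_late"
    else:
        exposure = today - added
        status = "overdue" if today > due else "open"
    return Finding(
        host=asset["host"],
        cve=entry["cveID"],
        status=status,
        exposure_days=exposure.days,
        beat_weaponization_window=exposure <= WEAPONIZATION_WINDOW,
        ransomware=entry["knownRansomwareCampaignUse"].lower() == "known",
    )


def kev_exposure(feed_text: str, inventory: list[dict], today: date) -> list[Finding]:
    """Join inventory to KEV on vendor/product (case-insensitive) and sort by urgency."""
    findings = []
    for entry in load_kev(feed_text):
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        for asset in inventory:
            if (asset["vendor"].lower(), asset["product"].lower()) == key:
                findings.append(assess(entry, asset, today))
    return sorted(findings, key=lambda f: (URGENCY[f.status], -f.exposure_days))


def summarize(findings: list[Finding]) -> dict:
    """Headline numbers for the weekly review: how many are still open, and how many were
    closed faster than the attackers' typical 48-hour weaponization time."""
    return {
        "exposed_hosts": sum(f.status in ("open", "overdue") for f in findings),
        "overdue_hosts": sum(f.status == "overdue" for f in findings),
        "patched_within_48h": sum(f.status.startswith("patched") and f.beat_weaponization_window
                                  for f in findings),
    }


if __name__ == "__main__":
    report = kev_exposure(KEV_SAMPLE, INVENTORY, date(2025, 11, 17))
    for f in report:
        flag = " [ransomware]" if f.ransomware else ""
        print(f"{f.host:8} {f.cve} {f.status:12} exposed {f.exposure_days:2d}d "
              f"beat-48h={f.beat_weaponization_window}{flag}")
    print(summarize(report))
```

Against the constructed data, db-01 comes first (unpatched and past CISA’s due date), vpn-01 next (inside the due window but already three days past the 48-hour mark, with ransomware use flagged), and only mail-01 was patched inside 48 hours of the listing. Swapping KEV_SAMPLE for the live feed and INVENTORY for a real asset export turns the same logic into a weekly answer to "can we patch as fast as they weaponize?"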
Fundraising
From a fundraising perspective, a very solid week with more than $22.5B in newly committed capital, led by Neuberger Berman, which raised $7.3B for its fifth private credit fund, and Diameter Capital Partners, which closed its third dislocation fund at $4.5B.
To close out the AI theme, much discussion of who has sold their entire stake in Nvidia this week (including Softbank and Peter Thiel), but what that means remains anybody’s guess.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.bbc.com/news/articles/cx2lzmygr84o
https://www.anthropic.com/news/disrupting-AI-espionage
https://cyberscoop.com/anthropic-ai-orchestrated-attack-required-many-human-hands/
https://www.nytimes.com/2025/11/14/business/chinese-hackers-artificial-intelligence.html
https://thehackernews.com/2025/11/when-attacks-come-faster-than-patches.html