GPT 5.1 landed with solid upgrades.
Kimi pushed out K2 and people jumped straight into testing the reasoning boost.
A few labs dropped new benchmarks.

But that is not the real headline.

The real headline is that Anthropic released the full report of a live cyber attack that ran in September.

The back story is that a state linked espionage team used Claude in a real intrusion.

Not theory.
Not a demo.
A real operation with real targets.

This is the first time we have seen a fully documented case of an AI system helping to carry out intrusion steps in the wild.

We have officially moved beyond the “what if” stage.
It is now clear that AI cyber attacks have begun.

Let’s break down what happened and what it means for platforms and engineers.

What GTG 1002 Actually Did

The report identifies the operators as GTG 1002, a state linked espionage team known for targeting high value environments.

Here’s how Anthropic described the intrusion in their official November 2025 report.

In mid-September 2025, we detected a highly sophisticated cyber espionage operation conducted by a Chinese state-sponsored group we’ve designated GTG-1002 that represents a fundamental shift in how advanced threat actors use AI. Our investigation revealed a well-resourced, professionally coordinated operation involving multiple simultaneous targeted intrusions. The operation targeted roughly 30 entities and our investigation validated a handful of successful intrusions.
Source: Anthropic Full Report, November 2025

Their targets included banks, tech firms, and government bodies.
Roughly thirty organisations in total.

These were not random targets.
These were chosen for access, insight, and strategic value.

This is now what automated cyber threat campaigns look like.

A small team suddenly has the power of a much larger threat operation.

The Architecture Behind the Operation

The architecture of this campaign tells you everything about how far threat actors have already gone with AI driven operations.

GTG 1002 did not run a simple script or a noisy mass scan.
They built a structured campaign with clear phases, long lived model sessions, and a split between model autonomy and human oversight.

Claude handled most of the operational work.
The human operators only stepped in at strategic points where judgment mattered.

This is how the report describes it:

“The campaign proceeded through structured phases, where AI autonomy increased progressively while human oversight remained concentrated at strategic decision gates.”
Source: Anthropic Full Report, November 2025

This means the operation had a real hierarchy.
Claude did the scanning, sorting, checking, mapping, testing, and summarising.
The humans chose targets, adjusted strategy, and decided what to do next.

Across the campaign, the pattern looked like this:

Claude ran two to six hour blocks of autonomous activity.
Humans stepped in every five to twenty minutes to approve the next move.
Then Claude ran the next sequence.

This architecture let a small team work at a speed that usually requires a large crew.
Much of the workflow ran like a distributed system.

Claude acted as the worker nodes, processing small tasks and producing structured output.

The human operators acted as the orchestrators, linking outputs into the bigger chain.

It is also clear that the attackers understood the model’s tool ecosystem.
They used browser tools, scanning utilities, payload testers, and structured reporting to keep the workflow cohesive.

Everything was broken into small tasks so the model would treat each step as normal.

Once you understand the architecture, the lifecycle makes sense.
The attack was not random.
It moved through phases.
It expanded autonomy with each step.

And it used human oversight only where strategic decisions were needed.

Anthropic’s Response

“Upon detecting this activity, we immediately launched an investigation to understand its scope and nature. Over the following ten days, as we mapped the severity and full extent of the operation, we banned accounts as they were identified, notified affected entities as appropriate, and coordinated with authorities as we gathered actionable intelligence.”
Source: Anthropic Full Report, November 2025

Anthropic’s response was fast and structured.

They picked up the unusual behaviour patterns early and moved into an investigation straight away.

The next ten days were spent mapping the scale of the operation, confirming what was real, and verifying how far the attackers had progressed.

As they traced the activity across accounts, they banned each one as soon as it was confirmed.

They notified the organisations that were affected.

And they worked with the relevant authorities while the intelligence was being collected.

This is an important part of the story.
The detection came from behaviour, not prompts.
And the response followed the same pattern you would expect from any security incident:
detect, verify, isolate, notify, and contain.

This also shows that the defenders moved at speed.
And speed matters now more than ever.

Claude’s Network Feature Flaw

The report surfaced another issue.

A separate flaw that involved Claude’s network features and how they could be manipulated through indirect prompt injection.

Security researcher Johann Rehberger discovered this weakness in October.

Claude’s coding tool has a network mode called package managers only.
It was designed to allow safe access to a small list of approved domains.

Claude’s “Package managers only” network mode allowed outbound calls to a short allowlist of trusted domains:

api.anthropic.com

The idea was that Claude could install software packages from trusted sources like npm, PyPI, GitHub, and a few Anthropic controlled endpoints.

But the setup introduced an opening.

Rehberger found that an attacker could hide instructions inside a normal looking file.

A document.
A script.
Even a printed message.

The moment a user asked Claude to analyse that file, hidden instructions could be executed.

It’s indirect prompt injection.

The flow is simple.
Claude reads the content.
Follows the content.
Carries out the steps.

In this case, the steps were:

Gather recent chat history.
Write it into a file inside the sandbox.
Use the Anthropic SDK to send that file to the attacker’s own Anthropic account.

Because the allowed domain list included Anthropic’s own API endpoint, the upload request looked legitimate.

And since each upload supported up to thirty megabytes, the data exfiltration could happen at scale.

Early tests showed the exploit worked without much resistance.
Later versions of Claude started flagging obvious API keys.

So the researcher disguised the payload inside harmless print statements, and Claude ran it.

The weakness was reported through HackerOne.

At first, Anthropic treated it as a model safety issue, not a security issue.

However, after public discussion, they acknowledged it formally and confirmed it as an actual security problem.

This incident showed something important.

Even limited connectivity in an AI system can be misused.

Once a model can run code and make outbound calls, every allowed domain becomes a possible path for misuse.

So what does this mean, and what’s the gameplay for us as engineers?
I will unpack that next.

Fundamentals of Defence

The report highlights that AI can change the tempo of an attack.
But it does not change the fundamentals of defence.

The workflows used in both incidents were built on things we already know.

Weak configurations.
Open paths.
Routine tasks.
And systems that trust too much by default.

So here is the gameplay for engineers.

Keep your systems tight.
Keep the paths narrow.
Keep the attack surface small.

The threat actors used automation to speed things up.
But they still relied on the same entry points every attacker uses.
The same mistakes.
The same gaps.
The same blind spots.

If your patching is current, the paths shrink.
If your identity controls are strong, the paths shrink.
If your endpoints are clean and monitored, the paths shrink.
If your staff know what a phishing lure looks like, the paths shrink again.

And if you shut down unnecessary network access,
there is no path for automated exfiltration in the first place.

AI allows attackers to run more checks, faster checks, and wider checks.

But it cannot bypass a well secured system.

It cannot push through a patch that is already applied.
It cannot defeat a hardware token.
It cannot log in where no credential exists.

The gameplay is the same.
But the discipline needs to be sharper.

So what should we do about it?

The Playbook

If there is one message from this incident, it is this.
AI speeds up attacks, but it does not invent new ones.
It just runs the same old paths faster.

So the defence still starts with the basics.
But they need to be done properly.
And they need to be checked often.

Let’s dive in.

1. Multi Factor Authentication Everywhere

Use hardware tokens or certificate based authentication.
Avoid SMS.
Keep admin accounts separate.
Rotate them on a fixed schedule.

Check your logs for unusual sign in attempts.
Look for access from strange locations.
Look for repeated failed logins.

A strong identity control blocks most intrusion chains before they begin.

2. Patch the Top Attack Surfaces Fast

Do not wait for quarterly maintenance windows.
Patch the critical surfaces as soon as fixes are released.

Focus on:
Exchange and mail servers.
VPN appliances.
Firewall platforms.
Hypervisors.
Public facing apps.
Open source libraries in your dependency chain.

Keep a monthly patch report.
Track each issue until it is closed.
This one action removes a large slice of real world attack paths.

3. Segment Your Network Properly

Keep critical systems isolated.
Block sideways movement by default.
Follow zero trust principles in practice, not only on paper.

Test this every quarter.
Try to move from a low value system to a high value one.

If you can do it easily, an attacker can too.

4. Lock Down Remote Access

Limit remote tools to a small approved list.
Block everything else at the policy level.

Watch for:
AnyDesk
TeamViewer
Unapproved RDP paths
Unusual remote sessions
Processes spawning remote tools

If you really need external RDP, put it behind a VPN or jump server.

Use hardware based MFA on every privileged account.

5. Run Strong Backup Routines

Follow the three, two, one rule.
Three copies.
Two media types.
One kept offline.

Run a restore test monthly.
Write down the result.

A backup that has never been tested is not a backup.

6. Use EDR and Threat Hunting

Watch for common attack tradecraft:

Unexpected PowerShell activity.
PsExec tasks.
Credential dumping.
Cobalt Strike style patterns.
Large file locks.
Strange data staging.
New scheduled tasks.
Weird WMI activity.

Feed your EDR with updated threat intelligence.
Run weekly hunt reports with indicators from CISA and other trusted sources.

7. Identity and Privilege Control

Keep access tight.
Grant admin rights only for the short time needed.
Review all elevated access at the end of each month.

Disable old accounts.
Rotate service credentials.
Remove default passwords from every device and every app.

This stops attackers from moving freely once they get a foothold.

8. Insider Risk and Behaviour Monitoring

Watch for patterns like:
Sudden privilege jumps.
Unusual login times.
Large data pulls.
Repeated access to sensitive folders.
Admin users acting outside their normal scope.

Generate a monthly behaviour report.
Investigate anything that looks strange.

9. Shut Down Unused Ports and Services

Every open port is a possible path.
Close anything that is not required.

Focus on:
Old SSH ports.
Legacy management ports.
Stale database listeners.
Forgotten web dashboards.
Old test environments.

Scan the network weekly and compare it to last week’s map.

10. Train Staff Against Phishing and Social Engineering

Human error is still the quickest path in.
Teach your staff what phishing looks like.
Run simulated tests.
Give people simple rules to follow.

A trained team stops a large number of attacks long before your tools do.

The Goal

Reduce the number of open paths.
Shrink the attack surface.
Make the system harder to move through.
Make every step slower for an attacker.

If you do that, even an AI driven operation will struggle.

Closing Thoughts

Both incidents point to the same reality.

AI is now part of the attack surface.
Not in theory.
Not in forecasts.
In practice.

The attackers did not use magic.
They used automation.
They used scale.
They used speed.
And they relied on the same weaknesses that teams struggle with every day.

That is the part we cannot ignore.

AI lets a small group move faster.
It lets them run more checks.
It lets them chain tasks together.
But it does not remove the need for an open path.
It does not remove the need for a weak configuration.
It does not remove the need for something to grab onto.

So the path forward is clear.

Tighten the basics.
Reduce the openings.
Monitor behaviour, not just content.
Keep identity controls strong.
Keep patching sharp.
Keep your endpoints clean.
And keep your staff aware.

If you make the attack paths narrow,
even an AI driven operation finds it hard to do real damage.

This report is a warning.
But it is also a reminder.

Good engineering still works.
Good security still works.
And the teams that stay disciplined will stay ahead.

That is it for today’s deep dive.

A quick note. I have added two new newsletter sections to help you catch up on each week’s big news.

This Week in AI.
This Week in Cybersecurity and Compliance.

Tip: If you find this helpful, subscribe to get new episodes automatically.

Subscribe now

Ransomware isn’t a story about lone coders anymore. It’s a business.

Think of it like Ransomware as a Service. You rent the malware. You follow the guide. You split the profit.

In today’s insight, I’m walking through how BlackCat (ALPHV) shaped this whole model, why it still matters even after the takedown, and the steps you can take right now to stop most RaaS attacks before they spread.

From this guided insight, you will:

👉 Understand how RaaS really works
👉 Learn what indicators actually matter
👉 See how to block the tools attackers rely on daily

Know your attackers’ tools, defend with precision.

Subscribe now

The Myth vs The Model

Here’s the truth: ransomware today isn’t driven by genius. It’s driven by structure.

The days of lone hackers are mostly gone. In their place, you’ve got a commercialised underground economy with developers, affiliates and profit splits.

It’s sold as RaaS, Ransomware as a Service. I sometimes call it Rent a Service because that’s basically what it is.

You don’t need to write code anymore. You use what’s already out there. You rent it, repurpose it or tweak existing malware, then run the job and split the profit.

Over time, the market professionalised

A small group of skilled developers started building solid ransomware toolkits with admin panels, payment systems and clear instructions.

They offered these platforms to operators on private channels. Sometimes rented, sometimes sold, copied from leaked code.

Affiliates buy access, pick their targets and run the attacks.

Developers look after the platform, handle payments and take their cut.

That’s how a few coders can fuel hundreds of global breaches. And BlackCat (ALPHV) shows this better than anyone.

What Is BlackCat (ALPHV)?

Why this matters: it’s the playbook for professional ransomware operations. It’s modular, runs on different systems, and feels a lot like commercial software.

BlackCat, also called ALPHV or Noberus, showed up in late 2021.

It’s written in Rust, one of my favourite languages. I’ve got a soft spot for Go and Elixir, too.

Rust is fast, memory safe and tough to reverse engineer, which makes it great for staying hidden.

Unlike older strains, BlackCat runs on Windows, Linux and VMware ESXi. So it hits both cloud and on-premises systems.

The code is clean, the logic is tight, and the whole thing feels like it was built to make money rather than cause random chaos.

How BlackCat Works

Why this matters: Knowing the flow helps defenders break it before anything gets encrypted.

BlackCat runs on the Ransomware as a Service model. Developers keep the platform running, and affiliates carry out the intrusions.

Here’s the attack flow:

Initial Access: through phishing, stolen RDP credentials or exploited weaknesses like ProxyShell, Log4j or ESXi flaws.

Lateral Movement: using tools like Cobalt Strike, AnyDesk or PsExec to move through the network, gain higher access and shut down security controls.

Data Exfiltration: before any encryption starts, sensitive data is taken for double extortion.

Encryption: files are locked with AES 256 and ChaCha20. A random seven-character extension is added, and system files are skipped so the device can still boot.

Ransom Demand: a note drops with a dot onion link for negotiation. Payment is usually Bitcoin or Monero.

Affiliates keep most of the profit. Developers take a smaller platform cut.

Subscribe now

Attack Indicators

Why this matters: Early detection often decides whether an event becomes an incident.

Behavioural Indicators

What to Do About It

Why this matters: precision beats panic. These actions close the paths BlackCat-style operators depend on.

Multi Factor Authentication (Platform / SecOps)
Use hardware tokens or certificate-based MFA. Skip SMS codes.
Verify: check a sample of high-privilege logins each week.

Patch Vulnerabilities (IT Ops)
Focus on Exchange issues like ProxyShell and ProxyLogon, Log4j, VMware ESXi, Fortinet and SonicWall.
Verify: keep monthly reports that track each weakness through to patch.

Network Segmentation (Network / SecOps)
Follow Zero Trust ideas. Keep critical systems isolated and block sideways movement by default.
Verify: run quarterly drills that test sideways movement.

Remote Access Controls (IT Ops)
Allow only approved remote tools. Block everything else through Group Policy.
Verify: review a weekly software inventory diff.

Backups (IT Ops)
Use the three two one rule. Three copies, two types of media, one kept offline.
Verify: run a monthly restore test and write down the result.

EDR and Threat Hunting (SecOps)
Watch for Rust payloads, Cobalt Strike traffic, mass file locks and strange data staging.
Verify: produce weekly hunt reports with IOC checks.

Identity and Privilege Controls (SecOps / HR)
Keep access tight, rotate admin accounts and use Just in Time access.
Verify: review all raised access each month.

Insider Risk Monitoring (SecOps / HR)
Watch for odd admin behaviour, sudden privilege jumps and unusual access patterns.
Verify: send a behavioural report and raise anything that stands out.

Quick Wins (5 Minutes)

Why this matters: small changes stack up fast. These actions close the gaps that attackers use every day.

Most attackers don’t write code on the fly. They use normal admin tools, the same ones your IT team trusts.

Cut off their access to these, and you slow them down fast.

🖥️ RDP
A common path in.
Turn off external RDP.
If you really need it, put it behind a VPN or a jump host.
Use hardware MFA like a YubiKey.
Watch for failed logins and odd locations.

🎯 Cobalt Strike
Common in cracked form.
Pull in CISA IOCs for active command paths.
Use community SSL and TLS intel feeds like abuse.ch SSLBL.
Let your EDR or IDS watch for Beacon patterns because domain blocks alone are never enough.

🧰 AnyDesk and TeamViewer
Easy backdoor tools for intruders.
Keep only the approved ones.
Remove anything unapproved through Group Policy.
Let only admins install remote tools.

🔑 Mimikatz
Used to pull credentials.
Turn on LSASS protection with RunAsPPL.
Make sure WDigest is off. It is off by default on recent Windows builds. If you run older ones, apply KB2871997, then turn it off.
Watch for dumping behaviour in your EDR.
Rotate high-privilege passwords on a regular schedule.

⚡ PowerShell and PsExec
Built-in tools are often used in attacks.
Limit PowerShell to signed or admin-approved scripts through WDAC or AppLocker.
Log Event IDs 4104 and 4688, and watch 5861 for WMI persistence.
Limit PsExec for non-admins and push all logs to your SIEM.

Outcome: you’ve now blocked around ninety percent of real-world ransomware tradecraft, including BlackCat.

Final Thought

BlackCat isn’t just another ransomware strain. It’s a template for how modern cybercrime grows and keeps itself going.

Assume breach. Verify everything. Patch fast. Segment deep. Back up smart.

Know the tools attackers use and defend with precision.

Subscribe now