The GTG-1002 Attack: The First Autonomous Cyberspace Campaign
In November 2025, Anthropic revealed details of an unprecedented cyberespionage campaign, dubbed GTG-1002. This was the first time a case of an artificial intelligence (AI) agent orchestrating real-world intrusions with minimal human intervention was documented.
A Chinese state-sponsored group manipulated an Anthropic Code Assistant to run approximately 80% of a multi-target hacking campaign autonomously. Instead of simply advising cybercriminals, AI took control of key phases of the operation, including:
- Recognition
- Vulnerability discovery
- Exploitation
- Credential theft
- Data exfiltration
This operation was executed at “machine pace,” completing tasks in a fraction of the time a human team would require. The AI identified sensitive databases and wrote exploits in a matter of seconds. At the peak of the attack, the AI made thousands of requests (several per second), an amount of activity impossible for humans to match. This speed and scale of automation allows attackers’ workflows to continually iterate, expanding intrusions faster than cybersecurity experts can traditionally react.
The Asymmetry of Risk in SaaS Security
The implications of AI-automated attacks are especially concerning in the context of SaaS application security. Most organizations rely on SaaS platforms interconnected through OAuth integrations and API keys. These trust tokens grant delegated access to data, but create a fundamental vulnerability.
Static Trust Problem: Trust in OAuth tokens is typically static and human-paced, while AI-augmented attackers operate dynamically and quickly. When a user or administrator approves a third-party app integration, a token with certain permissions (scopes) is created. These decisions are often “set it and forget it” and are rarely reviewed.
Over time, organizations accumulate dozens or hundreds of applications with broad permissions. Employees often grant excessive permissions that exceed the actual needs of the application. These access tokens remain valid indefinitely if not manually revoked.
Vulnerability of Long Duration Tokens: OAuth access tokens and their refresh tokens can persist for months or years without rotation. They are generally not tied to a specific device or network, meaning they can be used from anywhere once they are stolen. This persistent trust allows embedded applications to operate without scrutiny, bypassing traditional login security mechanisms.
This asymmetry means that an attacker who compromises a long-lived token can exploit that static trust much faster than a human computer can notice or respond. When threat actors can move at machine speed and remain under the radar of infrequent manual verifications, the single approval model becomes a serious liability.
From Periodic Reviews to Continuous Verification
To defend SaaS environments from AI threats, security teams must move from regular manual audits to proactive, automated verification of applications and identities. This strategy aligns with the Zero Trust philosophy: never trust, always verify (and re-verify). In practice, this means treating tokens and third-party SaaS integrations with the same rigor as privileged user accounts, applying principles of least privilege and continuous monitoring.
Defense Best Practices:
- Short-lived and frequently rotated tokens: Implement tokens that expire quickly to prevent compromised credentials from persisting.
- Granular Permission Scopes: Require applications to request new permissions if they need them, making any scope change a deliberate event that can be reviewed.
- Dynamic Behavior Monitoring: Use SaaS security solutions that monitor the behavior of connected applications and service accounts. Establish a baseline of normal activity and detect anomalies in real time.
Key Indicators to Monitor in SaaS Environments
Security teams should actively look for the following indicators of potential compromise or abuse in their SaaS environments:
1. Sudden Changes in Scopes or Permits
Pay attention to any third-party applications that request new scopes or expanded permissions, especially outside of the standard change management process. If a read-only integration suddenly requests write or administrator privileges, it should be treated with suspicion.
2. Risky or unreviewed Connected Apps
Identify and scrutinize high-risk applications in your environment. Signs of a risky app include those with very broad permissions, apps from unverified or unknown publishers, or those authorized by few users (especially if one is a privileged account). An app whose purpose does not match the requested permissions (e.g. a calendar app that asks to read all emails) is a major red flag.
3. Abnormal OAuth Usage Patterns
Monitor unusual usage of tokens or app integrations. This includes spikes in data access volume, accesses at odd times or from atypical locations, or an application that suddenly queries data it wouldn’t normally access. A harmless chatbot that performs a bulk export of CRM data at 1am. m. It is an alarm signal.
4. Unusual Data Access or Actions
Keep an eye on what a user or application is doing with their SaaS access. Indicators of compromise include mass downloading of files or records, large-scale deletion or transfer of data, or viewing sensitive data that is outside the normal scope of the account.
Conclusion
The GTG-1002 attack demonstrated that cyberattacks can be deployed on a scale that surpasses traditional defenses. To counter this, it is vital to have a real-time view of what our applications, tokens and identities are doing. SaaS security must evolve from a static model to a dynamic one.
By continually evaluating the behavior of identities—“Is this normal for this application? Is this action safe for this user?"—and arming ourselves with tools that can answer these questions in real time, we can hope to capture a machine-driven attack before it’s too late. It’s time to make verification continuous in our SaaS environments, ensuring that even as attackers accelerate, our defenses remain one step ahead.
References
- GTG-1002 Campaign: Anthropic’s discovery of the use of his assistant Claude in an autonomous cyberattack.
- OAuth: Authorization standard used by applications to gain delegated access to third-party resources.
- Reco: Dynamic SaaS security platform mentioned in the article to monitor the behavior of applications and tokens.