AI-driven agentic campaigns such as GTG-1002 are multi-phase operations conducted at very high speed, often without custom malware, instead leveraging legitimate tools and protocols. In this model, defense based on observing network behavior rather than signatures alone becomes key. ExtraHop addresses this problem comprehensively:
1️⃣ Holistic network visibility and elimination of blind spots
The foundation for effective defense against autonomous agents is complete, consistent telemetry from the network. ExtraHop provides end-to-end visibility through line-rate traffic analysis, decryption, and deep protocol decoding. This covers both the standard communication layers and the business applications and APIs that AI agents exploit for reconnaissance, privilege escalation, and data theft. As a result, ExtraHop reveals activity that would otherwise remain hidden in encrypted traffic or in the “gray zone” of legitimate protocols.
2️⃣ Detection of characteristic “orchestration traffic” to LLM/MCP services
A distinctive feature of agentic campaigns is continuous communication between the internal agent and external orchestration infrastructure, e.g., MCP servers and Large Language Model services. ExtraHop can identify this type of traffic as a separate, highly diagnostic threat signal. In practice it is often easier to notice than the attack actions themselves, because it produces long-lived, repetitive connections with unusual characteristics. Detecting this pattern lets security teams quickly disrupt the attack chain by severing the AI agent from its “control system.”
3️⃣ Real-time detection of behavioral anomalies
ExtraHop uses advanced machine learning models to detect behavioral anomalies in real time. In the initial phases this includes high-volume scans, unusual service enumeration, and systematic vulnerability validation. In later stages the platform detects automated lateral movement, unusual use of privileged accounts, and other patterns indicative of “agent” activity.
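To make the two signals in sections 2 and 3 concrete, the following added example runs simple heuristics over constructed flow records: it flags (a) an internal host that keeps opening long-lived, regularly spaced connections to the same external endpoint, the shape described for LLM/MCP orchestration traffic, and (b) a source that touches an unusually large number of distinct host/port targets inside a short window, the shape of a high-volume scan. This is illustration code written for this page, not ExtraHop's detection logic; the flow records, the addresses (TEST-NET and RFC 1918 ranges), the thresholds, and the function names are all assumptions.

```python
"""Flow-record heuristics for agentic-campaign signals (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float        # connection start, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    duration: float  # session length in seconds


def constructed_flows():
    """Build a small synthetic flow set; none of this comes from a real capture."""
    flows = []
    base = 1_700_000_000.0
    # (a) eight ~5-minute sessions, every ~300 s with a few seconds of jitter,
    #     from an internal host to an external endpoint: orchestration-like.
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, -3, 1]):
        flows.append(Flow(base + 300 * i + jitter, "10.0.5.17", "203.0.113.10", 443, 240.0))
    # (b) forty short connections to 10 hosts x 4 ports within 20 s: scan-like.
    n = 0
    for host in range(1, 11):
        for port in (22, 80, 443, 445):
            flows.append(Flow(base + 1000 + n * 0.5, "10.0.5.17", f"10.0.20.{host}", port, 0.2))
            n += 1
    # (c) irregular, short sessions from another host: ordinary browsing, no hit.
    for off in (0, 47, 190, 512, 530, 900, 1400):
        flows.append(Flow(base + off, "10.0.5.22", "10.0.9.5", 443, 5.0))
    return flows


def orchestration_candidates(flows, min_conns=6, max_cv=0.2, min_mean_duration=30.0):
    """Flag (src, dst, dport) tuples with many connections whose inter-arrival
    times are regular (coefficient of variation <= max_cv) and whose sessions
    are long-lived on average. Regular, long, repeated sessions to one external
    service are the shape the text attributes to agent <-> LLM/MCP traffic."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    hits = []
    for (src, dst, dport), fs in groups.items():
        if len(fs) < min_conns:
            continue
        starts = sorted(f.ts for f in fs)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue
        cv = pstdev(gaps) / mean_gap
        avg_duration = mean(f.duration for f in fs)
        if cv <= max_cv and avg_duration >= min_mean_duration:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": len(fs), "interval_cv": round(cv, 3),
                         "mean_duration": avg_duration})
    return hits


def scan_candidates(flows, window=60.0, min_targets=20):
    """Flag sources that contact at least min_targets distinct (dst, dport)
    pairs within any window of `window` seconds: a fan-out/enumeration signal."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = []
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        peak = 0
        for i, start in enumerate(fs):
            targets = {(f.dst, f.dport) for f in fs[i:] if f.ts - start.ts <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            hits.append({"src": src, "distinct_targets_in_window": peak})
    return hits


if __name__ == "__main__":
    sample = constructed_flows()
    for hit in orchestration_candidates(sample):
        print("orchestration-like:", hit)
    for hit in scan_candidates(sample):
        print("scan-like:", hit)
```

On the constructed data, only 10.0.5.17 is reported, once for the regular 300-second sessions to 203.0.113.10:443 (interval CV around 0.015) and once for touching 40 distinct targets in 20 seconds; the irregular browsing host is not flagged. In a real deployment the same two questions would be asked of NDR flow metadata, and the orchestration hit is the one worth acting on first, since cutting that connection separates the agent from its decision-making backend.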
4️⃣ Forensic analysis
After an incident is detected, it is equally important to understand precisely how it unfolded. ExtraHop retains high-fidelity packet data and network metadata, enabling reconstruction of the full attack path: which services the AI agent enumerated, which resources it accessed, what data it processed, and how it attempted to exfiltrate it. Packet records allow complex action chains and the automated decisions made by AI frameworks to be reconstructed, which is crucial for hardening defenses going forward.
5️⃣ Integration with threat intelligence and IOC/TTP correlation
Agentic campaigns, despite their high degree of autonomy, still rely on external infrastructure components such as callback servers, C2 addresses, or tool repositories. ExtraHop integrates with reliable Threat Intelligence sources, enriching detections with known indicators of compromise (IOCs) and mapping observed actions to MITRE ATT&CK techniques.
6️⃣ Accelerated incident response and precise remediation
ExtraHop generates high-confidence alerts and visualizes the attack path, showing compromised hosts, their relationships, and the vulnerable resources threatened by lateral movement. This level of detail allows SOC teams to make accurate decisions quickly: isolate specific systems, block lateral movement vectors and, crucially in agentic campaigns, immediately sever the connections between the internal AI agent and its external orchestration servers.
NDR-class solutions from ExtraHop combine full visibility, behavioral detection, identification of AI agent-specific signals, and deep forensic analysis. This set of capabilities is essential for effectively detecting and disrupting the new generation of espionage campaigns in which artificial intelligence acts as an autonomous attack operator.