DATE
November 14, 2025
Introduction
Anthropic’s recent disclosure about an AI-orchestrated cyber-espionage campaign has triggered an important moment for the industry. Their work is rigorous and transparent, and it provides one of the clearest public demonstrations of agentic AI being used in offensive operations.
This blog was written in response to the growing discussions surrounding Anthropic’s findings. While their research highlights a new threshold in AI-enabled cyberattacks, it is not the first sign that this shift was underway. Earlier in 2025, events surrounding the Harbin Asian Winter Games in China offered a different perspective on how artificial intelligence is beginning to shape offensive cyber operations around the world.
The goal of this analysis is not to downplay Anthropic’s contribution. Instead, it is to contextualize it. The evidence emerging from China and other regions illustrates a broader pattern. Agentic AI is no longer a theoretical component of cyber operations. It is becoming operational, global, and more autonomous with each iteration.
Agentic AI refers to systems capable of perceiving an environment, reasoning about objectives, planning intermediate steps, and carrying out actions with limited human oversight. These systems do not simply generate code or recommend commands. They make choices about what to do next, adapt to new conditions, and pursue goals with a degree of independence that departs from traditional automation.
When these agents begin to make intrusion decisions, generate attack tools dynamically, adjust strategies based on feedback, and execute operations in sequence, the boundary between agentic and autonomous behavior begins to blur. Cyberattacks that previously required coordinated human teams can now be delegated to systems that operate at machine speed and do not tire, pause, or hesitate.
Anthropic’s analysis demonstrates this clearly. Their reporting shows AI performing most of the operational sequence with minimal human intervention. This is a significant moment for the industry, and it should be treated as such.
In early 2025, Chinese authorities reported a large-scale cyber campaign targeting the Asian Winter Games in Harbin and critical infrastructure in Heilongjiang. Chinese cybersecurity teams described the attack using terminology that is rarely seen in earlier public reporting.
Local investigators stated that the attackers used AI intelligent agents to plan the offensive workflow, discover vulnerabilities, generate exploit code, and automatically adjust traffic patterns during the attack. According to Chinese sources, parts of the codebase displayed characteristics associated with AI-generated logic, including dynamic code generation during execution and strategy switching based on real-time conditions.
Some Chinese experts characterized the incident as the first use of AI intelligent agents in an operational cyberattack. The claim is politically sensitive, and the technical details released publicly are limited. It is important to note that these claims come from the viewpoint of the reporting authorities and have not been independently verified.
However, whether or not every detail is accurate, the language and framing matter. It indicates that major cybersecurity ecosystems outside the United States are already attributing cyber operations to agentic AI, and that they are starting to treat these systems as active components of modern offensive campaigns.
The Harbin reporting and the Anthropic disclosure represent two different kinds of evidence. Harbin is framed through forensic summaries and geopolitical attribution. Anthropic provides detailed telemetry, logs, and step-by-step demonstrations of AI handling reconnaissance, vulnerability analysis, tooling, and lateral movement.
Despite their differences, both cases point to the same trend. The operational role of AI is expanding from support to decision-making and execution. In both examples, AI systems demonstrate the ability to move beyond passively generating content and into actively running parts of the intrusion lifecycle.
Taken together, these events show that AI-driven offensive operations are not isolated to any single region or political actor. The shift is global, and the technical capability is no longer limited to high-end state actors.
AI-driven attack operations introduce three serious implications for defenders.
First, speed. These systems operate faster than human analysts can respond. They can scan, pivot, generate tools, and escalate privileges in seconds.
Second, scale. Agentic and autonomous behavior allows a single adversary to operate hundreds of parallel intrusion paths across dozens of targets without increasing human workload.
Third, unpredictability. AI agents do not always produce consistent behavior. They can chain unusual commands, test combinations that human operators would not attempt, and create signatures that evade traditional detection.
Traditional cyber defense models were not built for these dynamics. Detection, logging, and incident response must evolve to treat machine-speed, machine-generated activity as the new baseline.
ikPin’s research and service model is built around preparing clients for this shift. Organizations cannot rely on legacy assumptions about what attackers are capable of. When AI begins making decisions, generating tooling, and carrying out attacks with limited human involvement, the defensive posture must change.
It requires enhanced telemetry, better behavioral analytics, stronger identity controls, and security operations that can recognize and respond to the patterns of autonomous and semi-autonomous systems.
This moment is not defined by which case counts as the first. It is defined by the fact that the transition is already underway. The global threat landscape is moving toward agentic and autonomous AI-driven operations, and the organizations that prepare now will be the ones that navigate this shift effectively.
