The Age of Agentic Attacks | The GTG-1002 Campaign and the Birth of AI-Directed Cyber Espionage Operations
Once you stick that non-deterministic
behaving microservice into a data center
and let it run on hundreds and
thousands of servers, that's not a human.
I'm sorry, that's just a bad analogy.
That is now an army.
Welcome to The CISO
Signal, I'm Jeremy Ladner.
If you enjoy true cyber crime,
investigative, deep dives,
please take a moment right now
to like, share and subscribe.
It really helps us grow the show
and reach other cybersecurity leaders.
On this episode,
we travel back to September 2025.
Artificial intelligence
is no longer a debate.
It is now part of our infrastructure.
In Fortune 500 boardrooms
and federal agencies, no one is asking
whether AI will change cybersecurity
because it already has.
AI writes production code, refactors
brittle legacy systems.
It drafts incident reports
while the incidents are still unfolding.
It triages vulnerabilities before analysts
finish their first cup of coffee.
Executives speak about agentic systems
the way they once spoke about
cloud migration.
It is inevitable,
transformative and embedded.
At the center of that acceleration
stands Anthropic.
Among its most capable tools is Claude
Code, not a simple autocomplete assistant,
but a reasoning engine built
to solve complex engineering problems.
It reads repositories. It writes scripts.
It executes test cases.
It even chains commands together.
Claude Code is marketed carefully
as a force multiplier for developers
and in thousands of organizations,
that is exactly what it is.
But there is a question few
are willing to ask out loud.
What happens when a tool built
to aid, assist, and optimize
is conned, cajoled, and ultimately
convinced to collect and deliver
an organization's most closely
guarded secrets to its enemies?
To help us examine what happened
and what comes next,
I'm joined by two leaders
who sit at the forefront of cybersecurity.
First, this episode's sponsor and guest
co-host, Ev Kontsevoy.
Ev is the co-founder and CEO of Teleport.
Teleport is an infrastructure
identity company that helps organizations
control and audit
who and what can reach critical systems,
replacing standing credentials
with short lived governed access.
Built for modern infrastructure
and autonomous workflows.
And joining Ev and me is our guest CISO
co-host Marius Poskus,
global CISO at Glow Financial Services
and founder of EMP Cybersecurity Services.
Marius has built
and led cybersecurity programs inside
high pressure, regulated
fintech environments where cloud adoption,
application security, and board-level
risks are not theoretical discussions.
They are live decisions
with real consequences.
Gentlemen, welcome to The CISO Signal.
It's great to have you on the podcast.
Jeremy.
Thank you for having us.
Thank you for having us. Excellent.
Let's begin the investigation. Absolutely.
Let's dive right in. Yes, indeed.
We are in the midst of a ceaseless war.
Not of bombs or bullets, but of breaches,
firewalls and silent incursions.
The targets are our borders,
our banks, our commerce
and the critical infrastructure
that underpins a free civilization.
The enemy is cloaked in code,
fueled by greed,
glory, and a desire for chaos.
This is the story of the unseen
protectors, the nameless
generals, the CISOs, Chief Information
Security Officers.
They are the guardians at the gate.
The watchers on the wall.
Ever vigilant and always listening
for The CISO Signal.
Act one.
The persuasion.
September 18th,
somewhere inside a quiet monitoring room,
an engineer scrolls
through overnight telemetry.
Most of it is routine: structured
prompts, development
sessions, expected noise,
but then something stops him.
One account issues
prompts in tight succession.
That alone is normal, of course.
But the recursion runs
deeper than expected.
The same problem appears again and again.
Refined, redeployed and sharpened.
It does not feel like experimentation.
It feels deliberate.
Ev, in legacy espionage attacks, humans
typically do the work.
But in this case it was a little bit
different in that it appears that the work
was largely delegated
for the first time to non-humans.
In plain language,
what does it actually mean to weaponize
an otherwise neutral AI coding assistant
into a nefarious operational coordinator?
I think it's important to pause
and realize
that the Claude in this case,
did not just replace a human.
It replaced a team of humans.
Sophisticated attacks,
they have multiple kind of subtasks,
and usually they're kind of members
in the hacking team
that are responsible
for executing these different stages.
And probably the most obvious implication
is that
if you have a piece of automation
replacing an entire team.
It basically means that the cost
of launching
a sophisticated attack
like that goes down dramatically.
And in practical terms,
what this means is that essentially
you have a reasoning, non-deterministic
behaving automation driven by an LLM,
executing some planning tasks, then
launching tools,
actually doing the work, then
observing results and repeating it again.
So kind of executing in the loop
autonomously.
The engineer tags
the session ten minutes later.
He opens it again and the sequence
runs longer than expected.
Requests chain together in a recursive
loop; scripts generate
and execute in rapid succession.
Not the uneven rhythm of a human
testing ideas,
but a compressed, relentless iteration.
Thousands of structured prompts flow
through a handful of accounts.
The model is not being asked to explain,
it is being asked to act.
It maps network environments.
It generates reconnaissance routines.
It refines exploit logic.
Usually you would deal with this kind
of trade off: deterministic versus fast.
So human hackers, they're obviously
non-deterministically behaving creatures.
Very smart, very creative.
But they are slow. Okay.
But then if you employ
an automation for hacking, you know,
like for example all the automatic
like port scanning tools for example.
So they are actually doing one thing
in that sense.
They’re dumb
but they're extremely, extremely fast.
So they could just do kind of millions
of different things per second.
In this case, we actually have
this really scary, fusion of both.
So you have planning non-deterministic
behavior multiplied by incredible speed.
So yes, it's quite a concern.
At first glance,
it could be a red team simulation,
the kind designed to test resilience.
But the cadence is raw.
The automation exceeds human limits.
Commands are issued, evaluated, modified,
and then redeployed,
sometimes in fractions of a second.
Feedback loops are too tight for fatigue,
too clean for improvisation.
The model is not merely responding.
It is planning and it is learning.
Marius,
if you learned that a state actor ran
large parts of an espionage campaign
through an AI tool, what do you think
is the first defensive assumption
you would immediately stop trusting?
As you say, large scale is scary.
And nowadays
things are evolving very fast.
So identity is becoming a big problem.
We've been talking a lot about this.
When you took a sort of normal approach,
I think the recent
data suggests
that, you know, for every human identity,
you have about 80 non-human identities
within an enterprise.
Discovering what those identities
have access to and being able to manage
them is a real risk and problem.
When we’re
talking about AI and GenAI, and
especially agentic frameworks, they
usually leverage identities in some way,
but they do it at scale and at speed.
And that's
where the real risk comes to play.
So we see sort of a speed of this agentic
AI adoption without people
understanding the risks that they face
and the dangers that come with it.
Recent examples with Clawdbot / Moltbot.
But you know, I think the founder himself
said that these tools are not for
non-technical people.
To secure them requires
a lot of knowledge and expertise.
And I think we are moving into a space
where people are experimenting
without understanding the risks
that they are assuming.
Anthropic's threat intelligence team begins
correlating signals.
The activity is clearly coordinated.
The targets are not hobby projects.
They span industries like technology
providers, financial institutions,
chemical manufacturers,
and even government networks.
More than 30 organizations will eventually
be associated with the activity,
according to public reporting summarized
by multiple cybersecurity outlets.
The accounts are linked
to what investigators
designate GTG-1002,
a threat cluster not previously known
for AI centric operations.
Investigators later state
the campaign bears hallmarks
consistent with state
aligned espionage tradecraft.
Several analysts suggest possible ties
to Chinese state interests.
No public indictment accompanies
the disclosure.
Beijing denies involvement,
and attribution remains assessed
but not proven.
Intent is shrouded in uncertainty.
Ev, when execution is delegated to agents
and workflows instead of people,
what do you think is the identity threat
that most organizations
are underestimating
or may not even realize they've created?
I would maybe summarize it down
to anonymity and fragmentation.
Obviously,
I don't have some hard industry data,
but I do have hundreds and hundreds
of kind of anecdotal conversations
with pretty large organizations
under my belt.
And my observation is that the majority
of those non-human identities
don't even exist.
What I mean by that is like,
you might have a server or a database
or entire environment
that is basically unaccounted for.
Sure, people have inventory files.
They kind of keep track of like,
this is my infrastructure,
but they do not issue identities to them.
Like they don't proactively manage
identities of machines, identities
of workloads, identities of databases,
identities of Kubernetes clusters.
So basically,
trust on first use continues to be
basically the norm
in a lot of organizations.
And that creates
basically a situation of anonymity.
The prompts are not blunt attempts
to bypass safeguards.
They reframe.
Reconnaissance becomes infrastructure
validation, credential
testing becomes authentication
resilience assessment,
exploit development
becomes compliance review.
The language is precise
enough to pass inspection
and ambiguous enough to redirect purpose.
This is not malware exploiting a flaw.
This is social engineering
aimed at artificial intelligence,
and the AI accepts the premise.
So then if you have an AI,
if you have an AI agent,
like a malicious AI agent,
like in this case, on your infrastructure,
so you actually don't really know
what this thing will do.
And what accounts it will try to use.
Forget about hacking for a second.
If you’re deploying your own
AI into your own infrastructure, don't
you want to contain it?
Adoption of AI into production
and cybersecurity threats associated
with it are forcing organizations to start
taking non-human identities seriously.
A lot of them have not done that work.
There is a lot of anonymity.
That's my first point.
And the second point is on fragmentation.
If you fragment identity,
you're essentially destroying it.
And fragmentation
now is unfortunately the norm.
You have one vendor managing
identities of your engineers, your humans,
another vendor managing identities of,
you know, like servers, like certificates
or something, another vendor
managing database identities.
And then you have cloud
and cloud management.
There's something in the cloud.
So if you create the silos of different
identities, they don't talk to each other.
They are becoming anonymous to each other.
This is why defending against
a coordinated identity attack
becomes essentially impossible.
So, like, our advice to an organization
is just clean up your infra
before you can even say that we are
AI ready.
Once guided by malicious actors,
it carries espionage
into the very systems
the adversaries intend to infiltrate.
Scanning, harvesting, pivoting,
and then exfiltrating.
According to reports
referenced by Anthropic, 80
to 90% of operational steps are executed
autonomously.
Human operators supervise,
but they do not issue each command.
Cyber intrusions have always required
human persistence.
Patience, improvisation,
even fatigue gets factored in.
This system does none of those things.
It does not falter.
It does not hesitate before generating
the thousandth payload variation.
It simply marches forward.
Marius, Anthropic assessed
this as Chinese state-linked espionage.
What does that imply, you think, about
motive, about discipline and patience?
And how is that fundamentally different
from a financially motivated crew?
Crime, it usually wants money,
but espionage wants
position, power and knowledge.
And I think that's where you know
these things sort of do a power play.
Espionage is, you know,
a way of collecting information
that could be leveraged in the future
to assume power, to gain control.
And we see this all the time.
We have threat actors
who continuously gather
and leverage data
for potentially using that in the future.
And we see this all the time, especially,
you know,
we have this talk about quantum
coming on board
and, you know, how our encryption
is not going to be safe anymore.
It's interesting to see
sometimes how threat actors use these
different tactics and techniques
for different power plays and
what is going to be the outcome of that,
because we don't really know.
And the research shows
very little from that.
I really like this question
because it reminded me about something.
So if you look at all
these different attacks
that are happening, it's really tempting
to put them into these kind of categories,
like how dangerous are they?
Like, are they really like aimed
at organizations like mine?
Because let's just face it,
cyber hacking has an ROI.
So if it costs more to hack
into your organization than it can
possibly extract,
then you're just not a valuable target.
So there are kind of roughly three
classes of attacks.
So then like at the bottom you basically
have like all this automated bots.
It's bots, kind of table stakes,
that are kind
of scanning the Internet, it’s
all these script kiddies.
So these are not sophisticated
attacks at all.
But I would say probably
most organizations
are well protected against that.
But then there is a second class
looking at elevating quite a lot here.
This is when you become a target.
Someone says,
okay, let's go after that organization.
And now you have that team after you.
And this is where a lot of organizations,
in my opinion, actually are not prepared
to be there.
And the third one is the espionage.
You are considered to be infinitely
valuable, which means that I think,
CrowdStrike talks about this a lot.
It becomes a sustained attack
that never truly, really goes away
because the attacker has infinite
resources.
That could be a state actor.
And they really,
really want to get this technology out of,
I don't know,
like Lockheed Martin or something.
So that's the attack
that essentially is going to be launched
and it will never stop.
So, very, very different things.
And what AI is doing in this case, it's
essentially
bringing down the cost of that,
like the kind of second tier of attack.
So as I said, the economics of cyber
are being changed dramatically.
So this is why, in my opinion, it’s
such a big deal.
Inside victim organizations,
nothing dramatic announces the intrusion.
Servers hum, logs populate, dashboards
all glow green.
If data moves outward, it moves quietly,
structured, compressed,
staged in fragments.
Espionage prefers subtlety.
Anthropic’s detection systems eventually
flag abnormally high volume command
structures and behavioral deviations
inconsistent with legitimate workflows.
Internal classifiers identify misuse
patterns, and accounts are suspended.
But by then, investigators confront
something larger than misuse.
This is not an attacker
using AI as a tool.
This is an attacker
treating AI as a team of operatives,
and a new possibility enters
the realm of global cybersecurity.
The next batch may not begin
with a lone human typing in the dark.
It may begin with a vast system
that never sleeps,
persuaded, directed, and set in motion
toward a singular target.
The machine has not turned rogue.
It has been convinced,
and that distinction
will define everything that follows.
Act 2, the acceleration.
Once persuaded,
the system does not hesitate.
The prompts are careful,
not blunt, not crude.
They are contextual reframing:
subtle shifts
in language that redirect intent
without raising alarm.
Network
mapping becomes infrastructure hygiene.
Credential testing becomes authentication
resilience assessment.
Exploit iteration
becomes compliance validation.
The words pass inspection.
The intent is successfully hidden
and the system accepts it.
What follows is not chaos,
it is optimization.
The Teleport team is really right
at the forefront of monitoring
how agentic threats are evolving
across the industry.
At a high level,
when execution is delegated to agents
instead of people,
what does that workflow tend to look like?
What are you seeing?
What does that agent
typically handle end to end
and where
do the humans still make decisions?
So I think we're too early in this game
to talk about what happens typically
because also the field is evolving
dramatically.
What was typical
last week is not typical this week.
But we can talk about
what happened in this case.
Anthropic revealed,
so they published a paper that documented,
pretty well how this particular team
was a state actor.
So there are kind of three,
if I remember correctly,
distinct phases of how these attacks
were planned and executed.
First, it all starts with a human,
obviously, which is good news.
Like we don't want AI actually
to initiate attacks.
Like that's still a human decision
to decide to go
and break into this organization.
So you need to select a target.
In this case, humans selected
just a bunch of targets, I believe over 30
or 50 organizations were targeted.
Claude Code constructs multi-step
workflows with mechanical discipline:
identify exposed services,
generate scripts, execute,
evaluate response, refine, and repeat.
Where a human operator cautiously pauses
to consider, the system recalculates
with explosive speed.
Where a human might try three payload
variations, the agentic system tries 30
and then 300, and it remembers what works.
Session memory tracks
environmental feedback: which ports
respond, which authentication flows
reveal subtle delays,
which error messages
hint at misconfiguration.
Each iteration sharpens, each cycle narrows
the margin for detection,
and each attempt refines
and then evolves towards its goal.
So then AI that took over
and it began kind of probing the networks,
probing
kind of exposed endpoints,
trying to find vulnerabilities.
So that was done
fully automatically as well.
So then the humans come back
after that stage and review the results.
So they try
then to focus the next stage in the attack
on targets
that they evaluate as being more
I guess it's again,
probably ROI calculation as well.
So then they would direct AI again,
just okay, let's go get into these.
And some organizations were breached.
Yet they did not reveal how many.
We don't know the names.
Then once these AI agents got inside,
they started gathering information
internally. That’s
basically the next step.
Again, Anthropic did not provide
much result, but I could imagine that
if the AI agent, for example,
was able to impersonate an employee,
they were probably sitting in
like slack chats, reading emails, scanning
internal networks, harvesting credentials
anywhere
they could find them, configuration
files, all of this information.
So then it was handed off to the next step
in the attack
where all of this information
was summarized using AI as well.
And all of the summaries were then
handed off again to human actors.
You see it was this kind of this
combination; human, AI, human, AI.
The most valuable insights
were identified.
And then the extraction,
the data exfiltration step followed,
which was again
performed by AI, fully automatically.
Across dozens of organizations,
the pattern replicates.
Reconnaissance
does not resemble a scanning storm.
It resembles auditing:
commands are syntactically clean,
scripts are logically structured.
The activity blends
into legitimate development workflows.
That is what makes it
so incredibly dangerous.
Traditional intrusion
detection hunts aggression:
malformed packets, brute force
spikes, anomalous binaries.
Here, the commands are well-formed,
the logic is coherent.
Even lateral movement unfolds
methodically: harvested credentials tested
against adjacent systems,
privilege boundaries probed
with patience that feels cold, clinical.
Not every target is fully compromised.
Public reporting does not confirm
uniform outcomes, but
sensitive environments are reached,
data is staged
and in some cases
information is exfiltrated.
The full scope remains
partially undisclosed
because espionage rarely publishes
receipts.
Marius,
In practical terms,
what breaks in detection when attackers
stop clicking through environments and
start orchestrating them through agents?
I think, first of all, you stop hunting
hands and you start hunting patterns.
I think in not so distant history,
you know, we have discovered a thing
called user entity behavior analytics,
which was all about human identities.
I think we’re
probably looking in the world
where we're going to move to determining
sort of behavior baselines for agents.
We're going to develop patterns
and detect anomalies and think about
what are the pattern
baselines of these agentic workflows?
You know, how
we can set up session boundaries,
you know, and create step up controls?
How we can have enough logging
that supports investigation.
But I think the way
how are we going to determine
that is from building patterns
and doing anomaly sort of investigation
where an agent steps out of line,
out of normal behavior / normal pattern,
then we can have ways to investigate
and determine whether there's something
fishy going on, shall we say.
On October 3rd, internal logs from
an organization referenced in reporting,
but not publicly named, show
a compressed outbound transfer
initiated minutes after an outbound
credential refinement cycle completes.
Payload is modest.
The destination unfamiliar.
The session lasts under 90 seconds.
It is not a data dump.
It is proof of access,
and proof is often enough.
What distinguishes
this campaign is not only autonomy,
it is speed, tasks that once took weeks
condense into cycles of minutes.
Iteration
velocity alters exposure windows.
Defenders are no longer
racing a human adversary
constrained by fatigue or shift changes.
They are racing recursion.
Inside the decision
chains, a feedback loop
forms: the systems generate exploit code,
test it, interpret responses,
adjust parameters, and carry momentum
between human interventions.
Oversight exists,
but the system does not wait.
Autonomy changes the math.
In traditional operations, operators
juggle multiple victims manually.
Attention fragments, errors creep
in, and infrastructure is reused
while patterns emerge.
Here, automation reduces friction.
It allows scale without human sloppiness.
As enterprises increasingly allow agents
and automation to call tools
and take action independently essentially,
what changes when that happens?
You lose the predictability.
So you’re no longer
able to reason about your infrastructure.
Prior to AI, we already were facing
an explosion of complexity.
If you look at typical cloud
environments,
there are so many technologies in there.
So we were scaling
and we were dealing with this complexity
and we developed tools and habits,
most importantly habits,
in order to operate
at a larger and larger scale.
And when I say we,
I just mean any technology executive.
Generally, we did an okay job
maintaining this kind of state of mind
that I can reason about my infrastructure
and non-deterministic behavior
at scale breaks it.
For victim organizations,
early indicators did not look cinematic.
There's no ransom note,
no defaced homepage, no sudden outage.
Instead, authentication attempts
that almost look legitimate,
internal accounts behaving slightly
outside normal cadence, scripts
executing that no one remembers
authoring or authorizing.
Normal operations continue.
Boards meet, markets
open, and developers push out code.
But somewhere inside the system,
iteration continues.
So essentially, if you start deploying
AI agents into production today,
at scale, it actually kind of
feels like your team of engineers
suddenly quadrupled
or got ten times bigger, like overnight.
That is effectively what is happening
when you're deploying even
a single non-deterministically
behaving microservice.
So now, like think about applying a policy
to a team of people.
The single agent
is not simulating a human.
It has a potential to do as much work
as a team of people can do.
So it could do things
much, much, much faster.
The deeper implication is not merely that
AI assists attackers.
That possibility has long
been anticipated.
The real threat is persuasion,
linguistic manipulation that mutates
a defensive tool into a semi autonomous
operative, and persuasion scales.
If one agentic system can be coaxed
into becoming a weapon
shaped by carefully crafted context,
what about the rest?
How many organizations have integrated AI
copilots into workflows without modeling
adversarial prompt manipulation
as a primary threat vector?
The boundary between AI tool
and AI threat actor
can be shattered with shocking speed.
Some have characterized this incident
as espionage, and there's little doubt
that agentic execution will become a tool
of nation state actors going forward.
From your perspective,
what does delegating execution
to agents
do to the economics of those operations,
and why does that change the volume
and persistence defenders should expect?
So if you're a high-target organization,
like for example, like a three letter
government agency,
you wouldn't even be in business
if you couldn't defend yourself
against a sustained, sophisticated attack,
attacks actually, by
state actors.
So for those organizations,
I would make a claim that the emergence of
AI doesn't move
the needle that much. Okay.
It will double, it will triple the volume.
But doubling and tripling is not scary.
It's really scary
when it goes exponentially.
Instead, what's going to happen
is that in most of the world,
the attackers historically didn't
care about much because ROI wasn't there.
Recruiting, retaining, developing,
and deploying
a team of hackers
onto a target is expensive.
So now that expense goes down
to, let's just say, zero.
Even a teenager, like a 13 year
old, can now be as dangerous
and as damaging as a cyber gang
from just like five years ago.
By the time detection mechanisms
begin correlating unusual command density
and behavioral anomalies, the campaign
has already demonstrated proof:
A machine can be socially engineered
– not exploited, convinced –
and once convinced, it moves at a tempo
no human adversary can match.
The acceleration is no longer theoretical.
It is now operational.
And now,
for this episode's quick question.
If agentic
AI can be socially engineered at scale,
where should CISOs focus first:
A) Hardening model guardrails
and prompt injection defenses;
B) Restricting AI systems’ access
to sensitive
credentials and infrastructure;
or C) Expanding
telemetry and behavioral monitoring around
AI workflows?
Drop your answer in the comments below.
And now back to the investigation.
Act three: The threshold.
It’s November 13th, 2025.
Anthropic steps into the light.
The announcement is
not a marketing update.
It reads like a warning.
The company discloses
it has disrupted what it calls the first
publicly known large scale AI orchestrated
cyberespionage campaign.
The threat cluster has a name: GTG-1002.
Accounts linked to the activity
are suspended, affected
organizations are notified,
and law enforcement is engaged.
For most of the world,
this is the first time AI orchestrated
espionage appears
in an official disclosure.
Inside security teams,
the reaction is quieter but heavier.
Marius, this case has a constraint.
The victims were never publicly named.
And as a security leader,
how do you act on credible
but incomplete warnings when the decisions
you make carry real costs?
We, as leaders,
don't really get certainty.
We always work with probabilities.
And you know, whether we’re
talking about risks, whether we are
presenting to the board, we never are,
you know, fully certain of the numbers.
It's a play in a story
and in a way we have to connect the dots.
And, you know, I've been talking a lot
about this in recent kind of leadership.
I think the biggest problems that we face,
especially when we are thrust
in that position,
you know, as leaders, is most of us
came from a fairly technical route.
And all of a sudden
you are facing the business and talking
about risks and potential threats
that we're going to face
in the near future.
This is not a zero day
patched and forgotten.
It's not ransomware infrastructure
seized in a coordinated takedown.
There is no public arrest,
no perp walk, no
cryptocurrency wallet seized on camera.
No flaw in code was exploited here.
The machine was persuaded
to turn against its purpose.
Its prime directive.
Anthropic details
how misuse detection systems identified
abnormal command density
and behavioral patterns inconsistent
with legitimate development activity.
Internal classifiers
flag coordinated automation
rather than organic coding sessions.
Telemetry – the system's own memory
of what it was asked to do –
becomes the evidence trail.
But telemetry is retrospective.
The harder question
hovers over every boardroom,
every security operation center:
What has already been taken?
And you need to translate that going
from vulnerabilities to misconfigurations
to actual business outcomes,
so that people can understand
where this investment is needed,
where are the biggest threats and how
we can prevent that from materializing.
You know, just to add what Ev talked
about previously, I worked in businesses
where we went so far as to talk about –
are we going to build a cyber defense?
And are we going to build it up
to a certain threat sophistication level?
Are we going to protect against script
kiddies?
Are we going to protect
against cybercrime?
We're not going to bother against
nation states
because we don't have infinite budget
to work up to that.
Public reporting
does not provide a full inventory.
Sensitive environments were targeted.
Some data was staged,
some information exfiltrated.
The full scope remains unknown.
Espionage rarely publishes receipts.
Attribution remains assessed
rather than judicially proven.
Analysts note hallmarks consistent
with state aligned Chinese operations.
But Chinese officials deny involvement.
Of course.
No indictment accompanies the disclosure.
In geopolitics,
ambiguity is often strategic.
Weeks after the announcement, security
leaders begin to recalibrate risk models.
Agentic systems that were once positioned
as pure productivity accelerators
now belong in a new threat model category.
It turns out that malicious context
is as dangerous as malicious code.
Marius, if you had 90 days
to reduce exposure to agentic campaigns,
what would you fix first
that actually moves risk not just posture?
We just move similar principles,
but to the new kind of world, I guess.
You know, we always had crown jewels
from sort of data points or from business
services.
We'll have the same thing from agents.
There will be agents
who have access to very important tools,
very important data and very important
processes within the business.
And we need to be able to map
and see what that is and how we can,
you know, reduce the risk by,
you know, removing those long lived
credentials and rotating credentials
based on short sessions.
Prompt injection now moves from academic
discussion to board level agenda item.
Regulators debate guardrails. Standards.
Can safeguards be hardened
against contextual manipulation?
Should high capability models require
additional monitoring thresholds?
Which logging practices are sufficient
to reconstruct
AI decision chains in future incidents?
Behind these debates,
a new anxiety begins to grow.
If persuasion can redirect one model,
it can redirect others,
and persuasion requires
no sophisticated infrastructure.
It only requires intent and language.
Can you describe what good looks like
in an organization that's actually ready
for autonomous systems
and autonomous abuse?
In an ideal world, you want to have
infrastructure that's completely clean.
There are no users, no human involvement,
no roles, no groups, no nothing.
But then humans are needed though,
when you need to make a change,
let's just say I need to deploy new code
or I don't know, just reconfigure
something – provision new infrastructure
like – a privileged operation.
So now you need to bring a human in.
But how can you do that?
Because there are no accounts,
no roles, no groups, no nothing.
Okay, so you begin by creating a digital
ticket like the artifact of work.
And all organizations
already have a ticketing system, right?
So, now we have a unit of work that has
a description of what needs to get done.
Within organizations
that have integrated AI assistance
deeply into their workflows,
a new category of risk begins to emerge.
Trusted automation: Systems
that once held repositories
and credentials and cloud access
in the name of efficiency must now
be treated as potential intermediaries.
The boundary between tool
and threat actor thins.
Now you start asking yourself who will be
involved in working on this ticket?
Well, let's pick Ev.
Ev is an engineer,
so we're going to assign Ev
to that ticket, which is also normal.
Everyone does that already.
So what we're basically doing –
you're taking my identity
and assigning it to that ticket.
So let's kind of bring
the cybersecurity jargon in this.
But I'm not going to do it by myself
manually.
I'm not going to physically walk
into a data center.
I'm going to use the internet
and I have a laptop for that. Okay.
So you need to add the identity
of a laptop to that ticket as well.
See, now you're basically saying that
to work on this ticket, an engineer
from this company needs to have
that particular laptop,
not just the company-issued laptop,
but that particular laptop –
we assigned that to that ticket.
And then, okay, I have me.
Like, me and my laptop.
Autonomy changes exposure.
Human adversaries can be profiled.
They make mistakes.
They sleep.
A recursive system does none of that.
But then what? I’m probably
going to use some kind of automation.
Maybe Jenkins or GitLab,
some kind of CI/CD pipeline system,
because that thing will be doing
deployments.
That thing needs access
and privileges and credentials.
So you assign the identity of your Jenkins
to that ticket, right?
Then you need to decide which environments
we're going to be deploying in.
And so you pick an identity
of that environment.
Identity of that...
I don't know, like the databases
that will be involved
and whatnot, and assign those to that as well.
Then you figure out what privileges do
we all need to complete this work?
And you're going to,
like salt
– like sprinkle privileges on top,
and then you hand it off
to your infrastructure.
It scales testing.
It iterates without ego.
It does not grow impatient.
It searches solution spaces
with mechanical persistence.
And infrastructure creates
all these privileges on the fly.
I come in as an engineer to do the
deployment or provisioning or whatever.
I don't need to log into anything because
in a trusted environment where there is
no anonymity, like all the systems
already know who I am.
I do the deployment
and then I close the ticket.
And guess what?
Everything gets wiped
and you go back to a clean state.
See, in this system,
the privileges are assigned to work.
This is how they become
mathematically on demand.
Credentials are not even in the picture.
So like it's all governed
using biometrics,
TPMs and HSMs which are, again –
it's technology we already have.
And it's not that difficult to leverage.
Now in a system
like this, bringing AI, it's a much,
much simpler proposition
and it just becomes yet another identity.
That's the ideal state that we're
advocating, that we're popularizing.
Obviously,
we're enabling it with our technology.
That is the future.
When weaponized by malicious actors,
it carries espionage into the very systems
the attackers intend to infiltrate,
harvesting secrets, mapping access,
pivoting unseen, and leaving
no obvious trace behind.
The GTG-1002 campaign does not end
with cinematic collapse.
There is no dramatic takedown.
Accounts are disabled.
The report is published.
The industry absorbs the shock,
but something irreversible has occurred.
Never before has a machine built
to serve us been persuaded to spy
for others, to map, extract and slip away
with the secrets we trusted it to guard.
Not as a novelty, as an operational model.
Somewhere, other threat actors
read the same disclosure, study
the same guardrails, map
the same behavioral thresholds.
Innovation in cybersecurity has always
mirrored innovation in intrusion.
The difference now is velocity.
The campaign closes officially with
suspension notices and advisory briefings.
Unofficially,
the threshold has been crossed.
The agentic machine has been persuaded
once.
The next time it will move faster.
And nothing, not logs,
not policies, not human
vigilance can slow it down.
Ev, it was great having you on the show.
It was a wonderful conversation.
Really enjoyed that.
Thanks for having me.
I enjoyed it as well. Great!
I hope to have you back again soon.
And Marius, likewise, it was fantastic
having you on the show.
Really enjoyed the conversation.
It was a pleasure.
Thank you for having me.
Even as the GTG-1002 campaign
concludes, its lessons are just beginning.
Organizations
trusted in AI built to assist,
optimize and safeguard –
that trust was weaponized.
What was once a tool became a conduit
for espionage, moving at a speed
no human operator could match.
CISOs now face a new world
where the attack surface
is not just software or code, but context,
words, framing and intent
that can be manipulated.
A single prompt can redirect a system
to collect secrets, map access, and pivot
through environments all without leaving
messy human fingerprints.
The threat is no longer theoretical.
It is operational now.
Inside SOCs, security teams
must reconcile two realities:
human vigilance and machine autonomy.
Analysts can monitor, review and respond,
but they are constrained
by a myriad of human weaknesses –
like fatigue, distraction
and our comparatively compact cognitive
limits. The agentic system does not pause,
it does not tire.
It iterates and advances relentlessly.
Boards and executive teams
must think differently about risk.
Today, exposure is no longer
a matter of patches or firewalls alone.
It is about governance, oversight,
and the subtle power of influence.
The ability for words and context
to persuade
a machine to act as an operative.
For defenders, the path forward
is not abandoning AI, it is understanding
it as a participant
in the security ecosystem,
modeling adversarial manipulation
and anticipating
the ways autonomy can be exploited.
The GTG-1002 campaign is not a revelation,
not a closed chapter.
It is a prophecy of a promised tomorrow.
A tomorrow where the machines and tools
we trust grow ever faster.
Machines that can be persuaded to turn
against us, bent to the will of the other.
For purposes not yet conceived.
And so we must remain forever vigilant
and always listening for The CISO Signal.
If you
enjoyed this episode, please like,
share and subscribe.
If you didn't, thanks for listening
this long.
We'll see you
on the next episode of The CISO Signal.
All episodes are based on publicly
available reports,
post-mortems, and expert analysis.
While we've done our best
to ensure accuracy, some cybersecurity
incidents evolve over time
and not all details have been confirmed.
Our goal is to inform and entertain,
not to assign blame
where facts are unclear.
We've used cautionary language
and we always welcome your corrections.
Thanks for listening to The CISO Signal.
