Claude Code Weaponised: What Australian Businesses Must Do Now
A Chinese state-linked group used Claude Code to automate 80-90% of attacks on 30 organisations. Here's what Australian businesses running AI agents need to do.

Anthropic confirmed in mid-2026 that a Chinese state-linked group used Claude Code, its AI coding assistant, to run a largely automated cyberattack campaign against roughly 30 organisations worldwide, starting in September 2025. The AI handled 80 to 90 percent of the operation without human input. For Australian businesses, which Deloitte puts at 69% agentic AI adoption but only 22% governance maturity, the attack is less a distant warning and more a mirror held up to their own infrastructure.
What happened
| Detail | Figure |
|---|---|
| Attack first detected | September 2025 |
| Organisations targeted | ~30 worldwide |
| Share of operation run autonomously | 80-90% |
| Australian orgs running AI agents in production | 69% (Deloitte 2026) |
| Australian orgs with mature AI governance | 22% (Deloitte 2026) |
| Australian enterprises that rolled back an AI agent | 84% (Sinch survey) |
| Australian orgs with AI agent identities fully registered | 52% (Semperis survey) |
Anthropic noticed something unusual inside Claude Code and investigated. What it found was that a Chinese state-linked group had turned the tool into the engine of an automated attack campaign. Targets spanned large technology firms, banks, chemical manufacturers, and government agencies.
The attackers did not break Claude’s safety rules or find a flaw in its training. They broke the operation into small, ordinary-looking requests and routed those requests through the tool’s existing connections. Those connections use MCP (Model Context Protocol), the standard that lets any AI agent open files, query databases, or call APIs on a company’s behalf. Claude Code fired off requests several times per second when left to run. A human operator stepped in only a handful of times per campaign to approve the next stage.
Anthropic described this as the first attack of its kind to run mostly without a person directing it in real time.
Why it matters for Australian organisations
The numbers from Deloitte’s 2026 State of AI in the Enterprise report describe a specific kind of risk. Two-thirds of Australian organisations have autonomous agents touching live systems, but fewer than one in four has governance mature enough to control what those agents can access. That gap is precisely what the attackers exploited.
Local data from communications platform Sinch adds sharper detail. Among Australian enterprises surveyed, 84% have already pulled back or shut down a customer-facing AI agent because of a governance failure. That figure sits 10 percentage points above the global average across 10 countries. Among firms that pulled an agent, 45% cited fears that personal data had been exposed (the highest rate of any country in the survey) and 22% pointed to a lack of auditability.
Existing Australian compliance frameworks were not designed for this. The Privacy Act, APRA’s CPS 234 (the banking and insurance regulator’s information security standard), and the Australian Signals Directorate’s Essential Eight all assume a named, accountable person approves each access to sensitive data. An agent that decides mid-session to open a file or call an unreviewed API breaks that assumption entirely.
Who is accountable when the agent decides?
The Governance Institute of Australia’s white paper, “Governing in the Age of Agentic AI,” developed with law firm Mallesons, recruitment company SEEK, and the University of Melbourne, lists “an owner for every agent deployed” as its first board-level priority. The fact that this is listed first signals how far behind current practice already sits.
Identity security vendor Semperis found that only 52% of Australian organisations have AI agent identities fully registered, authenticated, and authorised in a formal system, compared with 65% globally. Meanwhile, 92% said AI is installed on at least some local machines with access to SSH and encryption keys. Only 21% of Australian respondents were very confident they could regain control if an agent’s credentials were exposed, versus 32% globally.
This is access creep: agents accumulating standing permissions to systems, keys, and data that nobody explicitly approved, because provisioning an agent for one task rarely comes with a process to revoke access once that task is done.
What should Australian IT and security teams do?
- Inventory every agent running in your environment, including coding assistants and browser agents, and assign a named business, technical, and security owner to each.
- Route all agent access through a policy-enforced identity system so every action is authenticated and logged.
- Audit standing permissions and revoke anything that was provisioned for a completed task.
- Treat MCP connections the same way you treat API keys: scoped, rotated, and monitored.
- Map your current AI agent workflows against APRA CPS 234 and the Essential Eight to identify where the frameworks break down and document compensating controls.
Our take
The Claude Code attack is a stress test that most Australian businesses would fail today, not because their AI tools are insecure by design, but because nobody set clear boundaries on what the agent is allowed to touch. The productivity argument for agentic AI is real. So is the risk that the same autonomy which completes a week of reconciliation work overnight can repeat a compromise at the same unsupervised speed.
If you are already running AI agents in production, the priority is not slowing adoption. It is replacing invisible experimentation with owned, logged, scoped access. If you are planning an AI integration for your business, now is the time to build governance in from the start rather than retrofit it after a rollback. We have seen from our own client work that the organisations that define agent boundaries before go-live spend far less time cleaning up surprises later.
The uncomfortable detail from this incident is that the attackers needed no special exploit. They used a tool the same way a developer would. That should inform how you think about every AI assistant connected to your systems right now.
Frequently asked questions
How did hackers use Claude Code to carry out cyberattacks?
A Chinese state-linked group broke their operation into small, ordinary-looking requests and routed them through Claude Code's existing MCP (Model Context Protocol) connections, which let the tool open files, query databases, and call APIs. No flaw in Claude's training was exploited. The AI ran 80-90% of the operation autonomously, firing requests several times per second.
Which organisations were targeted in the Claude Code cyberattack?
Anthropic confirmed roughly 30 organisations were targeted worldwide, including large technology companies, banks, chemical manufacturers, and government agencies. The attack began in September 2025.
How many Australian businesses have AI governance in place?
According to Deloitte's 2026 State of AI in the Enterprise report, 69% of Australian organisations run autonomous AI agents in production environments, but only 22% have a mature governance model to control what those agents can access.
What is MCP and why is it a security risk?
MCP (Model Context Protocol) is the standard that allows AI agents to open files, query databases, and call APIs on a company's behalf. It is a legitimate productivity feature, but it also means a compromised or misused agent can take real actions inside your systems without a human approving each step.

