- Espionage isn’t one-size-fits-all. There are five (5) types, but don’t be surprised if you hear most people confuse corporate & industrial espionage.
- The key to uncovering cyber espionage isn’t alerts but visibility.
- Force insider spies out of the shadows: LastPass SaaS Monitoring + SaaS Protect lets you spot unauthorized logins & access.
- Get even more visibility with: (1) AI-powered UEBA analytics (2) AI-powered threat hunting (3) whole-person risk management (4) integration of UEBA, endpoint, & identity telemetry into your SIEM.
- Seven (7) powerful defenses can stop espionage cold. But ignore defense #7 and your business may not survive.
Whether you’re managing a household or running a business, have you ever wondered how closely guarded secrets often end up in the wrong hands?
Despite the firewalls, antivirus software, and maybe even a VPN?
The answer, it turns out, is far more alarming than most people realize.
The first AI-orchestrated cyber espionage campaign in the world happened in September 2025, when attackers used Claude Code to attack 30 organizations across the world, changing cyber defense forever.
What you’re about to discover isn’t a fleeting threat that’ll vanish with the next news cycle. Anthropic, the AI startup that created Claude, is already calling this attack an “inflection point in cybersecurity.”
With AI-driven threats moving at machine speed and scale, traditional signature-based detection is officially obsolete.
Cyber defense is now about AI versus AI. At the ISC2 Security Congress I attended in October, the verdict was clear: If attackers use AI, so must defenders.
But, first, let’s start with the basics.
What is cyber espionage and what are the types of cyber espionage?
Cyber espionage is the malicious theft of data or intellectual property that offers strategic economic, political, or military advantages.
But here’s what they don’t tell you in boardroom meetings.
Unlike cybercrime, which focuses on financial gains, cyber espionage isn’t about immediate disruption. It’s about covert theft of your intellectual property; it happens in the shadows and can last for years.
The attackers aren’t just interested in client lists.
They’re also after R&D roadmaps, intellectual property that represents years (or even decades) of investment, proprietary formulas, weapons defense systems, and secret projects.
Now, let’s talk about the five types of cyber espionage.
#1 State-sponsored cyber espionage
The Big Four nations are the most prominent actors behind state-sponsored cyber espionage and they have several things in common:
- Attacks often involve close collaboration between military actors and private sector organizations.
- The target is critical infrastructure of the U.S. and its allies.
- Sabotage and disruption are key goals.
- Asymmetric warfare is a favored tactic.
But what is asymmetric warfare?
Put simply, it’s conflict that extends beyond the battlefield with tactics that can neither be anticipated nor easily countered. They include:
- Spreading disinformation to intensify polarization and weaken morale
- Deploying psychological operations (psyops) to portray the weaker side as morally justified and therefore, more legitimate
- Working to promote human assets that can be blackmailed or manipulated into roles with more access and autonomy at target organizations
- Recruiting saboteurs with no formal training, like students or young hackers, to complicate attribution or hide evidence trails
- Hacking into election infrastructure and amplifying controversies to sow chaos
- Executing living off the land (LOL) attacks that don’t trigger security sensors
- Using social engineering to install malware in target enterprise systems
- Conducting large-scale ransomware attacks to maximize social disruption
- Disrupting critical services to undermine trust in public institutions
In asymmetric warfare, one side has far less military power and resources.
Instead of open combat - which they would lose - they opt for indirect attacks that create instability and erode the opponent’s advantage.
#2 Industrial cyber espionage
What if one of the most powerful tools for gaining an edge wasn’t innovation but theft?
That’s what two researchers discovered after comparing 189,725 Stasi informant reports with industrial economic data for East and West Germany (for the years 1969 to 1989).
East Germany’s spying activity was so effective it was able to reduce its total factor productivity (business efficiency) gap by 8.5 percentage points.
But industrial espionage is a double-edged sword.
While it drives short-term gains, it can’t replace the creative, original R&D that sustains long-term growth.
East Germany found that out the hard way. After the Cold War, its own R&D sector collapsed when grassroots action led to the dissolution of the Stasi in 1990.
With the fall of the Stasi, its espionage networks ceased to exist, and East German industries lost access to a steady stream of technology transfers.
Despite the risks, nation-states are doubling down today - with a twist. They’re recruiting insiders to harvest secrets: Up to 85% of industrial espionage cases now involve an insider.
MISSION2025 – linked to nation-state group APT41 – has targeted more than 40 industries worldwide, including manufacturing and telecom.
Its methods include:
- Sending spear phishing emails with malicious ZIP attachments containing LNK files that launch malware
- Exploiting SQL injection flaws in web applications
- Using DLL sideloading - a living-off-the-land (LOL) technique - to maintain persistence. Because the malicious DLL inherits the legitimacy of a host process, detection is harder.
These nation-state groups are embedding operatives with pristine LinkedIn profiles and flawless GitHub portfolios in target institutions.
Since 2020, nation-state actors like APT38 have funneled more than $1 billion in IT salaries to despotic regimes. The goal? To fund rogue nuclear and ballistic missile programs.
These operatives use synthetic identities, face swapping & voice cloning tech, and laptop farms to mask their true nationalities and locations.
What they’re doing is exploiting your “good faith” hiring decisions to exfiltrate engineering schematics and product blueprints. And the scary part? Hundreds of Fortune 500 firms and aerospace manufacturers have already onboarded at least one or more as remote talent.
But that’s only one front in a much larger war. Before we get into how AI is supercharging cyber defense, let’s talk about corporate espionage.
#3 Corporate cyber espionage
Wait: Isn’t industrial espionage the same as corporate espionage?
While the two terms are used interchangeably, the difference lies in intent and emphasis.
- Industrial espionage: The focus is stealing proprietary information to gain an economic advantage. It’s mainly perpetrated by state-backed actors targeting specific sectors - like biotech, aerospace, and semiconductors - to drive economic competitiveness and military dominance.
Industrial espionage example: In October 2025, APT group Lazarus targeted the EU’s defense sector. They deployed “Operation DreamJob” to send fake job offers to aerospace employees and trick them into opening a malicious file.
When the file was opened, a RAT (remote access trojan) called ScoringMathTea was installed. This RAT gave Lazarus full control over target devices, allowing them to exfiltrate information on Western-made UAV/drone systems currently used in the Russia-Ukraine war.
- Corporate espionage: The focus here isn’t just “industrial know-how,” but also merger & acquisition, marketing, pricing, and customer intel. The typical actors are rival corporations or insiders working on their behalf.
Corporate espionage example: In early 2025, Rippling and Deel (two competing HR tech firms) filed lawsuits accusing each other of corporate espionage. Rippling alleges that Deel cultivated an insider to funnel confidential business intelligence back to Deel. Meanwhile, Deel says a Rippling employee impersonated a Deel customer to access some of Deel's systems. As of this writing, the legal battle continues.
#4 Economic cyber espionage
Primarily, economic cyber espionage is aimed at weakening U.S. economic leadership.
A major focus is on acquiring proprietary tech – in generative AI, pharmaceutical & medical equipment manufacturing, mining, computer processing, satellite, and aviation systems.
This allows rogue nations to bypass expensive R&D investments and undercut American firms.
The Thousand Talents program, for instance, has turned engineers, scientists, and researchers inside U.S. firms into economic espionage recruits.
In 2019, the New York Times reported that 600 Thousand Talents operatives worked for U.S. firms.
And how aggressive have they been? In 2025, economic espionage campaigns have surged by 150%, with a 300% increase in attacks against the manufacturing and industrial sectors.
#5 Military cyber espionage
The next war may not start with missiles.
In 2025 and beyond, Big Four operatives are training their sights on classified defense tech, troop movements, and weapons systems, information that can shift the balance of power between nations.
There's a particular focus on military personnel and defense contractors – the engines driving American defense R&D – seeking both the tech itself and insights into U.S. military posture.
In November 2025, the U.K. Ministry of Defense warned that 80% of its “White Fleet” hybrid and electric cars – used for transporting troops, equipment, and supplies to war zones and military bases – have likely been compromised with surveillance devices.
As part of the security response, the MoD has urged all military personnel to refrain from connecting smartphones to “White Fleet” infotainment systems.
As seen above, cyber espionage is alive and well.
And yet, board directors often avoid the difficult conversations surrounding it. Why?
Because the truth is uncomfortable.
Disclosing the depth of the cyber espionage threat means admitting a business may be vulnerable to shadowy enemies with vast resources.
This could trigger legal and reputational landmines that destroy investor confidence.
The result? A dangerous silence that emboldens your adversaries and leaves your company exposed.
To protect your company, you need visibility.
How can cyber espionage be prevented?
Strong visibility can help your business spot and stop cyber espionage before damage occurs.
Here’s why visibility is critical: September 2025 changed everything.
That’s when state-sponsored hackers used AI not as an advisor, but as the weapon itself. According to Anthropic, the perpetrators, tracked as GTG-1002, used Claude’s agentic features (which allow it to act on a user’s behalf) to execute the attacks:
- GTG-1002 targeted 30 organizations in tech, chemical manufacturing, financial services, and government.
- Phase 1 campaign initialization: GTG-1002 operatives convinced Claude they were employees of cybersecurity firms interested in defensive testing. Phase 1 focused on social engineering of the AI.
- Phase 2 reconnaissance: The attackers used Claude to map attack surfaces, discover access controls, and identify vulnerabilities.
- Phase 3 exploitation: The attackers directed Claude to generate attack payloads based on discovered vulnerabilities.
- Phase 4 credential harvesting and lateral movement: Claude independently verified and harvested credentials linked to sensitive systems. Lateral movement followed via stolen credentials.
- Phase 5 data collection & extraction: Claude autonomously queried databases, extracted data, parsed results to identify proprietary data, and categorized findings by intelligence value.
- Phase 6 documentation & handoff: Claude automatically generated comprehensive attack documentation throughout. This facilitated seamless handoff between operators to resume persistent access.
Upon discovery of the attack, Anthropic banned all GTG-1002 associated accounts, notified all affected entities, and coordinated with law enforcement to gather actionable intelligence.
In all, Claude did 80-90% of the work for GTG-1002. It was able to make “thousands of requests per second,” a rate that’s simply impossible for humans to match.
That said, Claude wasn’t perfect: It did hallucinate info, but its eventual success raises a question, according to the New York Times: What happens when attackers successfully use open-source AI models that aren’t as closely monitored as Claude is?
Visibility – the ability to detect what’s happening in your environment in real-time – is your first, last, and most critical defense.
Here are seven ways that give you the visibility to survive.
Defense #1 Know what you’re protecting (because your attackers already do)
You can’t defend what you can’t see.
Before you go any further, ask yourself:
Where does your intellectual property live?
These are assets that offer strategic value, such as:
- Patents
- Pending patent applications
- R&D projects
- Source code
- Proprietary tech
- Manufacturing processes
Visibility starts with knowing what you’re looking at:
- First, identify your most critical intellectual property.
- Map where it lives on your network.
- Document who can access it.
Next, implement the means to get visibility:
- Uncover how access to IP (intellectual property) repositories happens - who’s accessing it, when they’re signing in, and how they’re signing in - with LastPass SaaS Monitoring + SaaS Protect. Try it free with a Business Max trial (no credit card required)
- Implement least privilege access with phishing-resistant FIDO2 MFA such as hardware security keys or passkeys*
*CISA has warned that Salt Typhoon infiltrated eight (8) U.S. telecoms from 2022 to 2024. Nation-state actors thrive on credential theft. Instead of relying on SMS-based MFA, get LastPass Business Max to secure your logins with advanced FIDO2 MFA options.
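The three inventory steps above (identify the critical IP, map where it lives, document who can access it) plus the least-privilege and MFA requirement can be turned into a repeatable access review. The script below is an added example, not LastPass product code and not from the article: it takes a constructed asset inventory and a constructed list of access grants, lists who can reach each critical asset, and flags the grants a reviewer should look at first (terminated or stale accounts, grants not protected by FIDO2, contractors holding admin). Asset names, user names, dates and the tier/MFA labels are all assumptions of the example.

```python
"""Access review for critical IP repositories.

Added example; not LastPass product code and not from the article. It takes
an asset inventory (where the IP lives) and a list of access grants (who can
reach it, with what MFA, and when they last used it) and reports what a
reviewer would want to see first. All names, dates and assets below are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory: the assets that carry strategic value and their tier.
ASSETS = {
    "git-core":  {"kind": "source code",   "tier": "critical"},
    "rnd-share": {"kind": "R&D projects",  "tier": "critical"},
    "wiki":      {"kind": "internal docs", "tier": "standard"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    asset: str
    role: str         # "read", "write" or "admin"
    employment: str   # "employee", "contractor" or "terminated"
    mfa: str          # "fido2", "totp", "sms" or "none"
    last_login: date

def review_access(grants, today, stale_days=90):
    """Return (access_map, findings) for critical-tier assets only.

    access_map: asset -> [(user, role), ...]   (the "document who can access it" step)
    findings:   [(user, asset, reason), ...]   (what needs a human decision)
    """
    access_map = {}
    findings = []
    for g in grants:
        asset = ASSETS.get(g.asset)
        if asset is None or asset["tier"] != "critical":
            continue
        access_map.setdefault(g.asset, []).append((g.user, g.role))
        if g.employment == "terminated":
            findings.append((g.user, g.asset, "account still has access after termination"))
        if g.mfa != "fido2":
            findings.append((g.user, g.asset, f"not protected by phishing-resistant MFA ({g.mfa})"))
        if today - g.last_login > timedelta(days=stale_days):
            findings.append((g.user, g.asset, f"no login in more than {stale_days} days"))
        if g.employment == "contractor" and g.role == "admin":
            findings.append((g.user, g.asset, "contractor holds admin role"))
    return access_map, findings

# Constructed access grants.
SAMPLE_GRANTS = [
    Grant("alice", "git-core",  "write", "employee",   "fido2", date(2025, 11, 10)),
    Grant("bob",   "rnd-share", "admin", "contractor", "totp",  date(2025, 11, 12)),
    Grant("carol", "git-core",  "read",  "terminated", "fido2", date(2025, 8, 1)),
    Grant("dave",  "wiki",      "admin", "employee",   "sms",   date(2025, 11, 1)),
]

if __name__ == "__main__":
    access_map, findings = review_access(SAMPLE_GRANTS, today=date(2025, 11, 15))
    for asset, who in access_map.items():
        print(f"{asset}: {who}")
    for user, asset, reason in findings:
        print(f"REVIEW {user}@{asset}: {reason}")
```

Run against the constructed grants, the review reports two people with access to git-core and one to rnd-share, and raises four findings: bob (TOTP rather than FIDO2, contractor with admin) and carol (terminated but still granted, no login in over 90 days). The standard-tier wiki grant is ignored, which is the point of starting from the critical-asset inventory rather than from every account in the directory.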
Defense #2 It’s when, not if: Hunt your shadows before they hunt you
It’s time to pivot from “Could they get in?” to “Where would they hide?”
Most cyber espionage activity is categorized as an advanced persistent threat (APT), where attackers establish a long-lived presence in your network.
So, they may already be inside.
Instead of trying to stop them, start trying to find them.
This means:
- Shifting from rule-based DLP to AI-powered UEBA (user and entity behavior analytics) to detect the rapid, subtle patterns associated with AI-powered intrusions. UEBA continuously tracks, learns, and adapts.
It can create behavioral baselines and instantly flag deviations, like an engineer logging in to a source code repository at 3 AM and performing multiple suspicious activities within a short time frame.
- Using tools like CrowdStrike's Threat AI Hunt Agent for proactive threat hunting. According to the 2025 CrowdStrike Threat Hunting report, 81% of intrusions in 2025 were malware-free, relying instead on credential theft and abuse of valid accounts.
With Hunt Agent, you get automated, continuous threat hunting, so your analysts get the visibility they need to respond smarter and faster. This combines AI speed and scale with human expertise to thwart cyber espionage.
- Reducing cross-domain visibility gaps by correlating telemetry from UEBA, endpoints, and identity systems (Active Directory, LastPass) into SIEMs to get unified visibility across cloud, network, and identity systems
- Integrating whole-person risk management into insider threat detection programs, which tracks non-technical indicators like erratic behavior, workplace conflicts, social media activity, legal issues, and financial stress indicators
See the new way forward? This hybrid model of integrating AI-powered threat detection with human expertise is going to be the one that effectively closes the gap for your business.
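To make the baseline-and-deviation idea concrete, here is an added example (not UEBA vendor code, not CrowdStrike's, and not from the article). It learns, per user, the hours at which logins normally occur and the busiest ten-minute window of repository activity ever observed, then scores new events against that baseline. Identity-provider login events and repository access events are correlated by user, which is the kind of cross-source join the SIEM bullet above describes. Every event is constructed, and the event field names and the "twice the busiest window" threshold are assumptions of the example.

```python
"""Behavioural baseline and deviation scoring over login and repository telemetry.

Added example; not UEBA vendor code, not CrowdStrike's, and not from the
article. Learn what is normal for each user from history, then flag an
off-hours login and a burst of repository actions, correlating
identity-provider ("idp") and repository ("repo") events by user.
All events below are constructed; the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # burst window

def event(ts, source, user, action, target):
    return {"ts": ts, "source": source, "user": user, "action": action, "target": target}

def max_actions_in_window(events, window=WINDOW):
    """Largest number of events falling inside any sliding window (sorted sweep)."""
    times = sorted(e["ts"] for e in events)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def build_baseline(history):
    """Per user: hours of day at which logins are normally seen, and the
    busiest repository activity observed in any window."""
    hours, peak = defaultdict(set), defaultdict(int)
    for user in {e["user"] for e in history}:
        mine = [e for e in history if e["user"] == user]
        for e in mine:
            if e["source"] == "idp" and e["action"] == "login":
                hours[user].add(e["ts"].hour)
        peak[user] = max_actions_in_window([e for e in mine if e["source"] == "repo"])
    return {"hours": hours, "peak": peak}

def detect(events, baseline):
    """Return alerts: off-hours logins and repository bursts well above baseline."""
    alerts = []
    for e in events:
        if (e["source"] == "idp" and e["action"] == "login"
                and e["ts"].hour not in baseline["hours"].get(e["user"], set())):
            alerts.append(("off_hours_login", e["user"], e["ts"].isoformat()))
    for user in sorted({e["user"] for e in events}):
        repo = [e for e in events if e["user"] == user and e["source"] == "repo"]
        n = max_actions_in_window(repo)
        # Alert when activity exceeds twice the busiest window ever seen for this user.
        if n > 2 * max(baseline["peak"].get(user, 0), 1):
            alerts.append(("repo_burst", user, n))
    return alerts

# Constructed history: ten days of ordinary behaviour for "eng1".
HISTORY = []
for day in range(10):
    d = datetime(2025, 11, 3) + timedelta(days=day)
    HISTORY += [
        event(d.replace(hour=9),            "idp",  "eng1", "login", "sso"),
        event(d.replace(hour=10),           "repo", "eng1", "clone", "git-core"),
        event(d.replace(hour=10, minute=5), "repo", "eng1", "clone", "git-core"),
        event(d.replace(hour=15),           "repo", "eng1", "push",  "git-core"),
    ]

# Constructed recent activity: a 3 AM login followed by six clones in five minutes.
NIGHT = datetime(2025, 11, 17, 3, 0)
RECENT = [event(NIGHT, "idp", "eng1", "login", "sso")] + [
    event(NIGHT + timedelta(minutes=5 + i), "repo", "eng1", "clone", f"repo-{i}")
    for i in range(6)
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for alert in detect(RECENT, baseline):
        print(alert)
```

Replaying the history against its own baseline produces no alerts; the constructed night-time sequence produces two (an off-hours login and a repository burst of six actions against a learned peak of two). A production UEBA would use many more features and a statistical model rather than a fixed multiplier, but the shape is the same: the alert comes from deviation against the user's own history, not from a static rule.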
Defense #3 Segment your network like your business depends on it (because it does)
Many business networks are like an open floor plan.
Once attackers are in, they can go anywhere.
In the GTG-1002 campaign, AI autonomously performed lateral movement and privilege escalation after initial access.
Don’t make it easy for attackers. Implement micro-segmentation to:
- Enforce visibility and control over ingress traffic by defining which external sources can talk to your systems
- Restrict egress traffic to prevent workloads from sending data to unauthorized destinations – critical for stopping data exfiltration
If an attacker compromises one part of your network, they shouldn’t have access to everything else.
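A segmentation policy is only useful if you can check observed traffic against it. The following is an added example (not a vendor tool and not from the article) of that check: workloads are grouped into segments by address range, the policy states per segment which peers may reach it (ingress) and which peers it may reach (egress) on which ports, and flow records that match no rule are reported. The segments, flow records and policy layout are constructed assumptions of the example.

```python
"""Micro-segmentation policy check over flow records.

Added example; not a vendor tool and not from the article. Segments, policy
layout and flow records are constructed (private and documentation address
ranges only). Flows outside the policy are reported with the reason.
"""
import ipaddress

# Constructed segments.
SEGMENTS = {
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),
    "app-tier":   ipaddress.ip_network("10.20.0.0/24"),
    "db-tier":    ipaddress.ip_network("10.30.0.0/24"),
    "ip-repos":   ipaddress.ip_network("10.40.0.0/24"),
}

# Policy: segment -> {"ingress": {peer: ports}, "egress": {peer: ports}}.
# Anything not listed is denied; "internet" is any address outside SEGMENTS.
POLICY = {
    "corp-users": {"ingress": {},
                   "egress": {"app-tier": {443}, "ip-repos": {22, 443}, "internet": {443}}},
    "app-tier":   {"ingress": {"corp-users": {443}},
                   "egress": {"db-tier": {5432}}},
    "db-tier":    {"ingress": {"app-tier": {5432}},
                   "egress": {}},
    "ip-repos":   {"ingress": {"corp-users": {22, 443}},
                   "egress": {}},
}

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

def allowed(rules, peer, port):
    return port in rules.get(peer, set())

def check_flow(src, dst, dport):
    """Return None when the flow is permitted, otherwise the reason(s) it is not."""
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return None   # intra-segment traffic is outside this check's scope
    reasons = []
    if s != "internet" and not allowed(POLICY[s]["egress"], d, dport):
        reasons.append(f"egress {s}->{d}:{dport} not allowed")
    if d != "internet" and not allowed(POLICY[d]["ingress"], s, dport):
        reasons.append(f"ingress {s}->{d}:{dport} not allowed")
    return "; ".join(reasons) or None

def audit(flows):
    """Return the flows that violate the policy, with the reason."""
    violations = []
    for src, dst, dport in flows:
        reason = check_flow(src, dst, dport)
        if reason:
            violations.append((src, dst, dport, reason))
    return violations

# Constructed flow records (src, dst, dst port), as a flow log would give them.
FLOWS = [
    ("10.10.5.7",    "10.20.0.4",     443),   # user -> app: expected
    ("10.20.0.4",    "10.30.0.9",     5432),  # app -> db: expected
    ("10.20.0.4",    "10.40.0.3",     22),    # app -> IP repo: sideways into the crown jewels
    ("10.30.0.9",    "203.0.113.50",  443),   # db -> outside: data leaving the database tier
    ("203.0.113.50", "10.30.0.9",     5432),  # outside -> db directly
    ("10.10.5.7",    "198.51.100.20", 443),   # user browsing: expected
]

if __name__ == "__main__":
    for src, dst, dport, reason in audit(FLOWS):
        print(f"{src} -> {dst}:{dport}: {reason}")
```

Of the six constructed flows, three are reported: the application tier reaching the IP repositories (both the egress and the ingress rule are violated), the database tier sending traffic outside (the egress restriction that matters for exfiltration), and an outside address connecting straight to the database. The two expected paths and ordinary user browsing pass. The same policy table can drive the actual enforcement point (firewall, security groups, or a service mesh); this script is the audit side that tells you whether reality matches it.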
Defense #4 Protect them: Your employees are either your first line of defense (or your weakest link)
Your biggest vulnerability isn’t your firewall.
It's the employee who, out of curiosity, clicks every link they see in their email.
Or the contractor who left three months ago but still has VPN access.
Remember, nation-state hackers are studying your employees. To protect your team, implement:
- Security awareness training that doesn’t put people to sleep
- Cyber risk training for high-value targets and board of directors
- Tools like RanSim to identify workstations vulnerable to ransomware or crypto miners
- Pre-hire and post-hire protection measures and thorough verification checks to scope out state-backed operatives
- Clear reporting procedures for suspicious activity
- A culture where security is everyone’s responsibility, not just IT’s.
Remember: Visibility includes human eyes capturing what security tools miss.
Defense #5 Use cyber threat intelligence to catch inside jobs
Here’s something that may shock you.
Worldwide, we spend a lot on next-gen firewalls, intrusion detection systems, XDRs, and SIEMs. In 2025 alone, businesses shelled out $212 billion for these tools.
That’s a 15% increase from 2024’s $183.9 billion (about $570 per person in the US).
But we’re still buried in logs, overwhelmed by a daily avalanche of false positives, and getting breached.
This is where cyber threat intelligence comes in.
Cyber threat intelligence helps you anticipate, detect, and respond to threats.
There’s, however, a difference between data and intelligence.
Data tells you someone is trying to get in.
Intelligence tells you who it is, what they can do, who they’re targeting, and what they want.
There are five (5) types of threat intelligence that are relevant to your business:
#1: Human intel (HUMINT): This is what you find out by talking to or watching your employees. For your business, it means watching for insider threats and identifying who might be a target.
#2: Signals intel (SIGINT): This is interception of electronic signals and communications. For your business, it means detecting unauthorized surveillance and protecting sensitive communications.
#3: Open-source intel (OSINT): This is public data you can pull from social media, job listings, forums, and news sites. For your business, it means checking for external threats and getting early warning signs of an attack.
#4: Imagery intel (IMINT): Pictures tell stories. For your business, drone or satellite imagery can be used to monitor sensitive installations, warehouses, and employee activity.
#5: Cyber intel (CYBINT): This is intelligence you get from monitoring network traffic, threat feeds, malware repositories, the Dark Web, honeypots, and leaked datasets. For your business, it means knowing how to spot patterns and correlate attacker behavior with geopolitical events.
For example, an attack on a defense contractor in a region experiencing diplomatic tensions could affect your compliance obligations and supply chain decisions.
Now, we arrive at the question that terrifies every security professional.
Do attackers use cyber threat intelligence?
If you have intelligence, do attackers have the same?
The answer is yes.
And it’s far worse than you imagine.
Remember: The GTG-1002 attackers directed Claude to autonomously perform up to 90% of attack operations, including reconnaissance, vulnerability discovery, credential harvesting, lateral movement, and data exfiltration.
So, here’s a question: If your adversaries are using AI-powered threat intelligence to attack you at machine speed, are you still defending yourself at human speed?
You need to know:
- Who’s targeting your industry
- What techniques they’re using
- What vulnerabilities they’re exploiting
- What indicators of compromise to watch for
Threat intelligence uncovers hidden threats, so your security team can make informed decisions and prepare for unforeseen attacks.
Defense #6 Craft an incident response plan (that actually works when everything’s on fire)
When you’re under attack, does your team know:
- Who to call?
- What systems to shut down?
- How to preserve evidence?
- Who handles the press?
- Who talks to customers?
You need:
#1 A documented incident response plan with:
- Clear roles and responsibilities
- Communication templates
- Contact lists (internal teams, legal counsel, law enforcement)
- Evidence preservation procedures
- Detection & analysis process checklist
- Containment, eradication, and recovery checklist
- Post-incident activity checklist
#2 Regular tabletop exercises involving key C-suite, board representatives, and department heads
- Testing your incident response plan is critical. Simulate a breach and walk through your response. Visibility means having clear response options when seconds count.
Defense #7 Prioritize the one thing most businesses ignore: third-party risk management
How secure are your vendor and supply chain partner platforms?
Every third party with access to your network is a potential entry point.
According to CISA’s SCRM (Supply Chain Risk Management) Essentials guide, third-party risk management boils down to three (3) imperatives:
- Knowing who’s in your supply chain
- Knowing what security practices they use
- Knowing when things change
CISA breaks it down into six (6) essential steps:
- Step 1 Identify the people: Build a cross-functional team and ensure personnel at all levels are trained in the security procedures of their role.
- Step 2 Manage security & compliance: Document a set of policies and procedures that address security, integrity, resilience and quality. Base them on NIST standards.
- Step 3 Assess the components: Create an inventory of every hardware, software, or service you procure. Know which systems are critical and which have remote access that needs protection against unauthorized access.
- Step 4 Know your supply chain & suppliers: Identify your upstream suppliers and their sources. Require SBOM (software bill of materials) compliance to gain visibility into the components they use. This helps reduce the likelihood of threat actors exploiting vulnerabilities to plant backdoors or introduce compromised libraries.
- Step 5 Verify third-party assurance: Verify that suppliers maintain an adequate security culture and an active SCRM (supply chain risk management) program to address concerns relevant to your business.
- Step 6 Evaluate: This is where you determine how effective your SCRM program is, whether suppliers are still meeting their security commitments, and how quickly backup suppliers can deliver in the face of an attack. This is also where you review lessons learned from incidents or near misses and revise policies based on emerging threats.
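Step 4's SBOM requirement only gives you visibility if someone actually reads the SBOM. The following is an added example, not CISA's text, not a real SBOM tool, and not from the article: it parses a minimal CycloneDX-style JSON document and reports what a supply-chain reviewer wants flagged before accepting a delivery (components with no integrity hash, unpinned versions, components outside the approved package ecosystems, and matches against an internal advisory list). The SBOM contents, the hash values, the advisory entries and the approved-ecosystem set are constructed placeholders.

```python
"""Review a supplier-provided SBOM before accepting the delivery.

Added example; not CISA's text, not a real SBOM tool, and not from the
article. Parses a minimal CycloneDX-style JSON document and reports
components that need a reviewer's attention. The SBOM, the advisory
entries and the approved-ecosystem set are constructed placeholders.
"""
import json
import re

APPROVED_TYPES = {"npm", "pypi", "maven"}          # purl types we accept
PINNED = re.compile(r"^\d+(\.\d+)+$")               # e.g. 1.2.3, not "latest" or "^1.2"
# Constructed internal advisory list: (purl type, name) -> {version: advisory id}
ADVISORIES = {("npm", "left-pad"): {"1.3.0": "ADV-PLACEHOLDER-001"}}

def parse_purl(purl):
    """Split a package URL into (type, name, version); an optional namespace is skipped."""
    m = re.match(r"^pkg:([^/]+)/(?:[^/@?]+/)?([^@?/]+)(?:@([^?]*))?", purl or "")
    return (m.group(1), m.group(2), m.group(3)) if m else (None, None, None)

def review_component(c):
    findings = []
    ptype, pname, _ = parse_purl(c.get("purl"))
    version = c.get("version", "")
    if not c.get("hashes"):
        findings.append("no integrity hash; the artifact cannot be tied to this SBOM entry")
    if not PINNED.match(version):
        findings.append(f"unpinned version {version!r}")
    if ptype not in APPROVED_TYPES:
        findings.append(f"source {ptype!r} is not an approved package ecosystem")
    advisory = ADVISORIES.get((ptype, pname), {}).get(version)
    if advisory:
        findings.append(f"matches internal advisory {advisory}")
    return findings

def review_sbom(text):
    """Return {component name: [findings]} for components needing attention."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unexpected SBOM format")
    result = {}
    for c in bom.get("components", []):
        findings = review_component(c)
        if findings:
            result[c["name"]] = findings
    return result

# Constructed SBOM (hash values are placeholders, not real digests).
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3",
         "hashes": [{"alg": "SHA-256", "content": "1" * 64}]},
        {"type": "application", "name": "vendor-agent", "version": "latest",
         "purl": "pkg:generic/vendor-agent@latest?download_url=https://example.invalid/agent.tgz"},
    ],
}
SBOM_JSON = json.dumps(SBOM)

if __name__ == "__main__":
    for name, findings in review_sbom(SBOM_JSON).items():
        for f in findings:
            print(f"{name}: {f}")
```

On the constructed document, requests passes, left-pad is flagged only because its exact version is on the (placeholder) internal advisory list, and vendor-agent collects three findings: no hash, a floating "latest" version, and a generic download URL instead of an approved package ecosystem. That last pattern is exactly where a compromised library or a backdoored build would hide, because nothing in the SBOM lets you confirm what was actually shipped.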
Remember, visibility means watching and securing every door.
The first order of things? Get visibility at the front door by protecting your SaaS and business logins with SaaS Monitoring + SaaS Protect.
Sources
Anthropic article: Disrupting the first reported AI-orchestrated cyber espionage campaign
Anthropic whitepaper: Disrupting the first reported AI-orchestrated cyber espionage campaign
The New York Times: A.I agents usher in a new era of cyber espionage
AI agent does the hacking: First documented AI-orchestrated cyber espionage
From espionage to cyber espionage
The Defense Counterintelligence and Security Agency (DCSA): Cyber espionage
CISA: Countering PRC state sponsored actors’ compromise of networks worldwide
Board members struggling to understand cyber risks
Tech Target: Asymmetric cyber attacks
What is the hybrid resilience initiative?
CSIS: Significant cyber incidents
ISA Global Cybersecurity Alliance: Defending against state-sponsored cyber attacks
CISA and NSA: Cloud security best practices
Mayer Brown: 2025 cyber incident trends and what your business needs to know
AI-powered cybersecurity: New tools combat evolving threats in real time