Report: AI Now Running Live Cyberattacks

0
Artificial intelligence (AI)
Artificial intelligence (AI)

A new Check Point Research report says artificial intelligence has moved from assisting hackers to running cyberattacks directly, citing a breach that exposed 400 million Mexican government records.

The Annual AI Security Report 2026 traces the shift to a campaign uncovered after researchers recovered material from an attacker’s own servers. Between late December 2025 and mid February 2026, a single operator breached nine Mexican government agencies, reaching tax records, civil registry data, vehicle records, patient files and electoral data. According to the report, the attacker typed just 1,088 instructions but generated 5,317 AI executed commands across 34 sessions, running two commercial AI tools in parallel, one handling live network exploitation and the other analysing stolen data and assigning follow on tasks. Researchers noted the exploitation tool initially declined to assist with the attack, and that the operator got around this by placing instructions inside a configuration file the tool reads automatically at the start of every session, a workaround that let the bypass persist without needing to be repeated.

Check Point ties the Mexico case to a wider pattern rather than an isolated incident. It points to a campaign Anthropic itself disclosed in November 2025, tracked as GTG-1002, in which a Chinese linked espionage operation is reported to have had an AI coding tool carry out an estimated 80 to 90 percent of the tactical work, including reconnaissance and lateral movement, across roughly 30 targets. The report also cites a case in which a single developer used an AI environment to produce an 88,000 line command and control framework in under a week, evidence that sophisticated attack tooling no longer requires a large technical team.

The speed of the shift has already forced regulatory responses. The report says AI can now turn a freshly disclosed vulnerability into a working exploit within hours rather than days, prompting the United States’ CISA to require agencies to fix the highest risk vulnerabilities within three days and India’s CERT-In to recommend a 12 hour window for critical, internet facing systems. Check Point’s own researchers disclosed two vulnerabilities in how AI coding tools handle project configuration files, since patched, and noted several other coding assistants share the same underlying design.

Beyond live intrusions, the report flags AI as a growing target and a growing liability inside ordinary business use. Detections of long, malicious prompt injection payloads rose roughly fivefold between March and May, approaching one percent of all observed prompts by May. Trained reviewers correctly identified only about 41 percent of AI generated faces, a gap Check Point says makes visual identity checks unreliable on their own. High risk enterprise AI prompts doubled over the year, from one in every 50 interactions to one in every 25, with the Business Services sector worst affected at close to one in 14 by May. Most of that exposure, the report stresses, comes not from attacks but from employees using approved AI tools and sharing more information than they realise to get a useful answer.

For African organisations, Check Point’s Shayimamba Conco said the shift raises the stakes on ransomware, business email compromise and banking fraud alike. “AI is making cyberattacks faster, more convincing, and harder to detect,” he said, urging businesses to adopt Zero Trust principles, strengthen identity verification and treat cyber resilience as a core business priority rather than a purely technical one. Check Point frames its own response around three pillars, securing the AI systems organisations now depend on, matching attackers’ speed with AI powered defence, and governing how staff use AI tools day to day.

Send your news stories to [email protected] Follow News Ghana on Google News

LEAVE A REPLY

Please enter your comment!
Please enter your name here