Customer story

Aerospace & aviation communications · Global · Anonymized

Early warning on initial access broker claims against aviation messaging systems

Unit6 spotted a broker selling access to an aviation messaging platform before abuse began. Accounts and endpoints were hardened and a rapid-response plan put in place.

MITRE ATT&CK: T1078 (Valid Accounts) · T1586 (Compromise Accounts) · T1190 (Exploit Public-Facing Application)

The situation

A major aerospace vendor relies on a messaging and tracking platform connecting flight crews and operations. Unit6 identified a Chinese-linked initial access broker publicly claiming access to this environment.

What Unit6 detected

  • A broker with an established track record advertising access to the flight messaging and tracking platform.
  • References indicating the access was obtained through compromised credentials or exposed, internet-reachable services.
  • Signals that the broker was positioning the access for resale to other actors.

Why it mattered

A buyer of this access could use it for:
  • Intercepting, altering, or delaying sensitive operational messages.
  • Using the platform as a foothold into broader aviation or enterprise networks.
  • Staging disruptive or safety-impacting operations or long-term intelligence collection.

What Unit6 did

Validated and narrowed likely access paths

  • Cross-referenced broker claims with known endpoints, identity stores, and integration paths.
  • Identified high-value user groups and integration accounts that could be targeted.

Locked down potentially compromised credentials

  • Triggered password resets and MFA enforcement on accounts linked to the platform.
  • Reviewed and tightened service account usage and cross-system tokens.

Increased visibility on the platform

  • Enhanced logging around login events, message operations, configuration changes, and data export.
  • Implemented rules to flag unusual bulk access or atypical usage patterns.
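The two rules described above, a per-account baseline for atypical usage and a sliding-window count for bulk access, can be written as a small detector over audit events. The block below is an added example, not Unit6's or the customer's code; the log fields (ts, user, action, src_country), the action names and the thresholds are assumptions chosen for illustration, and the sample events are constructed, not real data.

```python
"""Flagging bulk access and atypical usage in a messaging platform's audit log.

Added example (not Unit6's or the customer's code). It assumes a simplified
audit log: one dict per event with fields "ts" (ISO 8601 with UTC offset),
"user", "action" and "src_country". Field names, action names and thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BULK_WINDOW = timedelta(minutes=10)   # sliding window for the bulk-access rule (assumed)
BULK_THRESHOLD = 50                   # message operations per user per window (assumed)
MESSAGE_ACTIONS = {"message.read", "message.export"}
SENSITIVE_ACTIONS = {"login", "message.export", "config.change"}


def parse_ts(s):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_baseline(events):
    """Map each user to the set of source countries seen during a trusted period."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "login":
            seen[e["user"]].add(e["src_country"])
    return seen


def detect(events, baseline):
    """Return alerts for (1) logins or sensitive actions from a country the
    account has never used and (2) bulk message access inside BULK_WINDOW."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of recent message operations
    bulk_flagged = set()          # alert once per user, not once per event
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts, user, action = parse_ts(e["ts"]), e["user"], e["action"]
        # Rule 1: an account absent from the baseline, or acting from a new
        # country, is what resold broker credentials typically look like.
        if action in SENSITIVE_ACTIONS and e["src_country"] not in baseline.get(user, set()):
            alerts.append({"rule": "unusual_geo", "user": user, "ts": e["ts"],
                           "detail": f"{action} from {e['src_country']}"})
        # Rule 2: sliding-window count of message reads/exports per account.
        if action in MESSAGE_ACTIONS:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > BULK_WINDOW:   # drop entries older than the window
                q.popleft()
            if len(q) >= BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append({"rule": "bulk_message_access", "user": user,
                               "ts": e["ts"], "detail": len(q)})
    return alerts


def sample_events():
    """Constructed baseline and live events (not real data)."""
    base = datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc)

    def t(secs):
        return (base + timedelta(seconds=secs)).isoformat()

    baseline = [
        {"ts": t(-86400), "user": "alice", "action": "login", "src_country": "DE"},
        {"ts": t(-86400), "user": "alice", "action": "login", "src_country": "US"},
        {"ts": t(-86400), "user": "svc-ops-integration", "action": "login", "src_country": "DE"},
    ]
    live = [{"ts": t(0), "user": "alice", "action": "login", "src_country": "DE"}]
    # 60 message reads in five minutes: far above normal crew usage
    live += [{"ts": t(60 + 5 * i), "user": "alice", "action": "message.read",
              "src_country": "DE"} for i in range(60)]
    # an integration account exporting data from a country it has never used
    live.append({"ts": t(600), "user": "svc-ops-integration",
                 "action": "message.export", "src_country": "CN"})
    # an account with no baseline at all (e.g. newly created) logging in
    live.append({"ts": t(720), "user": "bob", "action": "login", "src_country": "FR"})
    return baseline, live


if __name__ == "__main__":
    bl, ev = sample_events()
    for a in detect(ev, build_baseline(bl)):
        print(a)
```

Accounts with no baseline at all are deliberately flagged: a freshly created or dormant account that starts logging in is as interesting as a known account appearing from a new country. In production the baseline would be rebuilt from a trusted window of real logs and the thresholds tuned per user group (crew versus integration accounts).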

Planned for incident response

  • Established a rapid containment playbook to execute if active misuse emerged.
  • Integrated broker and actor infrastructure indicators into SOC tooling.

Outcome

  • Early warning of an emerging access sale before broader abuse.
  • Key accounts and endpoints hardened, reducing the value of advertised access.
  • Leadership briefed stakeholders with concrete intelligence instead of speculation.

Unit6 edge

  • Deep visibility into initial access broker ecosystems beyond generic threat feeds.
  • Ability to connect a single access claim to specific systems, identities, and operational risks.
  • Repeatable playbook turning IAB intelligence into pre-emptive defenses.
