Customer story

Enterprise software / communications | Global | Anonymized

Dual nation-state intrusion into a critical file transfer system — detected before impact

Two unrelated nation-state actors exploited the same secure file transfer stack simultaneously. Unit6 surfaced both compromises and stopped large-scale exfiltration before internal teams saw anomalies.

MITRE ATT&CK: T1190, T1041, T1078, T1210

The situation

A global technology provider ran an on-premises secure file transfer solution for internal and customer delivery. Active exploitation in the wild made the stack a high-value target. Unit6 confirmed two unrelated nation-state clusters — one Chinese-aligned, one Russian-aligned — had already penetrated the SFT infrastructure.

What Unit6 detected

  • Concurrent intrusions from two distinct state-backed clusters against the same SFT environment.
  • Successful exploitation of an identical (or near-identical) secure file transfer vulnerability chain.
  • Stage 3 compromise with active multi-gigabyte exfiltration flowing from the SFT nodes.
  • Evidence of access beyond the SFT environment, indicating internal movement was underway.
  • Both actors had identified the same exposed weakness, gained privileged access, and begun siphoning intellectual property while expanding into adjacent systems.

Why it mattered

  • Massive loss of proprietary information and strategic communications.
  • Covert, privileged visibility into internal systems with minimal logging noise.
  • Potential for persistent backdoors that survive containment.
  • Exposure of customer data, supply-chain relationships, and product IP.

What Unit6 did

Contained and isolated SFT infrastructure

  • Immediately shut down and isolated compromised secure file transfer nodes.
  • Revoked all credentials, tokens, and secrets tied to SFT access.

Separated the two nation-state footprints

  • Attributed activity to Chinese- versus Russian-aligned clusters.
  • Segregated indicators, timelines, and operational behavior for each actor.

Hardened against the exploited chain

  • Guided emergency patching and compensating controls for the vulnerable SFT path.
  • Rapidly uplifted authentication and network segmentation around the service.

Enabled forensic clarity and legal readiness

  • Mapped what data had been accessed or exfiltrated and tracked internal movement paths.
  • Calibrated legal, regulatory, and customer-impact escalations with leadership.

Outcome

  • Both ongoing exfiltration operations were interrupted mid-stream.
  • Leadership gained visibility into two separate espionage campaigns they would not have seen internally.
  • Strategic customer and product data were protected from further leakage.

Unit6 edge

  • Detection of parallel nation-state intrusions before internal logs registered anomalies.
  • Multi-actor correlation that revealed two campaigns instead of a single intrusion.
  • Executive-ready intelligence that transformed a catastrophic scenario into a contained incident.
