Customer story

Specialty chemicals / industrial manufacturingNorth America & EuropeAnonymized

Stopping a nation-state from reaching industrial OT via a SaaS monitoring platform

An East Asia-aligned actor used stolen credentials to access an OT monitoring SaaS. Unit6 cut the access path and rebuilt controls before the adversary could reach production lines.

MITRE T1555MITRE T1078MITRE T1595
Book a demoExplore the platform

The situation

A global manufacturer depended on an externally accessible SaaS platform to monitor OT assets across plants. Unit6 telemetry showed a nation-state actor logging into that platform with valid credentials.

What Unit6 detected

  • Valid username/password for an OT monitoring SaaS account belonging to the client.
  • Proof of attempted and successful logins into the platform from actor infrastructure.
  • Reconnaissance and scanning behavior against OT assets consistent with credential abuse.
  • Discovery came from external threat infrastructure and stealer data—not internal logs.

Why it mattered

  • Detailed reconnaissance of OT assets and configurations could precede sabotage.
  • Manipulation of process parameters through the SaaS control surface.
  • Using the SaaS environment as a bridge into internal IT networks.
  • Operational disruption or espionage without early internal warning.

What Unit6 did

Validated and neutralized access

  • Shared proof of credential validity and observed logins with OT and security teams.
  • Guided immediate credential revocation and session invalidation.

Hardened OT-adjacent SaaS access

  • Rolled out MFA for OT SaaS accounts and tightened role-based access.
  • Added IP restrictions to shrink exposure windows for operators.

Expanded OT and IT threat hunting

  • Reviewed OT network traffic and SaaS audit logs for lateral movement or tampering.
  • Checked for configuration changes and exfiltration attempts tied to the compromised account.

Outcome

  • Compromised access revoked before deeper pivot or disruption.
  • OT SaaS access model rebuilt with MFA, least privilege, and monitoring.
  • Board received a clear demonstration that Unit6 surfaces OT risks before plant impact.

Unit6 edge

  • External, actor-centric visibility into nation-state behavior targeting industrial SaaS.
  • Cross-source correlation of stealer data, credential listings, and sensor telemetry to confirm real access.
  • Translation of technical findings into operational OT risk for both engineers and executives.

Browse other stories

See more anonymized wins

Back to all stories
Healthcare / hospital systemNorth America

Preventing ransomware by catching an MFA bypass against a healthcare claims portal

A ransomware-linked actor marketed access to a children’s hospital claims portal, including the MFA secret. Unit6 shut down the identity and drove phishing-resistant controls before patient data was touched.

Outsourcing / workforce management / BPOEMEA

Exposing a multi-actor campaign against HR, payroll, and internal portals

Multiple actor clusters targeted an outsourcing firm’s kiosk, HR, and payroll surfaces simultaneously. Unit6 treated it as one campaign, closing credential abuse and hardening exposed services quickly.

IT services / systems integratorMiddle East

Catching a helpdesk brute-force compromise before it became a company-wide breach

A regional IT services provider exposed its ServiceDesk login without rate limits. Unit6 spotted the shift from brute-force to successful use, shut it down, and rebuilt access controls.

Satellite communicationsGlobal

Catching a nation-state’s brute-force campaign against a global satellite operator

A Chinese-directed cluster brute-forced internal support portals for a satellite operator and took over accounts. Unit6 surfaced the compromise and rebuilt authentication before operations were touched.

Fintech / payments processingGlobal

Detecting AI-powered brute forcing against a fintech customer portal

AI-augmented actors brute-forced and sprayed a payments portal, taking over customer accounts. Unit6 cut off access, drove mandatory MFA, and hardened defenses against adaptive attacks.

Aerospace & aviation communicationsGlobal

Early warning on initial access broker claims against aviation messaging systems

Unit6 spotted a broker selling access to an aviation messaging platform before abuse began. Accounts and endpoints were hardened and a rapid-response plan put in place.

High-precision manufacturing / medtech & opticsEurope & Global

Disrupting state-sponsored recon and credential exposure against a high-precision manufacturer

State-linked actors targeted engineers and admin portals at a medtech/optics manufacturer. Unit6 neutralized exposed credentials and hardened privileged access before exploitation.

Enterprise software / communicationsGlobal

Dual nation-state intrusion into a critical file transfer system — detected before impact

Two unrelated nation-state actors exploited the same secure file transfer stack simultaneously. Unit6 surfaced both compromises and stopped large-scale exfiltration before internal teams saw anomalies.

SaaS / business intelligence platformGlobal

Supply-chain ransomware campaign leveraging a compromised SaaS administrator — multi-tenant threat stopped early

A ransomware group weaponized trusted admin pathways inside a business intelligence SaaS. Unit6 saw the compromise, coordinated fast revocation, and blocked cross-customer propagation.

Pharmaceuticals / healthcareGlobal

Supply-chain intrusion into a global pharmaceutical enterprise — pre-ransomware phase blocked

A Sophisticated Threat Actor attempted to pivot from a compromised SaaS provider into a pharmaceutical company via trusted admin links. Unit6 severed trust and stopped the intrusion in the staging phase.