Customer story

High-precision manufacturing / medtech & optics · Europe & Global · Anonymized

Disrupting state-sponsored recon and credential exposure against a high-precision manufacturer

State-linked actors targeted engineers and admin portals at a medtech/optics manufacturer. Unit6 neutralized exposed credentials and hardened privileged access before exploitation.

MITRE T1592, MITRE T1598, MITRE T1078, MITRE T1081

The situation

A renowned manufacturer of optical and medical technologies became the focus of Chinese-linked reconnaissance. Unit6 saw targeting of privileged staff and exposure of credentials tied to an internal administrative portal.

What Unit6 detected

  • Focused reconnaissance against public-facing and semi-exposed assets.
  • Targeting of named engineers and privileged support staff.
  • Exposure of valid credentials linked to a critical internal administrative portal.
  • Additional exposed administrative identities indicating partner or contractor risk.

Why it mattered

  • Deep visibility into customer, device, or clinical deployments.
  • Ability to alter configurations or profiles with safety or reliability implications.
  • Stepping stone into R&D, IP repositories, or manufacturing networks.
  • Erosion of trust from healthcare and enterprise customers.

What Unit6 did

Neutralized exposed identities

  • Reset all known exposed credentials and related accounts.
  • Enforced MFA for all privileged users and administrative access, including contractors.

Interrogated potential misuse

  • Reviewed admin portal logs for unusual access, geographic anomalies, and privilege changes.
  • Searched for signs of persistence, new accounts, or unexpected configuration changes.
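One way to carry out that log review, as an added example that is not Unit6's or the client's code: it assumes a constructed JSON-lines audit log with the fields ts, user, event, src_country, ok and target, a list of known-exposed accounts, and a per-user baseline of expected login countries. It flags logins outside baseline, privilege changes and account creation, and links accounts that were elevated to any privileged actions they later performed.

```python
"""Triage admin-portal audit events after a credential exposure (added example,
not Unit6's tooling; log format, field names and baselines are constructed)."""
import json

# Constructed sample audit events from a hypothetical admin portal (JSON lines).
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:11Z","user":"j.engineer","event":"login","src_country":"DE","ok":true}
{"ts":"2024-03-01T23:41:05Z","user":"j.engineer","event":"login","src_country":"HK","ok":true}
{"ts":"2024-03-01T23:43:50Z","user":"j.engineer","event":"role_change","target":"svc-backup","detail":"member->admin"}
{"ts":"2024-03-02T01:10:00Z","user":"svc-backup","event":"account_create","target":"support-tmp"}
{"ts":"2024-03-02T09:00:00Z","user":"a.support","event":"login","src_country":"DE","ok":true}
{"ts":"2024-03-02T09:05:00Z","user":"contractor.x","event":"login","src_country":"FR","ok":false}
"""

# Accounts known to be exposed, and the countries each privileged user normally logs in from.
EXPOSED_ACCOUNTS = {"j.engineer"}
BASELINE_COUNTRIES = {"j.engineer": {"DE"}, "a.support": {"DE"}, "contractor.x": {"FR"}}
PRIVILEGE_EVENTS = {"role_change", "account_create"}

def triage(log_text, exposed=EXPOSED_ACCOUNTS, baseline=BASELINE_COUNTRIES):
    """Return (severity, user, reason) findings, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        user = ev["user"]
        if ev["event"] == "login" and ev.get("ok"):
            if ev["src_country"] not in baseline.get(user, set()):
                # Geographic anomaly; worse when the account is already known exposed.
                sev = "high" if user in exposed else "medium"
                findings.append((sev, user, f"login from {ev['src_country']} outside baseline"))
            elif user in exposed:
                findings.append(("medium", user, "successful login on exposed account"))
        elif ev["event"] in PRIVILEGE_EVENTS:
            # Privilege changes and new accounts after an exposure are persistence candidates.
            sev = "high" if user in exposed else "medium"
            findings.append((sev, user, f"{ev['event']} on {ev['target']}"))
    findings.sort(key=lambda f: {"high": 0, "medium": 1}[f[0]])
    return findings

def persistence_chains(log_text):
    """Accounts granted a new role that then perform privileged actions themselves."""
    elevated, chains = set(), []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["event"] == "role_change":
            elevated.add(ev["target"])
        elif ev["event"] in PRIVILEGE_EVENTS and ev["user"] in elevated:
            chains.append((ev["user"], ev["event"], ev["target"]))
    return chains
```

Failed logins are not flagged here; in a real review they belong in a separate brute-force or spray check against the same accounts.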

Hardened privileged access and segmentation

  • Implemented stricter role-based access and just-in-time admin mechanisms.
  • Increased monitoring on lateral movement paths from admin portals toward core IP and production environments.

Proactive threat hunting

  • Used Unit6 indicators to search for implants, suspicious tooling, and C2 traces across the network.
  • Monitored for continued targeting of high-value individuals.

Outcome

  • Privileged accounts secured before evidence of large-scale exploitation.
  • Privileged access management strengthened, reducing blast radius of future compromises.
  • Leadership communicated a clear narrative of early detection and swift mitigation.

Unit6 edge

  • Combining identity-level exposure with person-level targeting of high-value staff.
  • Focus on how credential leaks intersect with critical portals and operations.
  • Guidance that evolved the client from password resets to threat-informed privileged access strategy.
