Customer story

Satellite communicationsGlobalAnonymized

Catching a nation-state’s brute-force campaign against a global satellite operator

A Chinese-directed cluster brute-forced internal support portals for a satellite operator and took over accounts. Unit6 surfaced the compromise and rebuilt authentication before operations were touched.

MITRE T1110MITRE T1078MITRE T1086
Book a demoExplore the platform

The situation

A global satellite communications operator exposed internal support and management portals with weak, inconsistent MFA. Unit6 observed a Chinese-directed threat cluster systematically brute-forcing and successfully compromising multiple accounts.

What Unit6 detected

  • Focused brute-force activity against internal support portals.
  • Confirmed valid username/password combinations for multiple internal user accounts.
  • Evidence of successful interactive logins shortly after brute-force bursts.

Why it mattered

  • Reconnaissance on satellite configurations, customers, and routing.
  • Interference with internal workflows supporting satellite operations.
  • Lateral movement into more sensitive environments.
  • Espionage or timed disruption of critical communications.

What Unit6 did

Contained active compromise

  • Identified and reset all compromised internal accounts.
  • Invalidated active sessions and tightened access rights for support users.

Raised the bar on authentication

  • Enforced MFA on all internal support portals and high-risk internal applications.
  • Introduced rate limiting and account lockout policies on exposed login panels.

Enhanced monitoring and hygiene

  • Deployed detections for repeated failed logins and unusual login locations.
  • Ran focused credential hygiene campaigns for internal staff.

Outcome

  • Multiple compromised accounts were neutralized before deeper pivot.
  • Critical portals moved from password-only to hardened, monitored access.
  • Executives saw how adversary-centric visibility reduced operational risk for space infrastructure.

Unit6 edge

  • Tracing nation-state brute-force behavior from attacker infrastructure into specific internal portals and accounts.
  • Campaign-level visibility that turned brute-force noise into confirmed compromise.
  • Rapid, practical guidance implemented by operations teams without re-architecting systems.

Browse other stories

See more anonymized wins

Back to all stories
Specialty chemicals / industrial manufacturingNorth America & Europe

Stopping a nation-state from reaching industrial OT via a SaaS monitoring platform

An East Asia-aligned actor used stolen credentials to access an OT monitoring SaaS. Unit6 cut the access path and rebuilt controls before the adversary could reach production lines.

Healthcare / hospital systemNorth America

Preventing ransomware by catching an MFA bypass against a healthcare claims portal

A ransomware-linked actor marketed access to a children’s hospital claims portal, including the MFA secret. Unit6 shut down the identity and drove phishing-resistant controls before patient data was touched.

Outsourcing / workforce management / BPOEMEA

Exposing a multi-actor campaign against HR, payroll, and internal portals

Multiple actor clusters targeted an outsourcing firm’s kiosk, HR, and payroll surfaces simultaneously. Unit6 treated it as one campaign, closing credential abuse and hardening exposed services quickly.

IT services / systems integratorMiddle East

Catching a helpdesk brute-force compromise before it became a company-wide breach

A regional IT services provider exposed its ServiceDesk login without rate limits. Unit6 spotted the shift from brute-force to successful use, shut it down, and rebuilt access controls.

Fintech / payments processingGlobal

Detecting AI-powered brute forcing against a fintech customer portal

AI-augmented actors brute-forced and sprayed a payments portal, taking over customer accounts. Unit6 cut off access, drove mandatory MFA, and hardened defenses against adaptive attacks.

Aerospace & aviation communicationsGlobal

Early warning on initial access broker claims against aviation messaging systems

Unit6 spotted a broker selling access to an aviation messaging platform before abuse began. Accounts and endpoints were hardened and a rapid-response plan put in place.

High-precision manufacturing / medtech & opticsEurope & Global

Disrupting state-sponsored recon and credential exposure against a high-precision manufacturer

State-linked actors targeted engineers and admin portals at a medtech/optics manufacturer. Unit6 neutralized exposed credentials and hardened privileged access before exploitation.

Enterprise software / communicationsGlobal

Dual nation-state intrusion into a critical file transfer system — detected before impact

Two unrelated nation-state actors exploited the same secure file transfer stack simultaneously. Unit6 surfaced both compromises and stopped large-scale exfiltration before internal teams saw anomalies.

SaaS / business intelligence platformGlobal

Supply-chain ransomware campaign leveraging a compromised SaaS administrator — multi-tenant threat stopped early

A ransomware group weaponized trusted admin pathways inside a business intelligence SaaS. Unit6 saw the compromise, coordinated fast revocation, and blocked cross-customer propagation.

Pharmaceuticals / healthcareGlobal

Supply-chain intrusion into a global pharmaceutical enterprise — pre-ransomware phase blocked

A Sophisticated Threat Actor attempted to pivot from a compromised SaaS provider into a pharmaceutical company via trusted admin links. Unit6 severed trust and stopped the intrusion in the staging phase.