Supply-chain intrusion into a global pharmaceutical enterprise — pre-ransomware phase blocked

A Sophisticated Threat Actor attempted to pivot from a compromised SaaS provider into a pharmaceutical company via trusted admin links. Unit6 severed trust and stopped the intrusion in the staging phase.

MITRE T1078MITRE T1087MITRE T1069MITRE T1482

Book a demo Explore the platform

The situation

A global pharmaceutical company consumed services from a business intelligence platform that had suffered a privileged admin compromise by the Sophisticated Threat Actor. Using trusted admin pathways, the adversary began pivoting from the SaaS platform into multiple customers, including the pharmaceutical enterprise.

What Unit6 detected

Authenticated access into pharmaceutical systems originating from the compromised SaaS provider.
Enumeration of internal shares, privileged directories, and user accounts.
Attempts at privilege escalation and persistence within the environment.
Pre-ransomware staging matched to Sophisticated Threat Actor tradecraft, confirming lineage from the SaaS provider breach.

Why it mattered

Intrusion appeared legitimate due to trusted SaaS-provider credentials.
Immediate privileged visibility into sensitive research and supply-chain environments.
Imminent setup phase of a ransomware event with potential to disrupt manufacturing and research.
Risk of exposing regulated data with downstream compliance and safety impacts.

What Unit6 did

Severed trust with the compromised provider

Invalidated all authentication tokens, SSO links, and API keys with the SaaS platform.
Implemented temporary segmentation between integration layers and production networks.

Reset and hardened privileged access

Forced credential resets and fresh MFA enrollment for high-value identities.
Tightened privileged access patterns to limit blast radius.

Hunted for attacker footprint

Reviewed logs tied to SaaS-originating access paths for enumeration, anomalous commands, scheduled tasks, and persistence.
Validated that no malicious payloads or implants were deployed.

Activated ransomware-blocking controls

Enabled EDR actions to interrupt encryption behavior and ensured backup availability with isolation.
Monitored outbound connections for exfiltration tendencies.

Outcome

The pharmaceutical enterprise avoided an imminent ransomware event.
The attack chain was disrupted between environment enumeration and payload deployment.
The organization gained full visibility into the supply-chain connection enabling the intrusion.

Unit6 edge

Supply-chain attack correlation across SaaS and customer ecosystems.
Early recognition of the Sophisticated Threat Actor’s ransomware pre-staging patterns.
Intelligence-driven containment that prevented multi-tenant ransomware detonation across industries.

Browse other stories

See more anonymized wins

Back to all stories

Specialty chemicals / industrial manufacturingNorth America & Europe

Stopping a nation-state from reaching industrial OT via a SaaS monitoring platform

An East Asia-aligned actor used stolen credentials to access an OT monitoring SaaS. Unit6 cut the access path and rebuilt controls before the adversary could reach production lines.

Healthcare / hospital systemNorth America

Preventing ransomware by catching an MFA bypass against a healthcare claims portal

A ransomware-linked actor marketed access to a children’s hospital claims portal, including the MFA secret. Unit6 shut down the identity and drove phishing-resistant controls before patient data was touched.

Outsourcing / workforce management / BPOEMEA

Exposing a multi-actor campaign against HR, payroll, and internal portals

Multiple actor clusters targeted an outsourcing firm’s kiosk, HR, and payroll surfaces simultaneously. Unit6 treated it as one campaign, closing credential abuse and hardening exposed services quickly.

IT services / systems integratorMiddle East

Catching a helpdesk brute-force compromise before it became a company-wide breach

A regional IT services provider exposed its ServiceDesk login without rate limits. Unit6 spotted the shift from brute-force to successful use, shut it down, and rebuilt access controls.

Satellite communicationsGlobal

Catching a nation-state’s brute-force campaign against a global satellite operator

A Chinese-directed cluster brute-forced internal support portals for a satellite operator and took over accounts. Unit6 surfaced the compromise and rebuilt authentication before operations were touched.

Fintech / payments processingGlobal

Detecting AI-powered brute forcing against a fintech customer portal

AI-augmented actors brute-forced and sprayed a payments portal, taking over customer accounts. Unit6 cut off access, drove mandatory MFA, and hardened defenses against adaptive attacks.

Aerospace & aviation communicationsGlobal

Early warning on initial access broker claims against aviation messaging systems

Unit6 spotted a broker selling access to an aviation messaging platform before abuse began. Accounts and endpoints were hardened and a rapid-response plan put in place.

High-precision manufacturing / medtech & opticsEurope & Global

Disrupting state-sponsored recon and credential exposure against a high-precision manufacturer

State-linked actors targeted engineers and admin portals at a medtech/optics manufacturer. Unit6 neutralized exposed credentials and hardened privileged access before exploitation.

Enterprise software / communicationsGlobal

Dual nation-state intrusion into a critical file transfer system — detected before impact

Two unrelated nation-state actors exploited the same secure file transfer stack simultaneously. Unit6 surfaced both compromises and stopped large-scale exfiltration before internal teams saw anomalies.

SaaS / business intelligence platformGlobal

Supply-chain ransomware campaign leveraging a compromised SaaS administrator — multi-tenant threat stopped early

A ransomware group weaponized trusted admin pathways inside a business intelligence SaaS. Unit6 saw the compromise, coordinated fast revocation, and blocked cross-customer propagation.