Global Tech Manufacturer Neutralizes APT Attack with Zero Downtime

When attackers accessed the client’s 10K+ endpoint environment as part of the TiltedTemple campaign, Unit 42® uncovered the impact and secured the enterprise.


Unit 42 enabled the client to continue to operate securely after being targeted by an APT


Successful campaign attribution to TiltedTemple for the attack


Determined scope of impact and secured the environment

The Client

Global technology manufacturer

The Challenge

Law enforcement observed network traffic leaving the client's environment that matched indicators for a known APT. Because this actor was capable of operating very stealthily, the case required a unique and thorough investigation. Unit 42 ensured the client experienced zero downtime during the active APT investigation. Our incident response experts were asked to:

  • Contain and eradicate the threat actor and prevent lateral movement beyond initial impact.
  • Identify the root cause and gauge the extent of the attack.
  • Enhance security controls to mitigate further damage.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes


Given the nature of the threat actor, Unit 42 knew a thorough assessment was necessary, not just of the impacted environment, but also of the adjacent environments and the broader network.


To ensure the threat actor was not hiding in plain sight, extensive threat hunting began, immediately looking for persistent access, lateral movement and data exfiltration.


24/7 threat hunting and proactive monitoring setup enabled complete visibility of activity on the network and all endpoints.


Threat actor access was confirmed to be removed, backdoors closed, with Unit 42 able to inform the client on the totality of the impact.


Identified and closed security-related visibility gaps between the parent company and impacted organization.

"Unit 42 provided the knowledge and skills in a timely manner to help the incident response team and top management feel confident that the risks associated with an active threat actor had been mitigated."

Resolution Timeline

Days 0 - 1
Crisis Intervention

Assessed the breadth and severity of the incident, identified indicators of compromise (IoCs) and determined threat actor attribution.

Conducted a forensic investigation of known impacted systems to understand all unauthorized activity and search for IoCs throughout the enterprise environment.

Utilized existing tools for rapid visibility and identified gaps.

Days 2 - 5

Using Unit 42 Threat Intelligence and IoCs, the threat actor was identified as a Chinese APT under the TiltedTemple campaign.

Continued threat hunting for known IoCs and identified new TTPs.

Deployed Cortex XDR® to systems with identified gaps in coverage to expand visibility.

Isolated identified threats and monitored for persistence activity and data exposure.

Days 6 - 10

Performed broader threat hunting across the enterprise environment to identify presently unknown threat actor activity.

Performed frequency and anomaly analysis using Cortex Xpanse® to identify potentially malicious activity.

Confirmed threat actor was evicted and threat was eradicated, and provided client details on the incident's impact.

Identified gaps and advised on how to effectively remediate vulnerabilities and harden the client's security posture.
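The "frequency and anomaly analysis" named in the timeline is usually done by stacking endpoint telemetry: group every executable by its path and hash, count the hosts it appears on, and review the rarest ones first, alongside straight IoC matching and checks for binaries that borrow the name of a common process but run from a different path. The following is an added, self-contained Python illustration of that hunting logic; it is not Unit 42's code and not a Cortex XDR or Cortex Xpanse API. The host names, paths, hashes and the IoC list are constructed placeholders.

```python
"""Least-frequency ("stacking") analysis over endpoint process telemetry.

Added illustration, not Unit 42 or Cortex code. Every record, host name,
hash and IoC value below is constructed for the example.
"""
from collections import defaultdict

# Constructed IoC set: SHA-256 values a hunt might receive from threat intelligence.
KNOWN_BAD_HASHES = {
    "deadbeef" * 8,  # constructed placeholder hash
}

# Constructed telemetry: (host, process image path, sha256, parent image path)
EVENTS = [
    ("ws-001", r"C:\Windows\System32\svchost.exe", "aa" * 32, r"C:\Windows\System32\services.exe"),
    ("ws-002", r"C:\Windows\System32\svchost.exe", "aa" * 32, r"C:\Windows\System32\services.exe"),
    ("ws-003", r"C:\Windows\System32\svchost.exe", "aa" * 32, r"C:\Windows\System32\services.exe"),
    ("ws-004", r"C:\Windows\System32\svchost.exe", "aa" * 32, r"C:\Windows\System32\services.exe"),
    ("ws-001", r"C:\Program Files\Vendor\agent.exe", "bb" * 32, r"C:\Windows\System32\services.exe"),
    ("ws-002", r"C:\Program Files\Vendor\agent.exe", "bb" * 32, r"C:\Windows\System32\services.exe"),
    ("ws-003", r"C:\Program Files\Vendor\agent.exe", "bb" * 32, r"C:\Windows\System32\services.exe"),
    ("ws-004", r"C:\Program Files\Vendor\agent.exe", "bb" * 32, r"C:\Windows\System32\services.exe"),
    # Familiar file name, different path and hash, unusual parent, seen on one host only.
    ("ws-003", r"C:\Users\Public\svchost.exe", "deadbeef" * 8, r"C:\Windows\System32\rundll32.exe"),
    # Unknown binary on a single host that is not on the IoC list.
    ("ws-004", r"C:\ProgramData\update\upd.exe", "cc" * 32, r"C:\Windows\explorer.exe"),
]


def stack(events):
    """Group events by (path, sha256) and record the set of hosts each was seen on."""
    hosts_by_proc = defaultdict(set)
    for host, path, sha256, _parent in events:
        hosts_by_proc[(path, sha256)].add(host)
    return hosts_by_proc


def rare_processes(events, max_hosts=1):
    """Return (path, sha256, hosts) for executables seen on at most max_hosts hosts.

    Rarity alone is not malice; it only ranks what an analyst reviews first.
    """
    return sorted(
        (path, sha256, sorted(hosts))
        for (path, sha256), hosts in stack(events).items()
        if len(hosts) <= max_hosts
    )


def masquerading(events):
    """Flag executables whose file name matches one seen across the fleet but whose
    path or hash differs (e.g. svchost.exe running outside System32)."""
    by_name = defaultdict(set)
    for _host, path, sha256, _parent in events:
        name = path.rsplit("\\", 1)[-1].lower()
        by_name[name].add((path, sha256))
    hosts_by_proc = stack(events)
    findings = []
    for name, variants in by_name.items():
        if len(variants) < 2:
            continue
        # The variant present on the most hosts is treated as the fleet baseline.
        baseline = max(variants, key=lambda v: len(hosts_by_proc[v]))
        for path, sha256 in variants - {baseline}:
            findings.append((name, path, sha256, sorted(hosts_by_proc[(path, sha256)])))
    return sorted(findings)


def ioc_hits(events, iocs=KNOWN_BAD_HASHES):
    """Direct match of observed hashes against the IoC set."""
    return sorted({(host, path, sha256) for host, path, sha256, _ in events if sha256 in iocs})


def triage(events, iocs=KNOWN_BAD_HASHES):
    """Merge the three checks into one ranked worklist keyed by (path, sha256)."""
    hosts_by_proc = stack(events)
    priority = {}
    for _host, path, sha256 in ioc_hits(events, iocs):
        priority[(path, sha256)] = "high"
    for _name, path, sha256, _hosts in masquerading(events):
        priority.setdefault((path, sha256), "medium")
    for path, sha256, _hosts in rare_processes(events):
        priority.setdefault((path, sha256), "low")
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(
        ({"path": p, "sha256": h, "hosts": sorted(hosts_by_proc[(p, h)]), "priority": pr}
         for (p, h), pr in priority.items()),
        key=lambda f: (order[f["priority"]], f["path"]),
    )


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(f"[{finding['priority']}] {finding['path']} on {finding['hosts']}")
```

In a real engagement the event list would be replaced by an export from the endpoint telemetry platform; the value of the stacking step is that it surfaces the single-host `svchost.exe` in a user-writable directory even before its hash appears on any IoC list, which is how hunts find new TTPs rather than only known indicators.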

Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by Industry’s Best

  • Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology

    Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.

  • Experience

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.