French Government Entities Targeted by Hackers, Reports ANSSI

A sophisticated hacking campaign attributed to Chinese threat actors has exploited multiple zero-day vulnerabilities in Ivanti server software to penetrate various French government institutions, as confirmed by the French National Agency for Information Systems Security (ANSSI). The campaign, linked to the intrusion set dubbed “Houken,” targeted government entities, defense, telecom, media, finance, and transportation sectors.
ANSSI reported that numerous French organizations were compromised using various security flaws that affected an outdated version of Ivanti’s Cloud Services Appliance. This multifaceted attack exhibited extensive planning and execution, suggesting an organized approach from a state-sponsored group.
According to ANSSI, the attackers employed a wide array of open-source tools predominantly developed by Chinese-speaking programmers. Their operations aligned with Chinese working hours and demonstrated behaviors typical of intelligence collection. Notably, the threat actors also sought financial gain by deploying a cryptominer on at least one compromised system—a rarity for such groups.
The tactics and techniques observed map to several adversary tactics in the MITRE ATT&CK framework. The campaign began with the exploitation of two Ivanti zero-days, CVE-2024-8190 and CVE-2024-9380, alongside CVE-2024-8963, to implant a novel variant of a rootkit into the target environment. After gaining initial access, the threat group maintained persistence with fileless backdoors such as VShell and Goreverse, indicating a sophisticated understanding of how to keep covert access.
The Houken operator’s activities bear similarities to a Chinese threat actor identified as UNC5174. This actor is thought to be linked to China’s Ministry of State Security, with past behavioral patterns indicating the sale of network access to other Beijing-affiliated hackers. Alongside exploiting vulnerabilities, ANSSI revealed that this group had also exfiltrated a large volume of emails from the Ministry of Foreign Affairs of an unnamed South American nation—further illustrating the far-reaching implications of their operations.
To conceal their activities, the attackers utilized anonymization services and proxy networks, employing residential and mobile IP addresses as part of their stealthy approach. Notably, the Paris Public Prosecutor’s Office has launched an investigation into a “network of machine zombies” possibly connected to these state-sponsored groups, yet the exact relationships remain unclear.
As the threat landscape continues to evolve, researchers at ANSSI have warned that both the Houken and UNC5174 operators remain active. The potential for future campaigns that opportunistically exploit internet-facing systems, such as endpoint managers and VPN appliances, indicates a persistent threat to organizations globally. These findings underscore the urgent need for businesses to prioritize cybersecurity measures in an increasingly hostile digital environment.