Chinese-linked hackers target French state in Ivanti exploit campaign

ANSSI identifies connections to known Chinese contractor UNC5174, suggesting state-backed intelligence links.


A sophisticated cyber campaign linked to Chinese threat actors has targeted French government, defence and media organisations by exploiting zero-day vulnerabilities in Ivanti’s server software, France’s national cyber agency has revealed.

The French National Agency for Information Systems Security (ANSSI) reported that attackers exploited flaws in an end-of-life version of Ivanti’s Cloud Services Appliance. Victims include public agencies, telecoms, finance firms and media outlets. ANSSI dubbed the threat ‘Houken.’

Hackers used tools developed by Chinese-speaking actors, operated during Chinese working hours and pursued both espionage and financial gain. In one case, they deployed a cryptominer—an unusual move for state-linked actors.

The campaign that targeted France relied on chaining Ivanti zero-days (CVE-2024-8190, CVE-2024-9380 and CVE-2024-8963) to deploy a novel rootkit. Attackers then used webshells, fileless backdoors, and anonymising services like NordVPN.

ANSSI noted similarities to activity by UNC5174, a Chinese initial access broker tracked by Mandiant. This actor, also known as ‘Uteus,’ reportedly works with the Ministry of State Security in China.

Evidence suggests that Houken not only sells access to compromised networks but also carries out direct data exfiltration. Its victims included the foreign ministry of a South American country.

The Paris Prosecutor’s Office is investigating a possible botnet linked to Chinese state hackers, though it’s unclear if it’s connected to Houken.

ANSSI warns that both Houken and UNC5174 are still active and likely to continue exploiting exposed infrastructure worldwide.
