In a campaign first detected in September 2024, the French cybersecurity agency ANSSI found that a group it tracks as Houken, linked to the Chinese threat actor UNC5174, exploited three then-unpatched vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices: CVE-2024-8190 (an authenticated OS command injection), CVE-2024-8963 (a path traversal that lets an unauthenticated attacker reach restricted functionality and so bypass the authentication the other two flaws require), and CVE-2024-9380 (a second authenticated command injection in the admin console). Chained, the flaws let attackers execute code remotely, steal credentials, and establish persistent access across French government, telecom, finance, media, and transport organisations.
The attackers chained these vulnerabilities, running base64-encoded Python scripts to extract administrator credentials from the appliance and dropping PHP webshells for continued access. In some cases they also installed a custom Linux kernel rootkit, sysinitd.ko, which hijacked inbound TCP traffic to the device and executed commands as root.
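As an added illustration, not part of ANSSI's report or of this article's original text, the Python triage helpers below look for the three artefacts described above on a Linux appliance: a loaded kernel module named sysinitd (or any out-of-tree module), PHP files that evaluate or execute request-supplied content, and processes running Python from a base64-encoded one-liner. All inputs are constructed samples; the /var/www/html paths are placeholders, not the real CSA web root, and the assumption that the rootkit registers under its file name sysinitd is ours.

```python
"""Host triage for the Houken tradecraft described above.
Added example; all inputs are constructed, not real forensic data."""
import base64
import re
from typing import Dict, List

# Assumption: the rootkit module registers under the same name as its file, sysinitd.ko.
SUSPECT_MODULES = {"sysinitd"}

# Constructed /proc/modules content. Fields: name size refcount deps state address
# [taint flags]; "(OE)" marks an out-of-tree, unsigned module.
SAMPLE_PROC_MODULES = """\
xfs 1519616 2 - Live 0xffffffffc0a00000
sysinitd 16384 0 - Live 0xffffffffc09f0000 (OE)
libcrc32c 16384 1 xfs, Live 0xffffffffc09e0000
"""

# Constructed payload plus `ps -eo pid,user,args` output. The payload is encoded
# here rather than pasted so the sample is guaranteed to be valid base64.
PAYLOAD = base64.b64encode(b"import os; print(open('/etc/shadow').read())").decode()
SAMPLE_PS = f"""\
  PID USER     COMMAND
    1 root     /sbin/init
  812 www-data /usr/sbin/apache2 -k start
 4410 www-data python3 -c exec(__import__('base64').b64decode('{PAYLOAD}'))
 4422 www-data sh -c echo {PAYLOAD} | base64 -d | python3
 4430 root     sshd: root@pts/0
"""

# Constructed PHP files: a benign page and a minimal eval-style webshell.
SAMPLE_PHP_FILES = {
    "/var/www/html/index.php": "<?php echo 'Login'; ?>",
    "/var/www/html/lib/help.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
}


def suspicious_kernel_modules(proc_modules: str) -> List[Dict[str, str]]:
    """Flag modules by known name or by the (OE) out-of-tree taint flag."""
    hits = []
    for line in proc_modules.splitlines():
        parts = line.split()
        if not parts:
            continue
        name, tainted = parts[0], "(OE)" in parts[-1]
        if name in SUSPECT_MODULES or tainted:
            reason = "name" if name in SUSPECT_MODULES else "out-of-tree"
            hits.append({"module": name, "reason": reason})
    return hits


# Two shapes of base64-wrapped execution: an inline b64decode('...') call, or
# `echo <blob> | base64 -d | python`.
B64_RE = re.compile(
    r"b64decode\(['\"]([A-Za-z0-9+/=]{16,})['\"]\)"
    r"|echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+-d"
)


def decode_base64_python(ps_output: str) -> Dict[int, str]:
    """Return {pid: decoded script} for processes running base64-wrapped Python."""
    found = {}
    for line in ps_output.splitlines()[1:]:  # skip the ps header row
        parts = line.split(None, 2)
        if len(parts) < 3 or "python" not in parts[2]:
            continue
        match = B64_RE.search(parts[2])
        if not match:
            continue
        blob = match.group(1) or match.group(2)
        try:  # validate=True rejects blobs that only look like base64
            found[int(parts[0])] = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
    return found


EXECUTES_RE = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\(")
FROM_REQUEST_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|FILES)\b")


def likely_webshells(php_files: Dict[str, str]) -> List[str]:
    """A file is flagged when it both executes code and reads request input."""
    return sorted(
        path for path, src in php_files.items()
        if EXECUTES_RE.search(src) and FROM_REQUEST_RE.search(src)
    )


if __name__ == "__main__":
    # On a live host, read /proc/modules, run `ps -eo pid,user,args`, and walk the
    # real web root; here the constructed samples stand in for all three.
    print(suspicious_kernel_modules(SAMPLE_PROC_MODULES))
    print(decode_base64_python(SAMPLE_PS))
    print(likely_webshells(SAMPLE_PHP_FILES))
```

The webshell heuristic is intentionally broad (legitimate admin pages also combine request input with exec-style calls), so treat its hits as leads for manual review rather than verdicts; the kernel-module and base64 checks are higher confidence because an appliance should have no out-of-tree modules and no reason to launch Python from encoded one-liners.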
Sophisticated Tools and Lateral Movement Deepen Impact
Houken's operations combined the kernel rootkit with a wide array of open-source tools, many written by Chinese-speaking developers. Its infrastructure relied on commercial VPNs, anonymization services, and dedicated servers to mask activity and maintain control.
After the initial compromise, the attackers conducted extensive reconnaissance and moved laterally to additional systems, including F5 BIG-IP appliances. In several incidents they escalated privileges, harvested more credentials, and deployed further persistence mechanisms deep inside the victims' internal networks.
Did you know?
Houken not only exploited the Ivanti zero-days but also patched the vulnerabilities on the systems it had compromised, locking out other attackers and keeping the access to itself.
Initial Access Brokering and State-Linked Espionage
ANSSI's analysis suggests Houken operates as an initial access broker, selling network footholds to other state-linked or financially motivated actors. The campaign's working hours and operational patterns align with China Standard Time, reinforcing attribution to Chinese interests.
The attackers' activities went beyond intelligence gathering to attempts to monetize access, such as deploying a cryptocurrency miner. This dual-purpose approach illustrates how state-linked operations increasingly blend espionage with financially driven tactics.
French Cybersecurity Response and Ongoing Threats
Ivanti patched the three vulnerabilities in September and October 2024, but the campaign continued into November, with ANSSI providing forensic and remediation support to affected organizations. The agency stressed that countering such advanced persistent threats requires rapid patching, vigilant monitoring, and robust incident response.
The Houken campaign underscores the importance of securing edge devices and keeping defenses current, as attackers increasingly target internet-facing infrastructure components to gain initial access and push deeper into national networks.