The French National Agency for the Security of Information Systems (ANSSI) has issued a detailed report that reveals how a Chinese-linked hacking group exploited zero-day flaws in Ivanti Cloud Services Appliance (CSA) devices. The campaign affected multiple critical sectors in France, including government, telecom, media, finance and transport organizations.
What Happened
ANSSI says the attack began in early September 2024. Hackers chained three previously unknown Ivanti vulnerabilities—CVE‑2024‑8190, CVE‑2024‑8963 and CVE‑2024‑9380—to break into Ivanti CSA devices. These were true zero-days at the time, unknown to Ivanti and to the public.
The attackers first gained initial access and then established persistence. They used web shells, modified PHP scripts, and even installed a kernel‑mode rootkit on victim systems. That rootkit was packed as a module called sysinitd.ko, and came with a user executable and installer script. It hijacked inbound TCP traffic and let them run commands as root.
They also deployed tools such as Behinder and neo‑reGeorg. Later they used malware like GOREVERSE and a Golang tunneling tool called GOHEAVY. That helped them move laterally and stay hidden.
Who’s Behind It
ANSSI calls the attacker group “Houken.” The group shares many traits with another threat group tracked by Mandiant under UNC5174 (also called Uteus). Both groups use zero-days, rootkits, and Chinese open‑source tools. Both use commercial VPNs and dedicated servers as infrastructure.
ANSSI suspects Houken has acted as an initial access broker since 2023. That means it can break into networks and then resell access to other actors. Some buyers may be state-affiliated, others are financially motivated.
In one case, ANSSI observed email exfiltration from a ministry of foreign affairs in South America. In another case, the attackers installed cryptocurrency mining software. These show both espionage and profit interests.
Scope and Targets
ANSSI confirmed the campaign impacted French government agencies, telecom firms, media companies, financial institutions and transport operators. Every sector was touched.
But the operation was not limited to France. ANSSI saw similar intrusion attempts against universities and governments in Southeast Asia. NGOs in mainland China, Hong Kong and Macau were also targeted. Western telecom, defense and education institutions may be at risk too.
Technical Tactics
The attackers chained three zero‑day flaws in Ivanti CSA. They deployed PHP web shells directly, injected web‑shell code into existing scripts, and installed a kernel rootkit. That gave them high privileges and remote access.
They also used open‑source tools made by Chinese‑speaking developers. Examples include Behinder for web shells and neo‑reGeorg for tunneling. After moving laterally, they deployed GOREVERSE and GOHEAVY.
The rootkit sysinitd.ko was central. It hijacked TCP traffic and let attackers run arbitrary root commands. ANSSI says the attacker ran a script named install.sh to load the module and user‑space helper.
Attack infrastructure included commercial VPNs such as NordVPN and ExpressVPN, dedicated VPS servers, and even residential or mobile IP proxies. This masked the source of their activity, and they reused IP addresses across operations.
A Strange Move: Self‑Patching
One unusual tactic: after gaining access, the attackers patched the Ivanti vulnerabilities they exploited. That blocked other groups from entering the same systems. ANSSI says this move hints at competition among cyber threat actors.
Security experts say this self-patching tactic is increasing among advanced threat actors. It helps them keep control longer.
Attribution and Connections
The overlap between Houken and UNC5174 is strong. Both use similar tools. Both exhibit similar timing aligned with China Standard Time (UTC+8). That points to a likely shared operator or group.
ANSSI says the group behind both intrusion sets “might correspond to a private entity, selling accesses and worthwhile data to several state‑linked bodies while seeking its own interests leading lucrative oriented operations.”([therecord.media][3])
Some analysts link UNC5174 to China’s Ministry of State Security via contracting networks. UNC5174 has exploited flaws in SAP NetWeaver, F5 BIG-IP, Palo Alto Networks and more.
Why It Matters
This incident matters on several levels. First, zero‑day flaws still pose major risks. Even large agencies can be breached if patches aren’t in place. Here, attackers chained three of them. That shows how dangerous unpatched CSA appliances can be.
Second, the campaign shows how initial access brokers operate. They break in once, then sell that access to others. That multiplies risk across sectors and geographies.
Third, this attack mixes espionage and profit. Some targets are state or intelligence related. Others get crypto miners. That mix signals flexible motivations.
Fourth, the self‑patching trick reveals an evolving threat market. Attacks are competitive. Groups fight to hold onto access longer.
Finally, targets include critical national systems. Government, telecom, transport and media all handle sensitive data. A breach in one can have wide impact.
What ANSSI Recommends
ANSSI urges French organizations to update Ivanti CSA to version 5.0 or later. This version isn’t vulnerable to the three flaws.
They also recommend enhanced detection of rootkits. Look for hidden kernel modules and suspicious TCP hijacks. Monitor lateral movement and abnormal remote execution.
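ANSSI’s advice to look for hidden kernel modules can be turned into a simple host check. The script below is an added example, not code from the ANSSI report or from Ivanti. It assumes a Linux host with /proc and /sys mounted, and relies on the fact that `lsmod` reads /proc/modules, a list a rootkit can unlink itself from, while a loaded module normally still has a /sys/module/<name>/initstate entry. In the demo data, only the module name sysinitd is taken from the report; the other lines are constructed.

```shell
#!/bin/sh
# Added example (not from the ANSSI report): cross-check two views the kernel
# keeps of its loaded modules. A name present in sysfs but absent from
# /proc/modules is a classic sign of a module hiding from `lsmod`.

# list_sysfs_modules: print the names of loadable modules known to sysfs.
# Built-in modules also get a /sys/module directory, but without an
# initstate file, so the initstate check keeps them out of the comparison.
list_sysfs_modules() {
  for d in /sys/module/*/; do
    if [ -f "${d}initstate" ]; then
      basename "$d"
    fi
  done
}

# find_hidden_modules PROC_MODULES_FILE SYSFS_NAMES_FILE
#   PROC_MODULES_FILE: contents of /proc/modules (first field is the name)
#   SYSFS_NAMES_FILE : one module name per line, as list_sysfs_modules prints
# Prints, sorted, every name present in sysfs but missing from /proc/modules.
find_hidden_modules() {
  awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
       !($1 in seen) { print $1 }' "$1" "$2" | sort -u
}

# check_live_system: run the comparison against the running kernel.
# Returns 0 when nothing is hidden, 1 when at least one name is sysfs-only.
check_live_system() {
  tmp=$(mktemp -d) || return 2
  list_sysfs_modules > "$tmp/sysfs"
  hidden=$(find_hidden_modules /proc/modules "$tmp/sysfs")
  rm -rf "$tmp"
  if [ -n "$hidden" ]; then
    printf 'possible hidden kernel module(s):\n%s\n' "$hidden"
    return 1
  fi
  echo "no modules hidden from /proc/modules"
}

# demo: constructed data with three modules visible in sysfs but only two
# listed in /proc/modules. The odd one out carries the name from the report.
demo() {
  tmp=$(mktemp -d) || return 2
  printf 'ext4 905216 2 - Live 0x0000000000000000\nxfs 1769472 0 - Live 0x0000000000000000\n' > "$tmp/proc"
  printf 'xfs\nsysinitd\next4\n' > "$tmp/sysfs"
  find_hidden_modules "$tmp/proc" "$tmp/sysfs"   # prints: sysinitd
  rm -rf "$tmp"
}

demo
```

Source the file and call `check_live_system` as root to run the comparison on a real host. A clean result is not proof of absence (a rootkit can also tamper with sysfs), so treat it as one cheap signal alongside the network-level monitoring ANSSI describes.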
Invest in behavioral threat detection. Conduct forensic investigations after incidents. And adopt rapid patching policies for internet‑facing systems.
ANSSI also suggests international cooperation. Since several countries have had or may have similar attacks, sharing intelligence helps defense.
Broader Context
This campaign echoes past Ivanti incidents. In April 2021, suspected Chinese actors used Pulse Connect Secure zero-days to breach government and financial institutions across North America and Europe.
Ivanti has repeatedly had high numbers of vulnerabilities across its products. CISA’s catalog shows more than 30 Ivanti flaws in the past four years.
Threat groups like UNC5174 have made initial access brokering into a practice. They often exploit edge device flaws to gain persistent network access. Then they sell it. And sometimes they carry out more espionage or profit-driven activity themselves.
In ANSSI’s view, the Houken/UNC5174 blend shows a hybrid model. It mixes contract-based infiltration for state buyers with independent criminal activity.
What Other Experts Say
Security researchers note the sophistication of the campaign. The rootkit usage, chaining of zero‑days, and self‑patching all point to a top‑tier group. The use of open‑source tools masks activity in plain sight.([cyberscoop.com][6], [govinfosecurity.com][8])
Experts also warn: even patched systems remain at risk if lateral movement goes undetected. That’s why detection capabilities are vital.
Security newsletters note this campaign is a wake‑up call for edge device security. Appliances that connect corporate networks to cloud services must be monitored and updated often.
Implications for France and Beyond
France now must ensure those sectors are secure. That includes telecoms, transport companies and media firms. A breach in any of them could lead to widespread disruption.
Other countries should take notice. If French targets were hit, attackers may try the same approach elsewhere. Countries should scan for Ivanti CSA appliances and apply patches.
International organizations—such as telecom standards bodies or EU security groups—might push guidance on appliance patching and threat monitoring.