Full Report
French authorities said government agencies and businesses spanning telecom, media, finance and transportation were impacted by the widely exploited Ivanti vulnerabilities. The post China-linked attacker hit France’s critical infrastructure via trio of Ivanti zero-days last year appeared first on CyberScoop.
Analysis Summary
# Incident Report: French Critical Infrastructure Compromise via Ivanti Zero-Days
## Executive Summary
A China-linked threat actor, tracked by France's ANSSI as the intrusion set "Houken" and linked by ANSSI to the group Mandiant tracks as UNC5174, ran a targeted campaign against French organisations between September and November 2024. The attackers chained three vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380), exploited as zero-days at the start of the campaign, to gain initial access. Victims spanned government agencies and businesses in telecommunications, media, finance and transportation; the likely aim was intelligence collection for a state-linked customer.
## Incident Details
- **Discovery Date:** The activity was documented by ANSSI/CERT-FR; its public report on the Houken intrusion set was published in July 2025, after the campaign had ended in late November 2024.
- **Incident Date:** Early September 2024 to late November 2024.
- **Affected Organization:** Multiple government agencies and businesses across France.
- **Sector:** Critical Infrastructure (Telecommunications, Media, Finance, Transportation).
- **Geography:** France.
## Timeline of Events
### Initial Access
- **Date/Time:** Early September 2024.
- **Vector:** Exploitation of three chained vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices, used as zero-days: CVE-2024-8963 (path traversal that bypasses administrative authentication) and CVE-2024-8190 and CVE-2024-9380 (OS command injection in the admin interface, authenticated on their own).
- **Details:** Chaining the authentication bypass with either command-injection flaw gives unauthenticated remote code execution on the appliance; the attackers used that as their initial foothold into victim networks.
### Lateral Movement
- **Details:** The Houken intrusion set used a rootkit, open-source tooling (such as VShell and WebSockets) and attacker-controlled dedicated servers to maintain its foothold and, from there, move into victim networks. Persistence mechanisms were deployed on compromised hosts so that access survived remediation of the initial vector.
### Data Exfiltration/Impact
- **Details:** The likely goal was intelligence gathering: ANSSI assesses the operator as an initial access broker (IAB) that sells footholds to state-linked entities. Specific data losses were not detailed; the observed intent was to harvest credentials and collect sensitive intelligence.
### Detection & Response
- **Detection:** The activity was identified and documented by French cybersecurity authorities (ANSSI/CERT-FR). CISA and the FBI had already published a joint advisory (AA25-022A) in January 2025 describing how threat actors chained the Ivanti CSA vulnerabilities.
- **Response Actions:** Not detailed in the report. At a minimum they involve isolating or rebuilding the exploited CSA appliances and removing the persistence (rootkit, webshells) the actor established beyond the appliance.
## Attack Methodology
- **Initial Access:** Exploitation of the Ivanti CSA zero-days (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380).
- **Persistence:** A rootkit and webshells deployed on compromised hosts for enduring access.
- **Privilege Escalation:** Not described. Installing a rootkit implies root on the affected host; how that level of access was obtained is not stated.
- **Defense Evasion:** A rootkit to hide the implant, and widely available open-source tooling (e.g., VShell, WebSockets) that blends in with other actors' activity rather than bespoke malware.
- **Credential Access:** Credential theft is named as an objective of the actor (UNC5174); specific techniques are not described.
- **Discovery:** Not described in the report.
- **Lateral Movement:** Not described in detail; the persistent foothold on the appliance implies movement toward internal networks.
- **Collection:** Focused on gathering sensitive intelligence.
- **Exfiltration:** Not described; as an access broker, the actor hands the foothold (and any collected data) to the state-linked customer paying for it.
- **Impact:** Intelligence theft targeting critical national infrastructure sectors.
## Impact Assessment
- **Financial:** Not specified; the cost of investigating and rebuilding compromised systems across several sectors is likely to be significant.
- **Data Breach:** Data was gathered for intelligence purposes, impacting critical infrastructure entities.
- **Operational:** Significant operational risk due to the compromise of critical sectors (telecom, finance, transport).
- **Reputational:** Damage to the national confidence regarding the security of critical infrastructure systems.
## Indicators of Compromise
- **Network indicators:** Use of commercial VPN services and attacker-controlled dedicated servers; specific IPs and domains are not reproduced on this page.
- **File indicators:** Rootkit components; specific hashes and file names are not reproduced on this page.
- **Behavioral indicators:** Chaining of the three Ivanti CSA vulnerabilities (an unauthenticated request reaching admin functionality, followed by command execution); webshells deployed post-exploitation; use of tools associated with UNC5174/Houken intrusions.
## Response Actions
- **Containment:** Isolate all exploited Ivanti CSA appliances and patch or upgrade them; Ivanti's guidance was to move to CSA 5.0, since the 4.6 line was end-of-life.
- **Eradication:** Removal of the rootkit and any webshells or backdoors associated with the Houken intrusion set, on the appliance and on any internal hosts it reached. Because a rootkit hides its own presence, rebuilding the appliance from a known-good image is the safer option.
- **Recovery:** Restoration of compromised systems, rotation of any credentials the appliance held or that transited it, and verification of security posture across affected critical infrastructure.
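The eradication step above assumes you can find the webshells an actor dropped. The script below is an added example, not ANSSI's, CyberScoop's or Ivanti's tooling: it walks a PHP webroot and flags files that execute code fed by request input, use common obfuscation wrappers, or were modified after a baseline timestamp (for an appliance, the time of the last vendor patch). The sample webroot, the `/gsb/` directory name and the PHP snippets are constructed for illustration.

```python
"""Triage a PHP webroot for webshell-like files (added example, constructed data)."""
import os
import re
import tempfile
import time

# Indicators typical of PHP webshells. The patterns are illustrative, not a
# published signature set.
EXEC_CALL = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")


def inspect_php(source: str, mtime: float, baseline_ts: float) -> list[str]:
    """Return the reasons a single PHP file looks suspicious (empty if clean)."""
    reasons = []
    # Code execution whose argument comes from the request is the classic shell.
    if EXEC_CALL.search(source) and REQUEST_INPUT.search(source):
        reasons.append("exec_from_request")
    if OBFUSCATION.search(source):
        reasons.append("obfuscation")
    # On an appliance the webroot should only change when the vendor patches it.
    if mtime > baseline_ts:
        reasons.append("modified_after_baseline")
    return reasons


def scan_webroot(root: str, baseline_ts: float) -> dict[str, list[str]]:
    """Map relative path -> reasons for every PHP file that trips an indicator."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            reasons = inspect_php(src, os.stat(full).st_mtime, baseline_ts)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_webroot() -> tuple[str, float]:
    """Create a constructed webroot in a temp dir; returns (root, baseline_ts)."""
    root = tempfile.mkdtemp(prefix="csa-webroot-")
    baseline = time.time() - 30 * 86400  # pretend the last vendor patch was 30 days ago
    samples = {
        # legitimate-looking files, older than the baseline
        "index.php": ("<?php echo 'login page'; ?>", baseline - 86400),
        "gsb/settings.php": ("<?php $tz = $_POST['tz']; date_default_timezone_set($tz); ?>",
                             baseline - 86400),
        # a plain eval shell dropped after the baseline
        "uploads/shell.php": ("<?php @eval($_POST['c']); ?>", baseline + 3600),
        # a variable-function shell: 'c3lzdGVt' is base64 for 'system'
        "cache/.x.php": ("<?php $p=base64_decode('c3lzdGVt'); $p($_GET['q']); ?>",
                         baseline + 7200),
    }
    for rel, (src, mtime) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(src)
        os.utime(full, (mtime, mtime))
    return root, baseline


if __name__ == "__main__":
    sample_root, baseline_ts = build_sample_webroot()
    for path, why in sorted(scan_webroot(sample_root, baseline_ts).items()):
        print(f"{path}: {', '.join(why)}")
```

Note what the two planted shells teach: `uploads/shell.php` is caught by the literal `eval(`-plus-`$_POST` rule, while `cache/.x.php` hides the function name behind `base64_decode` and calls it through a variable, so only the obfuscation and mtime rules catch it. The settings page that reads `$_POST` but never executes it is correctly left alone. In a real investigation run this against a copy of the filesystem taken from the suspect appliance, with the baseline set to the last legitimate patch time, and review every hit by hand rather than trusting the patterns.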
## Lessons Learned
- **Key takeaways:** Even an established initial access broker (UNC5174) now burns zero-days in edge appliances rather than relying solely on known flaws, which raises the bar for defenders. Internet-facing management appliances such as Ivanti CSA remain high-value targets because they sit outside most endpoint monitoring and hold credentials to internal systems.
- **What could have been done better:** The three flaws were zero-days when first used, so patching alone could not have prevented the earliest intrusions. Once Ivanti published advisories (September and October 2024), patching within days, retiring the end-of-life CSA 4.6 line, and hunting for post-exploitation activity on already-exposed appliances would have shortened the actor's window; a threat-hunting programme tuned to known UNC5174 tradecraft would have helped find the footholds that patching leaves behind.
## Recommendations
- **Prevention measures for similar incidents:** Run a vulnerability management programme that covers every network edge device, including appliances that cannot take an endpoint agent. Restrict the management interface of such appliances to an internal admin network rather than exposing it to the internet. Apply strict segmentation and zero-trust principles so that a compromised appliance cannot reach the network core, and give the appliance only the least-privileged credentials it needs. Forward the appliance's web-access and system logs to a SIEM and monitor them for anomalous activity originating from its web interface: unauthenticated requests reaching administrative functionality, request parameters containing shell metacharacters, and new files appearing in the webroot.
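The monitoring recommendation above, and the behavioral indicators listed under Indicators of Compromise, both come down to spotting an exploitation chain in the appliance's own web-access log: an unauthenticated request that reaches admin functionality, followed by a request whose parameters carry shell metacharacters. The hunting script below is an added example, not code from ANSSI, CISA or Ivanti. It assumes a Combined-style access log with the authenticated user in the third field, that the admin pages live under `/gsb/`, and that the `%3F`-in-path trick is a useful path-confusion indicator; the log lines and IP addresses are constructed, and no real exploit payload is reproduced.

```python
"""Hunt an edge appliance's web-access log for exploitation-style requests.

Added example with constructed data. The log format, the admin path prefix and
the indicator rules are assumptions about what an abused appliance would log,
not published signatures for the Ivanti CSA chain.
"""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

ADMIN_PREFIX = "/gsb/"                      # assumed admin path of the appliance
SHELL_META = re.compile(r"[;|`&]|\$\(|\$\{")  # command-injection metacharacters

# Constructed sample: one attacker (203.0.113.7) and one legitimate admin session.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2024:02:11:45 +0000] "GET /client/index.php HTTP/1.1" 200 512
203.0.113.7 - - [03/Sep/2024:02:11:46 +0000] "GET /client/index.php%3F.php/gsb/settings.php HTTP/1.1" 200 2048
203.0.113.7 - - [03/Sep/2024:02:11:50 +0000] "POST /gsb/settings.php?tz=UTC;id HTTP/1.1" 200 88
198.51.100.23 - admin [03/Sep/2024:08:30:01 +0000] "GET /gsb/reports.php HTTP/1.1" 200 4096
198.51.100.23 - admin [03/Sep/2024:08:30:05 +0000] "GET /gsb/settings.php?tz=Europe/Paris HTTP/1.1" 200 1024
"""


def query_values(query: str):
    """Yield decoded (key, value) pairs; split on '&' only, so ';' survives."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield unquote_plus(key), unquote_plus(value)


def classify(entry: dict) -> list[str]:
    """Return the names of the rules a parsed log entry trips."""
    hits = []
    parts = urlsplit(entry["target"])
    path = unquote(parts.path)
    # An encoded '?' or '..' inside the path is a path-confusion attempt against
    # the front controller; normal clients never send that.
    if "?" in path or "/../" in path or path.endswith("/.."):
        hits.append("path_confusion")
    # Admin functionality served (2xx) to a request with no authenticated user.
    if ADMIN_PREFIX in path and entry["user"] == "-" and entry["status"].startswith("2"):
        hits.append("unauth_admin")
    # Shell metacharacters in a decoded parameter value.
    if any(SHELL_META.search(value) for _, value in query_values(parts.query)):
        hits.append("cmd_injection")
    return hits


def hunt(log_text: str) -> list[dict]:
    """Parse every line and return the ones that trip at least one rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines should be counted in a real job, not dropped
        entry = m.groupdict()
        hits = classify(entry)
        if hits:
            findings.append({"line": lineno, "src": entry["src"],
                             "target": entry["target"], "rules": hits})
    return findings


def suspicious_sources(findings: list[dict]) -> list[str]:
    """Distinct source addresses behind the findings, sorted."""
    return sorted({f["src"] for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']} {f['src']} {f['target']} -> {', '.join(f['rules'])}")
    print("sources to investigate:", suspicious_sources(hunt(SAMPLE_LOG)))
```

Two things the example is meant to show. First, the chain is visible as a sequence, not a single line: the unauthenticated hit on an admin page is the bypass, and the metacharacter-laden request moments later is the command injection, so correlate by source address and time rather than alerting on one rule alone. Second, the `unauth_admin` rule depends on the appliance actually logging the authenticated user; if yours does not, the same signal can be approximated by a 2xx on an admin path with no preceding successful login from that source.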