Introduction
In 2024, France’s critical infrastructure faced a serious cyber assault leveraging three zero-day vulnerabilities in Ivanti Cloud Services Appliance devices. This coordinated attack affected multiple sectors including government, telecommunications, media, finance, and transportation. The French cybersecurity agency’s recent report reveals that these intrusions were carried out by a China-linked threat actor, highlighting ongoing risks from state-sponsored hacking groups targeting vital systems worldwide. Understanding how these vulnerabilities were exploited and the broader implications for cybersecurity is crucial for organizations aiming to defend against sophisticated attacks.
Widespread Impact of Ivanti Zero-Day Exploits in France
Between September and November 2024, France suffered an extensive cyberattack campaign that exploited three distinct zero-day vulnerabilities—CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—in Ivanti Cloud Services Appliances. The affected targets ranged from government agencies to key industries like telecommunications, media, finance, and transportation, revealing a broad and impactful strike on critical infrastructure. The French National Agency for the Security of Information Systems (ANSSI) attributed the attack to UNC5174, a group previously linked to Chinese hacktivist networks and believed to operate under the influence of China’s Ministry of State Security.
This attacker, known by the alias “Uteus,” has a history of exploiting vulnerabilities in various edge devices including ConnectWise ScreenConnect, F5 BIG-IP, and Zyxel firewalls, signaling a sophisticated and persistent adversary. The French authorities identified a unique intrusion toolkit dubbed “Houken,” which combined zero-day exploits with advanced rootkits, open-source tools, commercial VPNs, and dedicated servers to maintain stealthy, persistent access. This toolkit allowed UNC5174 not only to infiltrate networks but also to steal credentials and sell access, indicating a dual motive of espionage and profit.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed this chain of Ivanti zero-day vulnerabilities was exploited to gain initial network access, execute remote code, harvest credentials, and deploy webshells for ongoing control. Researchers have observed UNC5174 blending their tactics with common cybercriminal tools to evade detection, increasing the threat’s complexity. Ivanti, the software provider, has faced criticism for shipping multiple products with a high volume of vulnerabilities over recent years, making it a frequent target for attackers.
CISA’s catalog of known exploited vulnerabilities lists 30 Ivanti flaws over the last four years, seven of them in 2024 alone. Despite the ongoing risks, Ivanti has yet to respond publicly to the French report, leaving open questions about the company’s security posture and remediation efforts.
What Undercode Say:
The incident in France serves as a stark reminder of the evolving cyber threat landscape and the increasing sophistication of state-linked hacking groups. UNC5174’s ability to leverage zero-day vulnerabilities across multiple critical sectors demonstrates a high level of operational capability and resource investment. The attacker’s focus on Ivanti devices also shines a light on the challenges posed by third-party software vulnerabilities in national security contexts.
Ivanti’s track record of producing software with numerous exploitable flaws suggests systemic issues in their development lifecycle and vulnerability management. This pattern of repeated exposure not only endangers their customers but also provides a lucrative opportunity for attackers seeking entry points into high-value networks. Organizations relying on Ivanti products must urgently reassess their risk profiles, implement stringent monitoring, and apply patches or mitigations as quickly as possible.
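The reassessment called for above starts with a simple question: which of the edge products we run are already in CISA’s Known Exploited Vulnerabilities catalog, and how many entries per vendor per year does that catalog hold? The script below is an added example, not code from the article, from CISA or from Ivanti. It assumes the field names CISA publishes in its KEV JSON feed (cveID, vendorProject, product, dateAdded); the feed entries and the asset inventory are constructed sample data, with the three CVE IDs named in this article and two obviously fake placeholder IDs, and the dateAdded values are sample values rather than quotes from the live catalog.

```python
"""Cross-check an asset inventory against a CISA KEV-style feed.

Added example (not code from the article, CISA or Ivanti). Field names follow
the JSON feed CISA publishes for its Known Exploited Vulnerabilities catalog;
the entries and the inventory below are constructed sample data.
"""
import json
from collections import Counter
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        # The three CVE IDs named in the article; dateAdded values are samples.
        {"cveID": "CVE-2024-8190", "vendorProject": "Ivanti",
         "product": "Cloud Services Appliance", "dateAdded": "2024-09-13"},
        {"cveID": "CVE-2024-8963", "vendorProject": "Ivanti",
         "product": "Cloud Services Appliance", "dateAdded": "2024-09-19"},
        {"cveID": "CVE-2024-9380", "vendorProject": "Ivanti",
         "product": "Cloud Services Appliance", "dateAdded": "2024-10-09"},
        # Placeholder entries (IDs are deliberately fake) to exercise the
        # per-year count and the non-Ivanti matching path.
        {"cveID": "CVE-2023-XXXXX", "vendorProject": "Ivanti",
         "product": "Placeholder Product", "dateAdded": "2023-03-01"},
        {"cveID": "CVE-2024-XXXXX", "vendorProject": "ExampleVendor",
         "product": "Example Router", "dateAdded": "2024-05-05"},
    ],
})

# Constructed inventory: what the organisation believes it runs at the edge.
SAMPLE_INVENTORY = [
    {"host": "csa-01.example.internal", "vendor": "Ivanti",
     "product": "Cloud Services Appliance"},
    {"host": "rtr-01.example.internal", "vendor": "examplevendor",
     "product": "example router"},
    {"host": "web-01.example.internal", "vendor": "OtherVendor",
     "product": "Web Server"},
]


def load_kev(feed_text):
    """Parse the KEV JSON document and return its vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(value):
    """Lower-case and collapse whitespace so vendor/product names compare loosely."""
    return " ".join(value.lower().split())


def kev_entries_per_year(entries, vendor):
    """Count catalog entries for one vendor, keyed by the year they were added."""
    counts = Counter(
        int(e["dateAdded"][:4]) for e in entries
        if _norm(e["vendorProject"]) == _norm(vendor)
    )
    return dict(sorted(counts.items()))


def _product_matches(kev_product, inventory_product):
    """KEV product names are not normalised, so accept a substring match either way."""
    a, b = _norm(kev_product), _norm(inventory_product)
    return a in b or b in a


def exposed_assets(entries, inventory):
    """Return (host, cveID) pairs for inventory items that match a catalog entry."""
    hits = []
    for asset in inventory:
        for e in entries:
            if (_norm(e["vendorProject"]) == _norm(asset["vendor"])
                    and _product_matches(e["product"], asset["product"])):
                hits.append((asset["host"], e["cveID"]))
    return hits


def added_since(entries, since_iso):
    """CVE IDs added to the catalog on or after the given ISO date (YYYY-MM-DD)."""
    since = date.fromisoformat(since_iso)
    return sorted(
        e["cveID"] for e in entries
        if date.fromisoformat(e["dateAdded"]) >= since
    )


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("Ivanti entries per year:", kev_entries_per_year(kev, "Ivanti"))
    for host, cve in exposed_assets(kev, SAMPLE_INVENTORY):
        print(f"{host}: product is listed in KEV under {cve}")
    print("Added since 2024-10-01:", added_since(kev, "2024-10-01"))
```

Run against the live feed, the output is the list of hosts whose product has a catalog entry, which is the patch queue to work first; the per-year count per vendor gives the trend the article cites for Ivanti, and `added_since` feeds the same check into a daily job so a newly catalogued flaw in a product you run surfaces within a day of CISA publishing it.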
The use of open-source offensive security tools and commercial VPNs by UNC5174 illustrates how threat actors blend sophisticated tactics with accessible resources to complicate attribution and detection. This hybrid approach can lull defenders into underestimating the threat or misclassifying it as routine cybercrime, allowing prolonged access and data exfiltration.
Moreover, the French report’s indication that UNC5174 operates as an initial access broker highlights an often-overlooked aspect of modern cyber espionage. Rather than exploiting the access for intelligence collection themselves, such groups may sell or lease it to other state actors, expanding the reach and impact of a single intrusion. This market-like behavior requires governments and corporations to rethink defense strategies, focusing not only on vulnerability patching but also on early detection of credential theft and lateral movement within networks.
In conclusion, this attack underscores the importance of international cooperation in cybersecurity, enhanced transparency from software vendors, and increased investment in proactive defenses. As attackers grow more creative and resourceful, defenders must evolve their tactics and technologies to protect critical infrastructure and national interests effectively.
🔍 Fact Checker Results
UNC5174 is confirmed linked to China’s Ministry of State Security ✅
The Ivanti zero-days were actively exploited in France during 2024 ✅
Ivanti has a history of vulnerabilities but no official comment was made on this attack ❌
📊 Prediction
Given the persistent targeting of Ivanti products and the demonstrated effectiveness of UNC5174’s tactics, similar attacks exploiting zero-days in third-party infrastructure software will likely increase. Organizations globally, especially in critical sectors, must expect more advanced persistent threats using multi-stage exploit chains and zero-days. Software vendors like Ivanti will face growing pressure to improve security practices or risk becoming repeated attack vectors. Furthermore, the market for initial access brokers will expand, making early threat intelligence and rapid incident response crucial for cyber defense in the coming years.
References:
Reported By: cyberscoop.com