Introduction: A Sophisticated Espionage Campaign Unveiled
In a high-stakes cybersecurity development, France’s national cybersecurity agency (ANSSI) has exposed a widespread attack targeting some of the country’s most sensitive sectors. This stealth campaign, attributed to a Chinese-affiliated group known as Houken, leveraged multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. What sets this operation apart is its use of advanced tactics, including rootkits, open-source tools, and a multi-layered exploitation model that points to both espionage and profit-driven motives.
The Original
In September 2024, ANSSI uncovered a malicious campaign that breached various sectors in France, including government, telecommunications, finance, and media. The threat actor, identified as Houken, shares characteristics with a known Chinese-linked group dubbed UNC5174 (also known as Uteus or Uetus), previously tracked by Google’s Mandiant.
Houken utilized a mix of zero-day vulnerabilities in Ivanti CSA (CVE-2024-8963, CVE-2024-9380, CVE-2024-8190) to infiltrate systems. The group’s tactics included deploying PHP web shells, modifying existing scripts to inject malicious code, and installing a kernel-level rootkit named sysinitd.ko, which allows remote execution of commands with root privileges. The campaign also used web shells such as Behinder and neo-reGeorg, alongside the GOREVERSE malware and tunneling tool suo5.
Notably, the attack infrastructure combines open-source tools crafted by Chinese-speaking developers and commercial VPNs, making it harder to detect. Analysts believe Houken functions as an initial access broker, gaining network entry before selling access to other actors—possibly including state-sponsored groups. Evidence shows an organized multi-actor structure: one entity identifies vulnerabilities, another exploits them at scale, and others use the access for further operations.
Recent links between UNC5174 and exploitation of SAP NetWeaver flaws—via malware like GOREVERSE and SNOWLIGHT—underscore the group’s persistent targeting of high-value systems. These hackers have also previously compromised software from Palo Alto Networks, F5, and ConnectWise.
Houken’s operations span globally, with victims in Southeast Asia, Western governments, and NGOs in China. Their campaign includes reconnaissance, time zone-aligned operations in UTC+8 (China Standard Time), and even patching of vulnerabilities to block other hackers.
Adding to the complexity, the campaign included a financial layer: at least one incident saw access used for deploying cryptocurrency miners. This dual motive—espionage and profit—strengthens the hypothesis that Houken is a semi-private actor selling intelligence and services to state-linked clients.
🔍 What Undercode Say:
A Closer Look at the Threat Mechanics
This campaign exemplifies the evolution of cyber threats—from isolated hacking attempts to strategic, layered operations. Houken’s use of zero-day exploits in widely deployed enterprise hardware, such as Ivanti CSA, signifies the growing importance of supply-chain and infrastructure-level security.
The malware stack (GOREVERSE, suo5, sysinitd.ko) employed by the attackers highlights a mature and modular offensive framework. This isn’t script-kiddie behavior—it reflects a professional operation, with detailed recon, tailored payloads, and persistence strategies. The deployment of rootkits also suggests they anticipate forensic analysis and attempt to neutralize it in advance.
Advanced Threat Modeling and Attribution
UNC5174 and Houken likely represent the same or closely affiliated entities. Their repeated use of similar tactics, techniques, and procedures (TTPs)—such as tunneling tools, Chinese-language toolsets, and time zone alignment—points to a shared infrastructure or leadership. Attribution is always complex in cybersecurity, but these patterns are hard to ignore.
Moreover, the use of Ivanti’s zero-days is notable. Ivanti appliances are common in enterprise environments, and attackers targeting them show a strategic interest in gaining long-term, stealthy access to high-value targets—particularly where secure remote access and cloud operations are critical.
Implications for France and Global Security
The sectors hit—finance, telecom, defense, and government—are foundational to national stability. Such breaches don’t just leak data; they open doors for influence, surveillance, and critical infrastructure sabotage. Given that France has a prominent role in the EU, this could also be interpreted as indirect espionage on broader European interests.
The operational theory from HarfangLab that Houken serves as an “initial access broker” adds a new layer. It suggests cybercrime is increasingly “as-a-service,” where threat actors specialize in segments: some discover exploits, others build backdoors, and another group monetizes or weaponizes access. This modular economy of cybercrime parallels developments seen in ransomware-as-a-service ecosystems.
Defensive Posture and Industry Response
Security professionals need to understand that these are not isolated cases. Organizations must implement robust vulnerability management, adopt zero-trust frameworks, and ensure continuous monitoring of root-level behaviors. Endpoint detection and response (EDR) tools, kernel-level logging, and regular threat hunting are essential to uncover stealthy persistence mechanisms like sysinitd.ko.
Patch management also becomes critical. Notably, the attackers patched systems themselves to maintain exclusive access—ironically protecting systems from other hackers. This paradox underlines the need for enterprises to stay ahead of patch cycles, rather than relying on luck or, worse, the ethics of cybercriminals.
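As an added illustration of the kernel-level monitoring recommended above (example code written for this write-up, not a tool from ANSSI, Undercode, Ivanti or any other organization named here), the script below audits the modules a Linux host reports as loaded. It parses the /proc/modules format, compares the list against a known-good baseline, and cross-checks it against the kernel's modules.dep index, since a module loaded from an unexpected location typically has no entry there. The sample /proc/modules and modules.dep contents, the baseline, sizes and addresses are all constructed; only the sysinitd module name comes from the article.

```python
"""Baseline audit of loaded Linux kernel modules.

Added example for this article, not ANSSI's, Undercode's or Ivanti's tooling.
Two checks are run over the module list:
  1. the module is not in a curated allowlist (baseline);
  2. the module has no entry in modules.dep, i.e. it is not part of the
     installed module tree for the running kernel.
"""
from dataclasses import dataclass

# Constructed sample of /proc/modules: name size refcount dependents state address.
# The 'sysinitd' name is the rootkit module reported by ANSSI; its size and
# address here are made up for the example.
SAMPLE_PROC_MODULES = """\
xfs 1843200 2 - Live 0xffffffffc0a00000
libcrc32c 16384 1 xfs, Live 0xffffffffc09f0000
e1000 155648 0 - Live 0xffffffffc09c0000
sysinitd 20480 0 - Live 0xffffffffc0b00000
"""

# Constructed sample of /lib/modules/<release>/modules.dep (path: dependencies).
SAMPLE_MODULES_DEP = """\
kernel/fs/xfs/xfs.ko: kernel/lib/libcrc32c.ko
kernel/lib/libcrc32c.ko:
kernel/drivers/net/ethernet/intel/e1000/e1000.ko:
"""

# Assumed known-good baseline for this host; in practice build it from a
# clean reference image.
BASELINE = frozenset({"xfs", "libcrc32c", "e1000"})


@dataclass(frozen=True)
class LoadedModule:
    name: str
    size: int
    refcount: int
    dependents: tuple
    state: str
    address: str


def parse_proc_modules(text: str) -> list:
    """Parse the six-column /proc/modules layout into LoadedModule records."""
    modules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed /proc/modules line: {line!r}")
        name, size, refcount, deps, state, addr = fields[:6]
        # The dependents column is '-' or a comma-terminated list ("xfs,").
        dependents = tuple(d for d in deps.split(",") if d and d != "-")
        modules.append(LoadedModule(name, int(size), int(refcount), dependents, state, addr))
    return modules


def parse_modules_dep(text: str) -> set:
    """Return the set of module names indexed in a modules.dep file."""
    names = set()
    for line in text.splitlines():
        if ":" not in line:
            continue
        path = line.split(":", 1)[0].strip()
        base = path.rsplit("/", 1)[-1]
        # Strip .ko and any compression suffix used by the distribution.
        for suffix in (".ko.xz", ".ko.zst", ".ko.gz", ".ko"):
            if base.endswith(suffix):
                base = base[: -len(suffix)]
                break
        # Filenames may use '-', while /proc/modules always reports '_'.
        names.add(base.replace("-", "_"))
    return names


def audit_modules(proc_text: str, dep_text: str, baseline) -> dict:
    """Run both checks and return the flagged module names per check."""
    modules = parse_proc_modules(proc_text)
    indexed = parse_modules_dep(dep_text)
    return {
        "not_in_baseline": sorted(m.name for m in modules if m.name not in baseline),
        "not_in_module_index": sorted(m.name for m in modules if m.name not in indexed),
    }


if __name__ == "__main__":
    findings = audit_modules(SAMPLE_PROC_MODULES, SAMPLE_MODULES_DEP, BASELINE)
    for check, names in findings.items():
        print(f"{check}: {names or 'none'}")
```

On a live host, feed audit_modules the contents of /proc/modules and of /lib/modules/$(uname -r)/modules.dep. Both checks only see what the kernel is willing to report: a rootkit that unlinks itself from the module list will not appear, so this kind of audit belongs alongside EDR telemetry and kernel logging rather than in place of them, and a module absent from modules.dep can also be a legitimate out-of-tree build, which is why the baseline check is kept separate.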
✅ Fact Checker Results:
✅ CVE Validation: The Ivanti CVEs (CVE-2024-8963, CVE-2024-9380, CVE-2024-8190) have been confirmed and are listed in the NVD database.
✅ Attribution Overlap: Multiple sources, including Google Mandiant and SentinelOne, link UNC5174 and Houken by TTPs and malware artifacts.
❌ No Official State Link Confirmation: While state-affiliation is suspected, there’s no direct proof yet from a national intelligence agency.
🔮 Prediction: Escalation in Initial Access Brokerage 🧠
Cyberattacks driven by initial access brokers will become increasingly common in 2025 and beyond. Rather than traditional APT groups executing full attack chains, we will likely see specialized groups like Houken offering high-value accesses to the highest bidder—be it a state-sponsored unit, a ransomware gang, or even a corporate espionage client.
Expect further zero-day discoveries targeting infrastructure solutions (VPNs, cloud gateways, enterprise appliances), and more intricate malware stacks that combine open-source stealth tools with proprietary rootkits. France’s experience may be a glimpse of what’s ahead for the rest of Europe and beyond.
References:
Reported By: thehackernews.com