Chinese State Hackers Exploit Ivanti Zero-Day Flaws to Breach French Organizations: What You Need to Know

If you manage IT security or simply care about the safety of your organization’s digital world, the latest wave of cyberattacks out of France is a wake-up call you can’t afford to snooze. In a campaign that sounds like it leapt out of a cyber-thriller, Chinese state-linked hackers have been systematically exploiting zero-day vulnerabilities in Ivanti devices to breach major French institutions—including those in government, telecom, media, finance, and transport.

But what exactly happened? Who is responsible, and how did they pull off these attacks? Most importantly, what can you learn—and do—to keep your organization safe?

Let’s cut through the jargon, unpack the timeline, and draw out practical lessons from this high-stakes game of digital espionage.

Unveiling the Houken Intrusion Set: Who’s Behind the Attacks on France?

Imagine a group of cyber operatives with the skills to unearth new, unknown software flaws—so-called “zero-days”—and the boldness to use them against critical infrastructure across a nation. That’s the picture painted by France’s national cybersecurity agency, ANSSI, in their July 2025 report on the “Houken” intrusion set.

The Suspected Culprit: China’s Ministry of State Security

ANSSI’s Computer Emergency Response Team (CERT-FR) links Houken to UNC5174, a threat actor previously spotlighted by Google’s Threat Intelligence Group (source). UNC5174 is widely believed to be an “initial access broker” working with or for China’s Ministry of State Security (MSS).

Let’s break that down: – Initial Access Broker: A cybercriminal group that specializes in breaking into organizations, then selling that access to others—often nation-states—interested in intelligence or further attacks. – Chinese Attribution: Key forensic markers, such as time zones (UTC+8, matching China Standard Time), language clues in code, and attack patterns, all point to a Chinese state nexus.

Here’s why that matters: It elevates these attacks from criminal mischief to international cyber-espionage, making them part of a global geopolitical struggle.

Timeline of the Campaign: From Discovery to Disclosure

When Did the Attacks Start?

Although ANSSI first detected the campaign in September 2024, forensic evidence suggests the hackers may have been active as early as 2023—making these stealthy breaches all the more alarming.

Key Milestones

September 2024: Repeated exploitations of Ivanti Cloud Service Appliance (CSA) zero-days begin.
September–November 2024: Attackers maintain access, move laterally, and deploy advanced malware across French organizations.
September 10, September 15 & October 8, 2024: Ivanti issues patches for CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380.
November 2024: Attacks continue at least through this time.
July 1, 2025: ANSSI publishes its comprehensive report (CERT-FR Source).

How Did the Hackers Breach Ivanti Devices? (Here’s the Attack Chain)

The attackers’ playbook combined both sophistication and, at times, surprising sloppiness. Let me walk you through their tactics—because understanding “how” is the first step to defending against “what’s next.”

Step 1: Chaining Ivanti Zero-Day Vulnerabilities

The attackers exploited three “zero-day” vulnerabilities—flaws that were unknown and unpatched when they struck. These are now identified as: – CVE-2024-8190 – CVE-2024-8963 – CVE-2024-9380

By chaining these exploits, they could: – Remotely execute code on vulnerable Ivanti CSA devices. – Capture login credentials using a base64-encoded Python script. – Install persistent malware (webshells and rootkits) for ongoing control.

Step 2: Establishing Persistence

Once inside, the attackers made sure they’d stick around: – Webshells: Small scripts inserted into existing PHP files, letting hackers send commands as if they were local admins. – Rootkit: A malicious kernel module (invisible to most security tools) for deep, stealthy control.

Step 3: Covering Their Tracks—and Blocking Rivals

In an intriguing twist, the attackers sometimes “self-patched” the vulnerable web resources after breaching them. This means they fixed the vulnerabilities themselves, likely to keep out other would-be hackers.

Step 4: Lateral Movement and Reconnaissance

With initial access secured, the attackers scouted the internal network and, in at least three cases, moved deeper into victims’ systems—hunting for sensitive data or further footholds.

The Houken Toolset: A Mix of Off-the-Shelf and Custom Arsenal

What’s fascinating (and worrying) is the mix of tools the Houken group used. Their kit included both generic, “off-the-shelf” open-source code and bespoke, hand-crafted malware.

Key Components of the Houken Arsenal

Open-source webshells (like Neo-reGeorg), often created by Chinese-speaking developers.
Handcrafted PHP webshells for stealthier persistence.
Linux kernel module rootkits for deep system compromise.
User-space binaries to help evade detection.

Attack Infrastructure: Obfuscation and Reach

Houken’s infrastructure was global and layered: – Commercial VPNs: ExpressVPN, NordVPN, Proton VPN, Surfshark – Dedicated VPS hosts: HOSTHATCH, ColoCrossing, JVPS.hosting – Major ISPs: Including Comcast, China Unicom, China Telecom, Airtel

This wide infrastructure made it harder for defenders to trace attacks back to a single location—classic tradecraft for high-end threat actors.

Tactics, Techniques, and Procedures (TTPs): Sophistication Meets “Noisy” Moves

You might expect elite spies to be invisible, but Houken showed both advanced skills and surprising lapses.

Signs of High-Level Sophistication

Zero-day exploitation: Discovering and weaponizing unknown flaws is the hallmark of a well-resourced adversary.
Rootkit deployment: Manipulating the Linux kernel is no amateur feat.
Multi-layered infrastructure: Using commercial VPNs and diverse servers for obfuscation.

Signs of Sloppiness or Limited Resources

Noisy operations: Some actions, like large-scale scans, were easily detectable by vigilant defenders.
Generic tool usage: Reliance on publicly available tools, rather than all-custom malware, hints at resource constraints—or at least a desire for speed over stealth.

Why This Matters: Multi-Actor or Modular Attack Groups

Analysts like HarfangLab point out that this blend of skills and sloppiness could mean multiple teams or actors are collaborating—some breaking in, some developing tools, others buying access.

Who (and What) Was Targeted? Not Just France

While this campaign zeroed in on French organizations, the Houken group’s reach goes much further.

Primary Targets in France

Governmental agencies
Telecommunications firms
Media outlets
Financial institutions
Transport sector operators

Wider Targeting Patterns

According to ANSSI and other researchers, Houken’s fingerprints have also been found: – Near China: Especially in Southeast Asia (Thailand, Vietnam, Indonesia) and among government and education sectors. – NGOs: Both inside China (including Hong Kong, Macao) and internationally. – Western Nations: Government, defense, education, media, and telecom organizations.

This isn’t a campaign for financial gain; it’s about strategic intelligence, data theft, and potentially preparing for future influence operations.

How Did France Respond? ANSSI’s Role in Defense and Recovery

France’s ANSSI didn’t just “discover” the attack—they rolled up their sleeves and actively helped organizations respond. According to their July 2025 report:

They assisted victims with forensic analysis: tracing how attackers got in, what they did, and what was taken.
They coordinated patching and remediation: guiding organizations through urgent updates and cleanup.
They shared intelligence with partners**: ensuring the broader cybersecurity community could learn from what happened.

Here’s why that’s crucial: Fast, coordinated responses by national agencies can stop a breach from turning into a crisis—and help others avoid the same fate.

Lessons for Security Leaders: What Can You Learn and Do Now?

Reading about high-profile hacks can feel scary, but there are practical lessons every IT and security leader can take from this story.

1. Patch Early, Patch Often

Zero-day exploits thrive on unpatched systems. As soon as security updates become available, prioritize them, especially for Internet-facing devices like VPNs and network appliances.
Ivanti’s security advisories are a good place to monitor for the latest vulnerabilities.

2. Monitor for Unusual or “Noisy” Behavior

Set up robust network monitoring to spot unexpected VPN logins, lateral movement, or webshell activity.
“Noisy” attacks are often overlooked amid the daily logs—don’t ignore odd patterns.

3. Assume Breach, Then Hunt

Consider running compromise assessments: proactively searching for signs of webshells, rootkits, or other anomalies, even if you haven’t spotted active attacks.
Tools like YARA or commercial EDR platforms can help.

4. Review Your External Attack Surface

Regularly audit exposed assets (VPNs, web servers, remote access devices) and restrict unnecessary external access.
Use external scanning tools to see what attackers see about your organization.

5. Collaborate with National and Sectoral CSIRTs

If you’re in France, contact ANSSI for guidance. Other countries have equivalent Computer Security Incident Response Teams (CSIRTs).
Share threat intelligence with peers—cyber defense is a team sport.

Why Are Zero-Day Exploits So Dangerous?

Let’s take a moment to unpack why these particular attacks have security experts on high alert.

Zero-day means defenders have “zero days” to react before attackers strike.
These vulnerabilities are unknown to the vendor, so traditional defenses (patches, antivirus) aren’t effective until after the exploit becomes public.
Advanced attackers often hoard zero-days for months or years, using them sparingly for high-value targets.

In short, if your organization relies on “patch and forget,” you’re vulnerable to exactly these kinds of threats. Continuous monitoring and a proactive mindset are critical.

The Geopolitical Stakes: Cybersecurity in an Era of Espionage

This isn’t just a French problem or a technical curiosity. State-linked cyberattacks like the Houken campaign are reshaping how nations think about sovereignty and security.

Critical infrastructure—energy, communications, finance—is now a frontline in global competition.
Cyber-espionage is used to steal secrets, influence politics, and prepare the ground for future actions.
Attribution is complex: While evidence points to China, final proof is always a contentious issue in the cyber world.

For organizations, this means thinking beyond compliance or “checkbox security.” It’s about understanding your risk in a rapidly changing geopolitical environment—and investing accordingly.

Frequently Asked Questions (FAQ)

Who are the Houken hackers, and why are they targeting France?

The Houken group, linked by France’s ANSSI and Google’s Threat Intelligence Group to China’s Ministry of State Security, operates as an “initial access broker.” They break into high-value targets—like French government and industry—then sell or pass on that access to state actors interested in espionage.

How were the Ivanti zero-day vulnerabilities exploited?

Attackers combined three zero-day flaws in Ivanti Cloud Service Appliance to gain remote code execution, steal credentials, and install persistent malware like webshells and rootkits. The vulnerabilities were patched in September and October 2024, but not before significant breaches occurred.

What sectors were most affected by the Houken attacks?

The campaign hit French governmental, telecommunications, media, finance, and transport sectors. Beyond France, similar tactics have been used against targets in Southeast Asia, NGOs, and Western governments.

What can organizations do to defend against these kinds of attacks?

Patch systems promptly—especially Internet-facing devices.
Monitor networks for unusual activity and potential webshell use.
Hunt for evidence of compromise, even without obvious signs.
Collaborate with national cybersecurity agencies and peers for shared intelligence.

Could this happen elsewhere?

Absolutely. The tactics used by Houken are not limited to France or Ivanti devices. Any organization with unpatched, exposed systems could be at risk, especially those in critical sectors or with valuable data.

Where can I learn more about these incidents?

Key Takeaways: Stay Informed, Stay Proactive

The Houken campaign is a stark reminder that cyber threats are constantly evolving—and that even well-defended organizations can fall victim to sophisticated, persistent actors. But here’s the good news: By learning from these incidents, staying vigilant for new vulnerabilities, and fostering strong partnerships with cybersecurity agencies, you can dramatically reduce your risks.

Stay curious, stay prepared, and keep exploring—because in cybersecurity, knowledge truly is your best defense.

Want more insights like this? Subscribe for the latest updates, expert guides, and actionable security tips. Your digital world is worth protecting.

Discover more at InnoVirtuoso.com

I would love some feedback on my writing so if you have any, please don’t hesitate to leave a comment around here or in any platforms that is convenient for you.

For more on tech and other topics, explore InnoVirtuoso.com anytime. Subscribe to my newsletter and join our growing community—we’ll create something magical together. I promise, it’ll never be boring!

Stay updated with the latest news—subscribe to our newsletter today!

Thank you all—wishing you an amazing day ahead!