How a Covert Cyber Operation Targeted Critical French Sectors
In September 2024, the French National Agency for the Security of Information Systems (ANSSI) identified a sophisticated cyberattack exploiting zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The attackers, attributed to a Chinese threat group operating under the codename Houken, infiltrated multiple sectors, including government, telecommunications, media, finance, and transport.
The campaign was not a lone operation. It echoed the techniques of UNC5174 (also known as Uteus or Uetus), a cluster tracked by Google Mandiant. Both groups have been active in previous campaigns leveraging zero-days, open-source tools, and stealth malware for strategic access.
Zero-Days Turned Weapons: CVE-2024-8963, CVE-2024-9380, CVE-2024-8190
The attackers exploited three Ivanti CSA vulnerabilities—CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190—before they were publicly known. Their goal: gain credentials, establish persistent access, and enable further infiltration. The methods were highly technical but deliberate:
- Direct deployment of PHP web shells
- Injection of malicious code into existing PHP scripts
- Installation of a custom rootkit through kernel modules
Publicly available tools such as Behinder and neo-reGeorg were used to enable lateral movement. Persistence was achieved using malware variants like GOREVERSE, a custom shell utility, and GOHEAVY, a Golang tunneling tool. A kernel module named sysinitd.ko played a key role in maintaining root access. This module, along with a shell installer script (install.sh), hijacked TCP traffic and enabled remote command execution.
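A baseline check of loaded kernel modules is one concrete form of the rootkit detection this persistence method calls for. The Python below is an added example, not code from ANSSI, Mandiant or ZENDATA; the /proc/modules sample is constructed and the baseline set of expected modules is assumed.

```python
"""Baseline check of loaded Linux kernel modules, read from /proc/modules.

Added defender-side illustration; not taken from the ANSSI report.  It flags
modules absent from a known-good baseline, which is how an unexpected module
such as sysinitd.ko (named in the report) would surface on a host.
"""
from typing import Dict, List, NamedTuple, Set


class Module(NamedTuple):
    name: str
    size: int
    refcount: int
    used_by: List[str]


def parse_proc_modules(text: str) -> Dict[str, Module]:
    """Parse /proc/modules lines: name size refcount used_by state offset [taint]."""
    modules: Dict[str, Module] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        name, size, refcount, used_by = fields[0], int(fields[1]), int(fields[2]), fields[3]
        # used_by is "-" or a comma-separated list with a trailing comma
        deps = [] if used_by == "-" else [d for d in used_by.split(",") if d]
        modules[name] = Module(name, size, refcount, deps)
    return modules


def unexpected_modules(text: str, baseline: Set[str]) -> List[str]:
    """Return sorted names of loaded modules that are not in the baseline."""
    return sorted(name for name in parse_proc_modules(text) if name not in baseline)


# Constructed sample of /proc/modules content; the sysinitd line is illustrative only.
SAMPLE = """\
xt_conntrack 16384 2 - Live 0xffffffffc0a1b000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc09e0000
sysinitd 20480 0 - Live 0xffffffffc0b2c000 (OE)
ext4 835584 1 - Live 0xffffffffc0800000
"""
# Assumed known-good set captured from a clean build of the same appliance image.
BASELINE = {"xt_conntrack", "nf_conntrack", "ext4"}

if __name__ == "__main__":
    for name in unexpected_modules(SAMPLE, BASELINE):
        print(f"unexpected kernel module loaded: {name}")
```

A rootkit module that unlinks itself from the kernel's module list will not appear in /proc/modules at all, so pair this check with a comparison against /sys/module and an offline memory or disk inspection.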
A Multi-Layered Threat Model: Initial Access Brokers and State Interests
The sophistication of the attack suggests the involvement of an initial access broker, potentially active since 2023. These actors infiltrate networks and resell access to state-linked or financially motivated groups. HarfangLab described the model succinctly: one party discovers vulnerabilities, a second exploits them, and others buy access to valuable targets.
This strategy isn’t new. UNC5174 has previously exploited SAP NetWeaver and security flaws in Palo Alto Networks, ScreenConnect, and F5 BIG-IP software. The objective? Intelligence gathering and sometimes financial gain, as seen in at least one instance where attackers deployed cryptocurrency miners post-access.
Targeted Sectors and Global Implications
Beyond France, the targeting scope spans a wide geopolitical landscape. ANSSI observed attacks aimed at:
- Government and education sectors in Southeast Asia
- NGOs based in mainland China, Hong Kong, and Macau
- Western media, defense, and telecom institutions
This diverse targeting indicates that while the actors may have state ties, they are not limited by national mandates. The blending of espionage and financial operations highlights the growing sophistication of modern cyber threats.
Patch to Lock Out Rivals: The New Attacker Tactic
One curious detail from the ANSSI report was the attackers’ effort to patch the Ivanti vulnerabilities after gaining access. This move appears aimed at securing their foothold and preventing rival groups from entering the same systems. It’s a revealing tactic that speaks to a competitive cybercriminal ecosystem.
Are Houken and UNC5174 the Same Actor?
The strong overlap in tools, tactics, and targets suggests that Houken and UNC5174 may be operated by the same entity. Still, full attribution remains inconclusive. ANSSI speculates the operators may be private contractors aligned with state objectives but also driven by financial profit—selling access and data to multiple buyers.
How to Protect Your Organization
This campaign underscores the need for rapid patching, deep visibility into lateral movements, and behavioral detection techniques. Organizations must not only rely on traditional security tools but also integrate real-time threat intelligence, rootkit detection, and network traffic analysis.
If your business operates critical systems or manages sensitive data, you should consider advanced cybersecurity services designed to detect, prevent, and respond to zero-day threats. ZENDATA offers tailored solutions to identify malicious persistence, analyze intrusion chains, and fortify your defenses before attackers get in.
Read the full article from The Hacker News here.