French Government Caught in Crosshairs of Sophisticated Ivanti Exploit Campaign

In a stark warning that blends espionage, profit-driven cybercrime, and software supply chain failures, France’s top cybersecurity agency has confirmed that a string of government and critical infrastructure entities were compromised during a 2023 hacking campaign targeting Ivanti’s Cloud Service Appliance (CSA).


The agency, ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), disclosed that the attackers exploited multiple zero-day vulnerabilities — CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 — to infiltrate organizations spanning France’s governmental, media, transport, and financial sectors. The campaign, which now goes by the codename Houken, is believed to be tied to the same threat group tracked by Mandiant as UNC5174.


But this wasn’t just a one-off smash-and-grab. According to ANSSI’s detailed analysis, Houken operated more like a cyber mercenary group than a nation-state APT, brokering access to compromised systems and selectively exfiltrating data — possibly at the request of paying intelligence clients.


“The threat actor might correspond to a private entity, selling accesses and worthwhile data to several state-linked bodies while seeking its own interests leading lucrative oriented operations,” ANSSI reported.

That model is disturbingly familiar. The Houken playbook echoes behavior previously attributed to Chinese-affiliated APT41 — a group notorious for its dual-track operations serving both national espionage objectives and financially motivated campaigns. It’s a blueprint that creates distance between state sponsors and cyber activity, a tactic analysts say gives regimes like Beijing plausible deniability while still benefiting from stolen data and cyber access.


The U.S. government has previously raised alarms about this growing ecosystem of state-aligned contractors. In early 2025, American prosecutors indicted multiple individuals for selling stolen data to Chinese intelligence agencies while simultaneously monetizing the same breaches for personal gain — a criminal-commercial hybrid that’s quickly becoming the status quo in advanced threat operations.


ANSSI’s report suggests Houken follows a similar model. In one instance, attackers exfiltrated massive troves of email from a South American foreign ministry using scripts lifted from a Chinese-language blog. Whether the target was chosen for strategic espionage or because a paying customer ordered it remains unclear.


Garrett Calpouzos, Principal Security Researcher at Sonatype, says the Houken campaign is a glaring example of how threat actors are not just evolving — they’re optimizing.


“This incident is another stark reminder of how critical it is to secure any internet-facing systems, especially when remote code execution (RCE) vulnerabilities are involved,” Calpouzos said. “What’s particularly interesting in this case is that the attackers patched the very vulnerabilities they exploited — a tactic we’re seeing more frequently among advanced threat actors. By doing this, they prevented other threat groups from accessing the same system, ensuring their own activity remained undetected.”

In other words, these hackers weren’t just infiltrating systems — they were fortifying their own beachheads to lock out rivals and reduce the chance of discovery.


Houken’s operational footprint also points to a wide-ranging coalition or tool-sharing network. ANSSI noted evidence of both elite capabilities — such as the use of a kernel-mode rootkit — alongside clumsy, low-opsec tactics like the deployment of noisy open-source scripts. This blend of tradecraft supports what cybersecurity firm HarfangLab has called a “multiparty approach,” where multiple actors work toward overlapping objectives under a shared infrastructure umbrella.


“Campaigns like this highlight the unique risks facing high-value targets such as government agencies, which often struggle to act quickly due to bureaucratic hurdles,” Calpouzos added. “Organizations must move beyond reactive patching and prioritize visibility into software supply chain risks, especially for systems exposed to the public internet.”

The takeaway: even well-resourced, security-aware institutions like national governments can be blindsided by a rapidly professionalizing threat landscape — one where zero-day exploits become tools of both geopolitical leverage and commercial enterprise.


ANSSI warns that Houken and UNC5174 remain active and are likely to continue exploiting internet-facing infrastructure, especially endpoint managers and VPN appliances, in future campaigns. With public-sector targets increasingly sitting on the frontlines of cyber conflict, securing digital perimeters is no longer a question of if but when.