French Government Caught in Crosshairs of Sophisticated Ivanti Exploit Campaign

In a stark warning that blends espionage, profit-driven cybercrime, and software supply chain failures, France’s top cybersecurity agency has confirmed that a string of government and critical infrastructure entities were compromised during a 2023 hacking campaign targeting Ivanti’s Cloud Service Appliance (CSA).

The agency, ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), disclosed that the attackers exploited multiple zero-day vulnerabilities — CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 — to infiltrate organizations spanning France’s governmental, media, transport, and financial sectors. The campaign, which now goes by the codename Houken, is believed to be tied to the same threat group tracked by Mandiant as UNC5174.

But this wasn’t just a one-off smash-and-grab. According to ANSSI’s detailed analysis, Houken operated more like a cyber mercenary group than a nation-state APT, brokering access to compromised systems and selectively exfiltrating data — possibly at the request of paying intelligence clients.

That model is disturbingly familiar. The Houken playbook echoes behavior previously attributed to Chinese-affiliated APT41 — a group notorious for its dual-track operations serving both national espionage objectives and financially motivated campaigns. It’s a blueprint that creates distance between state sponsors and cyber activity, a tactic analysts say gives regimes like Beijing plausible deniability while still benefiting from stolen data and cyber access.

The U.S. government has previously raised alarms about this growing ecosystem of state-aligned contractors. In early 2025, American prosecutors indicted multiple individuals for selling stolen data to Chinese intelligence agencies while simultaneously monetizing the same breaches for personal gain — a criminal-commercial hybrid that’s quickly becoming the status quo in advanced threat operations.

ANSSI’s report suggests Houken follows a similar model. In one instance, attackers exfiltrated massive troves of email from a South American foreign ministry using scripts lifted from a Chinese-language blog. Whether the target was chosen for strategic espionage or because a paying customer ordered it remains unclear.

Garrett Calpouzos, Principal Security Researcher at Sonatype, says the Houken campaign is a glaring example of how threat actors are not just evolving — they’re optimizing.

In other words, these hackers weren’t just infiltrating systems — they were fortifying their own beachheads to lock out rivals and reduce the chance of discovery.

Houken’s operational footprint also points to a wide-ranging coalition or tool-sharing network. ANSSI noted evidence of both elite capabilities — such as the use of a kernel-mode rootkit — alongside clumsy, low-opsec tactics like the deployment of noisy open-source scripts. This blend of tradecraft supports what cybersecurity firm Harfang Lab has called a “multiparty approach,” where multiple actors work toward overlapping objectives under a shared infrastructure umbrella.

The takeaway: even well-resourced, security-aware institutions like national governments can be blindsided by a rapidly professionalizing threat landscape — one where zero-day exploits become tools of both geopolitical leverage and commercial enterprise.

ANSSI warns that Houken and UNC5174 remain active and are likely to continue exploiting internet-facing infrastructure, especially endpoint managers and VPN appliances, in future campaigns. With public-sector targets increasingly sitting on the frontlines of cyber conflict, the race to secure digital perimeters is no longer a matter of if but when.