France’s cybersecurity agency reported on Tuesday that a range of government, utility and private sector entities in the country were impacted by a hacking campaign last year exploiting multiple zero-day vulnerabilities in an Ivanti appliance.

The campaign, which had prompted a warning in September by U.S. cybersecurity authorities, targeted the Ivanti Cloud Service Appliance — a piece of software that connects on-premises networks with cloud-based services.

In France, the hacking campaign targeted “organizations from governmental, telecommunications, media, finance, and transport sectors,” stated the report from ANSSI — the Agence Nationale de la Sécurité des Systèmes d’Information (the National Agency for the Security of Information Systems) — exploiting bugs tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380.

The intrusion set — a term of art in threat intelligence used to group malicious activity for an evidence-based analysis — is being tracked under the codename Houken by ANSSI. The agency’s report said it suspects the Houken intrusion set “is operated by the same threat actor as the intrusion set previously described by Mandiant as UNC5174.”

The threat actor “might correspond to a private entity, selling accesses and worthwhile data to several state-linked bodies while seeking its own interests leading lucrative oriented operations,” reported ANSSI.

It noted that similar behavior had previously been observed around several Chinese-linked intrusion sets related to the APT41 cluster, which has been connected to a large number of campaigns, some for profit and some allegedly sponsored by China’s Ministry of State Security.

The thriving scene for contractor hackers in China has provoked widespread concern in the West about the capabilities it offers Beijing.

Earlier this year, the U.S. government filed dozens of criminal charges against hackers employed by the Chinese government in indictments that detailed an entire data brokerage ecosystem in the country, where commercial cyber intrusion groups sell access to networks and pilfered material to China’s intelligence services while also exploiting that access for their own criminal financial gain.

Access brokers

According to ANSSI, the hackers behind the Houken campaign showed a primary interest in breaking into systems so that they could subsequently sell that access to state-linked intelligence agencies.

The French agency said it also “observed one case of data exfiltration as well as an interest in the deployment of cryptominers, indicating straight-forward profit-driven objectives.”

In March 2025, ANSSI said, its investigation of Houken’s attack infrastructure revealed that the campaign had compromised an email appliance belonging to a South American country’s ministry of foreign affairs.

The Houken operators were identified exfiltrating “a massive amount of emails using parts of a script available on a Chinese written blog,” stated ANSSI, although the agency said it was unclear whether intelligence collection was part of the threat actor’s motivation or if it was simply the result of a specific request from one of its sponsors.

ANSSI said the range of technical expertise on show in the campaign suggests “a multiparty approach,” as described by HarfangLab in its report on the Ivanti exploitations. At one end, the attackers exploited zero-day vulnerabilities and used a kernel-mode rootkit — malware that runs inside the core of the operating system, where it can hide from security tools — while also deploying publicly available Chinese tools and carrying out “noisy and rudimentary actions within victims’ environments,” ANSSI said.

The French cybersecurity agency warned that the Houken and UNC5174 intrusion sets remain active and “will likely be operated again to target internet-facing equipment, such as endpoint managers or VPN appliances, through worldwide and opportunistic vulnerability exploitation.”
