A cyber campaign believed to be orchestrated by a China-affiliated threat actor has been targeting French organizations across several key sectors, including government, telecommunications, finance, media, and transport, according to France’s national cybersecurity agency, ANSSI.
The campaign, dubbed “Houken,” was first detected in September 2024 but is believed to have been active since at least 2023.
According to a detailed report published by ANSSI’s Computer Emergency Response Team (CERT-FR), the Houken campaign uses both moderately sophisticated techniques and advanced tools, including the use of zero-day vulnerabilities, open-source software with suspected Chinese origins, custom-built webshells, and a Linux rootkit.
ANSSI believes that the Houken campaign is operated by the same threat actor tracked by Google’s Threat Intelligence Group as ‘UNC5174’, an entity believed to act as an initial access broker for China’s Ministry of State Security (MSS). The agency suggests that Houken may have been used to breach networks and sell access to state-linked intelligence actors.
The attackers chained three vulnerabilities in Ivanti Cloud Service Appliance (CSA), CVE-2024-8963, CVE-2024-8190 and CVE-2024-9380, which were still zero-days when exploitation began, to obtain remote code execution on the appliances. They used that access to deploy webshells, steal credentials with base64-encoded Python scripts, and load a Linux kernel module that acts as a rootkit.
Although Ivanti released patches in September and October 2024, ANSSI observed the campaign continuing at least into November of that year.
In several cases the attackers patched the vulnerabilities themselves on the systems they had compromised, most likely to keep exclusive access and lock out other intrusion sets; an appliance that reports itself as patched therefore cannot be assumed to be clean. Once initial access was secured, they carried out reconnaissance and moved laterally into internal networks.
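Two of the host-level artefacts described above, base64-encoded Python one-liners and an unexpected kernel module, lend themselves to a simple triage check that does not depend on the patch level the device reports. The Python below is an added example written for this page, not code from ANSSI, CERT-FR or Ivanti; the process log lines, the `lsmod` output, the module baseline and the credential keywords are all constructed, and the module name `example_mod` is hypothetical.

```python
import base64
import binascii
import re

# Illustrative keywords suggesting a decoded payload reads stored credentials.
# Assumption: chosen for this example, not indicators from the ANSSI report.
CREDENTIAL_HINTS = ("password", "passwd", "credential", "shadow", "sqlite", "secret")

# A base64 run long enough to be an embedded script rather than a short token.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample data (not real telemetry). The encoded payloads are built at
# import time so the sample lines are guaranteed to carry valid base64.
CREDENTIAL_DUMP = (
    "import sqlite3\n"
    "db = sqlite3.connect('/opt/app/users.db')\n"
    "print(db.execute('select user, password from accounts').fetchall())\n"
)
_ENCODED_DUMP = base64.b64encode(CREDENTIAL_DUMP.encode()).decode()
_ENCODED_BINARY = base64.b64encode(bytes(range(200, 224))).decode()  # not valid UTF-8 once decoded
SAMPLE_PROCESS_LOG = [
    "2024-10-03T02:11:40Z csa01 root /usr/bin/python3 /opt/app/bin/health_check.py",
    f"2024-10-03T02:14:11Z csa01 nobody python3 -c \"import base64;exec(base64.b64decode('{_ENCODED_DUMP}'))\"",
    "2024-10-03T02:15:02Z csa01 nobody curl -H 'Authorization: Bearer AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' https://example.invalid/api",
    f"2024-10-03T02:16:30Z csa01 nobody python3 -c \"import base64;open('/tmp/x','wb').write(base64.b64decode('{_ENCODED_BINARY}'))\"",
]

# Constructed lsmod output; "example_mod" is a hypothetical name, not a known rootkit.
SAMPLE_LSMOD = """Module                  Size  Used by
xfs                  1527808  1
libcrc32c              16384  1 xfs
example_mod            16384  0
ip_tables              32768  0
"""
# Assumption: captured from a known-clean appliance of the same version.
BASELINE_MODULES = {"xfs", "libcrc32c", "ip_tables"}


def find_encoded_python(log_lines):
    """Flag python invocations that decode base64 inline (one finding per decoded blob).

    Each finding records the line number, the decoded payload (None when the blob is
    not printable text, e.g. a dropped binary) and whether the text hints at
    credential access. Non-python lines and undecodable runs are ignored.
    """
    findings = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        decodes = "b64decode" in low or "base64 -d" in low or "base64 --decode" in low
        if "python" not in low or not decodes:
            continue
        for m in _B64_RUN.finditer(line):
            try:
                raw = base64.b64decode(m.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue  # base64-looking characters that are not a valid blob
            text = raw.decode("utf-8", errors="replace")
            is_text = "\ufffd" not in text and all(c.isprintable() or c in "\n\r\t" for c in text)
            findings.append({
                "line": n,
                "payload": text if is_text else None,
                "credential_access": is_text and any(k in text.lower() for k in CREDENTIAL_HINTS),
            })
    return findings


def unexpected_kernel_modules(lsmod_output, baseline):
    """Return module names present in lsmod-style output but absent from the baseline.

    A kernel rootkit can unlink itself from the module list, so an empty result is
    not proof of absence; cross-check /sys/module or inspect the disk offline.
    """
    lines = lsmod_output.splitlines()
    loaded = {ln.split()[0] for ln in lines[1:] if ln.split()}  # skip the header row
    return loaded - set(baseline)


if __name__ == "__main__":
    for f in find_encoded_python(SAMPLE_PROCESS_LOG):
        kind = "text" if f["payload"] is not None else "binary"
        print(f"line {f['line']}: inline base64 decode ({kind}), credential hints: {f['credential_access']}")
    print("modules not in baseline:", unexpected_kernel_modules(SAMPLE_LSMOD, BASELINE_MODULES))
```

Run both checks on every appliance regardless of whether it reports itself as patched, because the attackers patched compromised devices themselves. The credential-keyword list is deliberately loose; the point is that a decoded one-liner is surfaced for an analyst to read, not that the keywords are a signature.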
The attack infrastructure supporting Houken was extensive, combining commercial VPN services, dedicated virtual private servers, and IP addresses from major ISPs including China Telecom and China Unicom as well as international providers such as Comcast and Airtel. The presence of tools written by Chinese-speaking developers, operational timing consistent with China Standard Time (UTC+8), and infrastructure linked to Chinese networks further point to a China-based operator.