Chinese Hackers Exploited Ivanti Flaw in France



Hackers Targeted French Government Entities, ANSSI Said

A Chinese hacking operation exploited Ivanti flaws during late 2024 to target French organizations. (Image: Vali Lung/Shutterstock)

A hacking campaign linked to Chinese threat actors chained zero-days in Ivanti server software to target French government, defense and media entities, the national cyber agency said.


The French National Agency for Information Systems Security, or ANSSI, said Tuesday it observed French organizations affected by activity using a slew of security flaws to break into an end-of-life version of the Utah company’s Cloud Services Appliance applications. The campaign affected government agencies, telecoms and firms in the media, finance and transport sectors. ANSSI dubs the intrusion set “Houken” (see: Ivanti CSA Customers Targeted in New Zero-Day Attacks).

The hackers used a wide range of open-source tools “mostly crafted by Chinese-speaking developers,” were active during Chinese working hours and exhibited behaviors consistent with intelligence collection. The threat actor also sought self-enrichment, installing a cryptominer on one victim system. Chinese nation-state hacking is an unusual combination of intelligence agencies and private sector companies. Some hackers choose their own targets and sell exfiltrated data or access to government agencies, or may do for-profit hacking on the side. “Nevertheless, the use of cryptominers remains uncommon for this threat actor,” ANSSI wrote.

Based on the similarities in the toolsets used, such as fileless backdoor VShell and a reverse shell backdoor known as Goreverse, the Houken hacker is likely linked to a Chinese threat actor tracked as UNC5174 by Mandiant. The Google-owned threat intel firm describes UNC5174 as an individual likely acting as an initial access contractor for China’s Ministry of State Security and believed to go by the online handle “Uteus” (see: Likely Chinese Hacking Contractor Is Quick to Exploit N-Days).

Like UNC5174, the Houken operator likely sells access to hacked networks to Beijing-linked hackers, although ANSSI also uncovered the Houken operator directly exfiltrating a massive number of emails from the ministry of foreign affairs of an unnamed South American country.

The campaign began with the hackers chaining two Ivanti zero-days, tracked as CVE-2024-8190 and CVE-2024-9380, along with CVE-2024-8963 to deploy a previously unseen rootkit variant.

Once in the victim’s environment, the threat group used open-source tools available on GitHub and webshells previously associated with Chinese-speaking developers. Attackers also relied on the anonymization services NordVPN and ExpressVPN.

The Houken operator also used proxy networks consisting of residential or mobile IP addresses as part of the hack. The Paris Public Prosecutor’s Office in 2024 launched a preliminary investigation into a “network of machine zombies,” linked to Chinese nation state groups, although it is unclear if the networks are linked to Houken operators (see: French Government Investigates Suspected Chinese Espionage).

The hackers behind Houken, as well as UNC5174, remain active, the French agency warned. “Both intrusion sets will likely be operated again to target internet-facing equipment, such as endpoint managers or VPN appliances, through worldwide and opportunistic vulnerability exploitation.”
