The French National Agency for the Security of Information Systems (ANSSI) has revealed a large-scale cyberattack that occurred last year, directly impacting government agencies and critical national infrastructure, including telecommunications, media, finance, and transportation sectors.
What Happened?
This attack leveraged three Zero-Day vulnerabilities in Ivanti Cloud Services Appliance (CSA) systems:
- CVE-2024-8190
- CVE-2024-8963
- CVE-2024-9380
The attackers used these vulnerabilities to breach systems, steal login credentials, and embed tools allowing continuous long-term access to victim networks.
The Masterminds: UNC5174 Group or “Uteus”
Both ANSSI and Mandiant point to the group known as UNC5174 or "Uteus" as the culprits. This group has clear ties to the Chinese Ministry of State Security and previously acted as hacktivists, now operating as a "contractor" or Initial Access Broker. UNC5174 has previously attacked various edge devices, including ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, Linux Kernel, and Zyxel Firewalls.
In the French case, this group used a sophisticated exploitation toolkit called "Houken" which features:
- Use of Zero-Days for system entry
- Installation of an advanced rootkit named sysinitd.ko
- Use of popular web shells like Behinder and neo-reGeorg
- Utilization of tunneling tools such as GOREVERSE and GOHEAVY
- Reliance on commercial VPNs and dedicated servers to hide their tracks
Surprisingly, they even attempted to patch the exploited vulnerabilities themselves after embedding, likely to prevent other groups from using the same entry points!
Multi-Party Strategy and Complex Motivations
A report from HarfangLab indicates this operation involved a multi-party, "division of labor" strategy with the following steps:
- The first party identifies vulnerabilities.
- The second party exploits vulnerabilities for widespread system entry.
- Access rights are then shared or sold to a third party for further use.
Although the attack appeared to have intelligence-gathering as its primary goal, in some cases, the attackers were also observed using their access to install cryptocurrency miners for financial gain. This suggests a diverse and complex set of motivations behind the attacks.
Ivanti: A Hacker's Favorite Software
Ivanti has become one of the software vendors with the most frequently exploited vulnerabilities, particularly within its CSA product line. Data from CISA (US) confirms:
- Over the past four years, 30 Ivanti vulnerabilities have been actively exploited.
- In 2025 alone, at least 7 vulnerabilities have already been exploited.
Ivanti's Statement
An Ivanti spokesperson clarified: "This incident affected only older, end-of-life versions of Cloud Services Appliance. Customers using newer or patched versions were not affected." The company confirmed they released a patch in 2024 and recommended customers upgrade to CSA version 5.0, which was not affected by these vulnerabilities, emphasizing: "Customer security remains our top priority, and we are committed to continuously supporting them."
Key Takeaway: Lessons from a Global Cyber Threat
This attack serves as a clear example of the complexity in today's cybersecurity landscape, featuring collaboration between state-affiliated and private hacking groups, the use of advanced, in-depth tools, and a blend of intelligence-gathering and financial motivations.
Organizations across all sectors should closely monitor for Zero-Day vulnerabilities, consistently update their systems, and strengthen proactive detection to prevent similar stealthy attacks in the future.