Chinese state-sponsored threat actors exploited three zero-day vulnerabilities in Ivanti CSA solutions to access French government agencies and other commercial entities such as telcos, finance, and transportation organizations.
The attackers abused the vulnerabilities to steal login credentials and establish persistence on target endpoints, using techniques such as deploying PHP web shells and installing kernel modules that act as a rootkit.
The attacks were attributed to a group tracked as Houken, previously known for exploiting SAP NetWeaver vulnerabilities, which is believed to have sold the access it gained to French government devices to parties seeking valuable intelligence and sensitive data.
The French National Agency for the Security of Information Systems (ANSSI) confirmed the breaches and linked the attacks to Chinese state-sponsored actors, noting that Houken had also targeted various sectors beyond Western entities.