Chinese state-affiliated hackers infiltrated France’s most critical infrastructure sectors through a sophisticated cyber espionage campaign that compromised government ministries, defense contractors, telecommunications providers, financial institutions, media outlets, and transport networks.
Chinese state-affiliated hackers compromised France’s critical infrastructure including government ministries, defense contractors, telecommunications, financial institutions, media outlets, and transport networks.
The French cybersecurity agency ANSSI and Google Threat Intelligence Group attributed the operation, dubbed Houken, to UNC5174, a group suspected of operating on behalf of China’s Ministry of State Security.
The attack campaign began in September 2024, though investigators believe the activity traces back to 2023. Attackers exploited three critical zero-day vulnerabilities in Ivanti Cloud Service Appliance systems: CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380. These previously unknown security flaws permitted hackers to penetrate France’s most sensitive networks without detection, as vendors and cybersecurity defenders remained unaware of the vulnerabilities.
UNC5174 deployed sophisticated rootkits, particularly the sysinitd.ko kernel module and the sysinitd executable, to maintain stealth and persistence within compromised systems. The hackers utilized open-source tools, often developed by Chinese-speaking programmers, alongside commercial VPNs and dedicated command-and-control servers to manage their operations. Damages from the breach were estimated using an average breach-cost figure of $4.35 million.
Following initial compromise, the attackers conducted lateral movement through victims’ networks, targeting additional devices including F5 BIG-IP systems. Intelligence analysts assess that UNC5174 functions as an initial access broker, selling or sharing compromised network footholds with other state-linked actors.
This multi-party exploitation model involves one group uncovering vulnerabilities, another conducting large-scale exploitation, and third parties executing follow-on intelligence operations. The coordinated approach demonstrates persistent targeting of France’s critical national infrastructure for intelligence gathering purposes.
ANSSI first detected the intrusion in September 2024, launching a thorough investigation before publishing technical details through CERT-FR in July 2025. The delayed detection resulted from the attackers’ use of zero-day vulnerabilities unknown to security vendors at the time of exploitation. This campaign reflects a broader trend of supply chain attacks targeting critical infrastructure, similar to recent incidents affecting SentinelOne and other major organizations.
French investigators traced the attack tools and methodologies to the Chinese-speaking developer community, reinforcing attribution assessments. The campaign represents a significant escalation in state-sponsored cyber espionage targeting Western critical infrastructure.
Security agencies continue monitoring affected sectors for evidence of lateral movement and subsequent attacks, as the breach’s full scope remains under investigation across France’s telecommunications, financial, media, transport, and government networks.