Google’s recent research indicates that government-affiliated hackers were responsible for the majority of attributed zero-day exploits in cyberattacks last year. The report from Google revealed a decrease in zero-day exploits, with numbers falling from 98 in 2023 to 75 in 2024. Among the attributed exploits, at least 23 were linked to government-backed hackers.
Of these 23 exploits, 10 were directly connected to government hackers, specifically five to China and five to North Korea. An additional eight exploits were developed by spyware companies and surveillance enablers, such as NSO Group, which typically sell these to governments. This group includes exploits that Serbian authorities used via Cellebrite devices.
Google’s security engineer, Clément Lecigne, mentioned that spyware companies are increasingly investing in operational security to avoid exposure. The report also highlighted the ongoing proliferation of surveillance vendors. James Sadowski from Google’s Threat Intelligence Group noted that as long as there is demand from government customers, this industry will continue to expand.
The remaining 11 attributed zero-days were likely exploited by cybercriminals, including ransomware operators targeting enterprise devices such as VPNs and routers. Most of the 75 zero-days in 2024 targeted consumer platforms like phones and browsers, with others focusing on corporate network devices.
The report concluded with a positive note, stating that software developers are making progress in defending against zero-day attacks, particularly in reducing exploitation of popular targets such as browsers and mobile operating systems. Sadowski highlighted tools like Apple’s Lockdown Mode and the Memory Tagging Extension in Google Pixel chipsets as effective measures in thwarting government hackers.
Reports like these are crucial for understanding government hacking activities, although challenges remain in detecting and attributing zero-day exploits.