Government Hackers Pioneering Attributed Zero-Day Exploits, According to Google

In a recent report, Google revealed that government-backed hackers were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks during 2024. The finding sheds light on the evolving landscape of cybersecurity threats and underlines the importance of vigilance against such vulnerabilities.

Overview of Zero-Day Exploits in 2024

According to Google’s findings, the total number of zero-day exploits—security flaws unknown to software developers at the time of exploitation—decreased from 98 in 2023 to 75 in 2024. However, the report highlights that at least 23 of these exploits were attributed to government-affiliated hackers.

Government-Linked Exploits

  • Ten zero-days were directly linked to hackers operating on behalf of governments, with five attributed to China and another five to North Korea.
  • Additionally, eight exploits were associated with spyware vendors like NSO Group, which typically claim their products are sold exclusively to government entities. Among these, Google counts exploits used by Serbian authorities operating Cellebrite phone-unlocking devices.

The Role of Spyware Makers

Clément Lecigne, a security engineer at Google’s Threat Intelligence Group (GTIG), mentioned in an interview with TechCrunch that spyware companies are increasing their investment in operational security to prevent their tools from being exposed in the media.

James Sadowski, a principal analyst at GTIG, noted, “As long as government customers continue to request and pay for these services, the industry will continue to grow.” This suggests a persistent demand for surveillance technologies, despite some vendors being pushed out of business due to law enforcement actions or public scrutiny.

Cybercriminal Activity and Zero-Day Usage

The report also suggests that the remaining 11 attributed zero-days were likely exploited by cybercriminals, including ransomware operators targeting enterprise devices like VPNs and routers.

Trends in Exploited Platforms

Interestingly, the majority of the 75 zero-days exploited in 2024 targeted consumer platforms and products, such as:

  • Mobile phones
  • Web browsers

In contrast, the remaining exploits were aimed at devices typically found in corporate networks.

Improvements in Cyber Defense

Despite the ongoing threat of zero-day exploits, Google’s report offers some positive news: software developers are enhancing their defenses against these attacks. The report states:

“We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems.”

Sadowski pointed out features like Lockdown Mode for iOS and macOS, designed to disable certain functionalities to protect devices from government hackers, as well as the Memory Tagging Extension (MTE) in modern Google Pixel chipsets that helps identify specific bugs and boost overall security.

The Importance of Awareness in Cybersecurity

Reports such as Google’s are crucial for understanding the operational tactics of government hackers. However, it’s important to remember that some zero-day exploits remain undetected, and even those that are discovered may not always be properly attributed.
