
Government Hackers Lead in Zero-Day Exploits, Google Reports

April 29, 2025

Government-Backed Hackers Dominate Zero-Day Exploitation

Recent research conducted by Google indicates that hackers affiliated with various governments were responsible for the majority of documented zero-day exploits utilized in actual cyberattacks throughout the previous year.

Decline in Overall Exploits, Rise in State-Sponsored Activity

Google’s analysis revealed a decrease in the total number of zero-day exploits observed, falling from 98 in 2023 to 75 in 2024. A zero-day exploit is an attack against a security vulnerability that is still unknown to the software vendor, and therefore unpatched, at the time it is actively exploited.

However, a significant portion of the exploits Google was able to attribute to specific actors were linked to government-backed hacking groups. At least 23 zero-day exploits were traced back to these state-sponsored entities.

Specific Government Actors Identified

Of these 23 exploits, 10 were directly attributed to hackers employed by governments. This included five exploits connected to Chinese government operations and an additional five linked to North Korean hacking groups.

Spyware Vendors and Government Connections

Furthermore, eight exploits originated from spyware developers and surveillance technology providers, such as NSO Group, which generally assert that they only sell their products to governmental organizations.

Google’s assessment also encompasses vulnerabilities recently exploited by Serbian authorities utilizing Cellebrite phone-unlocking technology.

Operational Security Improvements by Spyware Companies

Despite the eight zero-days linked to spyware vendors, Clément Lecigne, a security engineer with Google Threat Intelligence Group (GTIG), noted to TechCrunch that these companies are enhancing their operational security measures.

This is being done to prevent exposure of their capabilities and avoid negative publicity.

The Persistence of the Surveillance Industry

Google also highlighted the continued growth of the surveillance vendor landscape.

As stated by James Sadowski, a principal analyst at GTIG, “When law enforcement action or public disclosure forces vendors to cease operations, new vendors emerge to offer comparable services.” He further explained that the industry will persist as long as governments continue to demand and fund these services.

Cybercriminal Involvement

The remaining 11 attributed zero-days were likely exploited by cybercriminals, including ransomware operators targeting corporate infrastructure like VPNs and routers.

Targeted Platforms

The report indicated that the majority of the 75 zero-days exploited in 2024 targeted consumer-facing platforms and products, such as smartphones and web browsers. The remainder impacted devices commonly found on corporate networks.

Improved Defenses by Software Vendors

According to Google’s report, software developers are becoming more effective at defending against zero-day attacks, making it increasingly challenging for exploit developers to discover vulnerabilities.

“We are observing significant reductions in zero-day exploitation targeting historically popular targets, including browsers and mobile operating systems,” the report states.

Impact of Security Features

Sadowski specifically cited Lockdown Mode, a security feature available on iOS and macOS designed to harden devices by disabling certain functionalities, as demonstrably effective against government hackers.

He also mentioned Memory Tagging Extension (MTE), a security feature integrated into modern Google Pixel chipsets, which aids in detecting specific types of bugs and bolstering device security.

Value of Industry Data

Google’s reports are considered valuable resources for the cybersecurity industry and observers, providing data points that enhance our understanding of government hacker tactics.

However, it’s acknowledged that accurately counting zero-days presents inherent challenges, as some vulnerabilities remain undetected, and attribution can be difficult even when detected.
