Government Hackers Dominate Zero-Day Exploitation Landscape, Google Reports

In a recent analysis, Google’s Threat Intelligence Group (GTIG) has revealed that government-backed hackers were responsible for the majority of zero-day exploits identified in cyberattacks throughout 2024. Zero-day vulnerabilities are security flaws unknown to software vendors at the time of exploitation, making them particularly valuable for conducting covert operations.

The report indicates a decrease in the total number of zero-day exploits, from 98 in 2023 to 75 in 2024. However, of the 34 exploits that Google could attribute to specific actors, 23 were linked to state-sponsored groups. Notably, five exploits were associated with Chinese government hackers, and another five with North Korean state-sponsored actors.

In addition to direct government involvement, eight zero-day exploits were traced back to commercial surveillance vendors, such as the NSO Group. These companies develop and sell sophisticated spyware tools, often claiming to serve only government clients. The report also highlights instances where Serbian authorities used zero-day vulnerabilities through Cellebrite’s phone-unlocking devices.

Clément Lecigne, a security engineer at GTIG, noted that spyware vendors are increasingly investing in operational security to prevent their tools from being exposed and scrutinized in public forums. Despite efforts to curb their activities, the proliferation of surveillance vendors continues. James Sadowski, a principal analyst at GTIG, emphasized that as long as there is demand from government entities willing to pay for these services, the industry will persist and evolve.

The remaining 11 attributed zero-day exploits were likely used by cybercriminals, including ransomware operators targeting enterprise devices such as VPNs and routers.

The report also sheds light on the targets of these zero-day exploits. The majority were aimed at consumer platforms and products, including smartphones and web browsers, while the rest focused on devices commonly found within corporate networks.

On a positive note, the report acknowledges that software developers are making strides in defending against zero-day attacks. There has been a notable decrease in the exploitation of traditionally popular targets like browsers and mobile operating systems. Sadowski highlighted Apple’s introduction of Lockdown Mode for iOS and macOS as a significant advancement. This feature disables certain functionalities to reduce the attack surface, thereby enhancing user security.

The findings underscore the ongoing arms race between cyber attackers and defenders. While government-backed hackers continue to leverage zero-day vulnerabilities for espionage and surveillance, the cybersecurity community is actively developing and implementing measures to mitigate these threats.