Government hackers are leading the use of attributed zero-days, Google says

Hackers working for governments were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks last year, per new research from Google.

Google’s report said that the number of zero-day exploits — referring to security flaws that were unknown to the software makers at the time hackers abused them — had dropped from 98 exploits in 2023 to 75 exploits in 2024. But the report noted that of the proportion of zero-days that Google could attribute — meaning identifying the hackers who were responsible for exploiting them — at least 23 zero-day exploits were linked to government-backed hackers.

Among those 23 exploits, 10 zero-days were attributed to hackers working directly for governments, including five exploits linked to China and another five to North Korea. 

Another eight exploits were identified as having been developed by spyware makers and surveillance enablers, such as NSO Group, which typically claim to only sell to governments. Among those eight exploits made by spyware companies, Google is also counting bugs that were recently exploited by Serbian authorities using Cellebrite phone-unlocking devices.

Despite the fact that there were eight recorded cases of zero-days developed by spyware makers, Clément Lecigne, a security engineer at Google’s Threat Intelligence Group (GTIG), told TechCrunch that those companies “are investing more resources in operational security to prevent their capabilities being exposed and to not end up in the news.” 

Google added that surveillance vendors continue to proliferate. 

“In instances where law enforcement action or public disclosure has pushed vendors out of business, we’ve seen new vendors arise to provide similar services,” James Sadowski, a principal analyst at GTIG, told TechCrunch. “As long as government customers continue to request and pay for these services, the industry will continue to grow.” 

The remaining 11 attributed zero-days were likely exploited by cybercriminals, such as ransomware operators targeting enterprise devices, including VPNs and routers. 

The report also found that the majority of the total 75 zero-days exploited during 2024 were targeting consumer platforms and products, like phones and browsers; while the rest exploited devices typically found on corporate networks.

The good news, according to Google’s report, is that software makers defending against zero-day attacks are increasingly making it more difficult for exploit makers to find bugs.

“We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems,” per the report.

Sadowski specifically pointed to Lockdown Mode, a special feature for iOS and macOS that disables certain functionality with the goal of hardening cellphones and computers, which has a proven track record of stopping government hackers; as well as Memory Tagging Extension (MTE), a security feature of modern Google Pixel chipsets that helps detect certain types of bugs and improve device security. 

Reports like Google’s are valuable because they give the industry, and observers, data points that contribute to our understanding of how government hackers operate — even if an inherent challenge with counting zero-days is that, by nature, some of them go undetected, and of those that are detected, some still go without attribution.