Unmasking the Invisible: The Shadowy Surge of Government-Backed Zero-Day Exploits in 2024

Government-backed hackers were responsible for the majority of attributed zero-day exploit activity detected globally in 2024, according to new research from Google. In a detailed examination released recently, Google’s Threat Intelligence Group (GTIG) reported that the number of zero-day vulnerabilities exploited last year dropped from 98 in 2023 to 75 in 2024. These zero-days are security flaws that software manufacturers were unaware of before hackers exploited them for cyberattacks.

Of the vulnerabilities that researchers successfully attributed to known actors, at least 23 were directly linked to state-sponsored entities or surveillance companies used by governments. Specifically, hackers operating under the guidance or direction of national governments accounted for 10 of these exploits—five tied to China and another five to North Korea.

Spyware and surveillance vendors, companies which typically market their products explicitly to governments, produced another eight of the zero-day exploits noted by Google. Included in this tally were attacks linked to infamous spyware manufacturer NSO Group and more recent evidence of exploits associated with Cellebrite, whose technologies Serbian authorities reportedly used unlawfully to access and compromise journalists’ phones.

Google security engineer Clément Lecigne underscored the increased secrecy among spyware firms, noting these companies have intensified their operational security measures specifically to avoid detection and negative publicity. Despite periodic crackdowns and public exposure, Google’s analysts emphasize the continuous growth of this covert market. James Sadowski, principal analyst at GTIG, explained that even when prominent vendors are forced out of business due to legal pressures or damaging revelations, new firms inevitably step in to serve state clients seeking surveillance and espionage capabilities.

The remaining 11 attributed zero-days are believed to have come from criminal groups and ransomware operators targeting corporate infrastructure such as VPNs and routers, critical components of enterprise networks. Google’s report also highlights that the bulk of the 2024 zero-day exploits targeted consumer technologies, such as mobile phones and web browsers, alongside corporate network devices.

Encouragingly, Google’s data suggests that advances in software defenses are successfully making it more challenging for malicious actors to discover and exploit zero-days. There has been a considerable decrease in zero-day exploits against commonly targeted applications like web browsers and mobile operating systems, largely due to enhanced security features like Apple’s Lockdown Mode—an option available to iOS and macOS users that significantly limits device functionality to thwart espionage attempts—and Google’s own Memory Tagging Extension (MTE), a security enhancement in Pixel phones designed to detect and neutralize certain bug types.
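To make concrete what a memory-tagging defence like MTE actually catches, the following is an added example, not code from Google's report or from Arm's or Google's implementation: a small software model, written for this page, of tagged memory. Real MTE does the check in hardware on AArch64 (16-byte granules, a 4-bit tag carried in the top byte of the pointer); here the allocator, the tag store and the load/store check are all simulated in plain C so it runs on any machine. The pool size, tag cycling order and the `checked_load`/`checked_store` helpers are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Software model of memory tagging (added example; real MTE does this in hardware).
 * Memory is coloured in 16-byte granules; every pointer carries a 4-bit tag in its
 * top byte; every access compares the two and faults on a mismatch. */
#define GRANULE 16
#define TAG_SHIFT 56
#define POOL_GRANULES 64

static uint8_t pool[POOL_GRANULES * GRANULE];   /* the "tagged" memory */
static uint8_t granule_tag[POOL_GRANULES];       /* tag store, one entry per granule */
static size_t next_granule = 0;                  /* bump allocator cursor */
static uint8_t next_tag = 1;                     /* 0 is reserved for freed memory */

/* Recover the real address from a tagged pointer. */
static uint8_t *untag(uintptr_t p) { return (uint8_t *)(p & ((1ULL << TAG_SHIFT) - 1)); }
static uint8_t ptr_tag(uintptr_t p) { return (uint8_t)(p >> TAG_SHIFT) & 0xF; }

/* Allocate n bytes: round up to whole granules, colour them with one fresh tag,
 * and return the address with that tag stored in its top byte. */
static uintptr_t tagged_alloc(size_t n) {
    size_t g = (n + GRANULE - 1) / GRANULE;
    if (g == 0) g = 1;
    if (next_granule + g > POOL_GRANULES) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15) + 1;        /* cycle 1..15; neighbours always differ */
    for (size_t i = 0; i < g; i++) granule_tag[next_granule + i] = tag;
    uintptr_t addr = (uintptr_t)&pool[next_granule * GRANULE];
    next_granule += g;
    return addr | ((uintptr_t)tag << TAG_SHIFT);
}

/* Free: retag the block's granules so any stale pointer no longer matches. */
static void tagged_free(uintptr_t p) {
    size_t first = (size_t)(untag(p) - pool) / GRANULE;
    uint8_t tag = ptr_tag(p);
    for (size_t i = first; i < POOL_GRANULES && granule_tag[i] == tag; i++) granule_tag[i] = 0;
}

/* Model the hardware check on a store: 0 on success, -1 on a tag fault. */
static int checked_store(uintptr_t p, uint8_t value) {
    uintptr_t a = (uintptr_t)untag(p);
    if (a < (uintptr_t)pool || a >= (uintptr_t)pool + sizeof pool) return -1;
    size_t g = (a - (uintptr_t)pool) / GRANULE;
    if (granule_tag[g] != ptr_tag(p)) return -1;     /* pointer tag != memory tag */
    pool[a - (uintptr_t)pool] = value;
    return 0;
}

/* Same check on a load. */
static int checked_load(uintptr_t p, uint8_t *out) {
    uintptr_t a = (uintptr_t)untag(p);
    if (a < (uintptr_t)pool || a >= (uintptr_t)pool + sizeof pool) return -1;
    size_t g = (a - (uintptr_t)pool) / GRANULE;
    if (granule_tag[g] != ptr_tag(p)) return -1;
    *out = pool[a - (uintptr_t)pool];
    return 0;
}

/* In-bounds use: every byte of a 16-byte buffer is writable. Returns 0. */
int demo_in_bounds(void) {
    uintptr_t buf = tagged_alloc(16);
    for (int i = 0; i < 16; i++)
        if (checked_store(buf + i, 0x41) != 0) return -1;
    return 0;
}

/* Linear overflow: writing 20 bytes into a 16-byte buffer. The 17th byte lands in
 * the neighbouring granule, which has a different tag, so that store faults.
 * Returns the index of the first faulting byte (16), or -1 if nothing faulted. */
int demo_overflow(void) {
    uintptr_t buf = tagged_alloc(16);
    uintptr_t neighbour = tagged_alloc(16);          /* adjacent block, its own tag */
    (void)neighbour;
    for (int i = 0; i < 20; i++)
        if (checked_store(buf + i, 0x41) != 0) return i;
    return -1;
}

/* Use after free: the stale pointer still carries the old tag, the memory does not.
 * Returns -1 (fault) on the dangling load. */
int demo_use_after_free(void) {
    uintptr_t p = tagged_alloc(8);
    if (checked_store(p, 7) != 0) return -2;         /* live access must succeed */
    tagged_free(p);
    uint8_t v;
    return checked_load(p, &v);
}

int main(void) {
    printf("in-bounds writes: %d (0 = ok)\n", demo_in_bounds());
    printf("overflow faulted at byte %d\n", demo_overflow());
    printf("use-after-free load: %d (-1 = fault)\n", demo_use_after_free());
    return 0;
}
```

The point the model makes is the one the paragraph gestures at: a defender does not need to know the specific bug in advance, because a one-byte linear overflow and a dangling-pointer read are both turned into a deterministic fault at the first bad access rather than a silent corruption an exploit chain can build on. The model is only a teaching aid; on real hardware the tags are invisible to software, the fault is raised by the CPU, and the granule and tag widths are fixed by the architecture.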

Reports such as Google’s illustrate essential trends in cyber threats, providing industry stakeholders with valuable insight into the operations and methods of state-linked cyber activity. However, security experts caution that quantifying zero-day attacks remains challenging: sophisticated attacks often escape detection, and even detected breaches frequently defy attribution.
