Government Hackers Lead Zero-Day Exploit Use in 2024
Government-backed hackers were the primary users of attributed zero-day exploits in 2024, according to new research from Google. The report reveals a shift in the landscape of cyberattacks, with state-sponsored actors playing a more prominent role.
Zero-Day Exploits Decline, But Government Use Increases
Google's Threat Intelligence Group (GTIG) reported a decrease in the total number of zero-day exploits from 98 in 2023 to 75 in 2024. A zero-day is a software vulnerability that is unknown to the vendor at the time it is exploited. However, of the attributed exploits, at least 23 were linked to government-backed hackers.
Ten of these exploits were directly attributed to government hackers, with five linked to China and five to North Korea. An additional eight exploits were connected to spyware makers and surveillance companies, which often sell their services to governments. This includes exploits used by Serbian authorities with Cellebrite phone-unlocking devices.

Despite the documented cases, spyware vendors are increasing their operational security to avoid detection, according to Clément Lecigne, a security engineer at GTIG.
Spyware vendors are investing more resources in operational security to prevent their capabilities being exposed.
Surveillance Industry Continues to Grow
The surveillance industry continues to expand, with new vendors emerging to replace those shut down by law enforcement or public exposure. James Sadowski, a principal analyst at GTIG, notes that government demand fuels this growth.
As long as government customers continue to request and pay for these services, the industry will continue to grow.
The remaining 11 attributed zero-days were likely used by cybercriminals, often targeting enterprise devices like VPNs and routers.
Consumer Platforms Remain Primary Targets
Most of the 75 zero-day exploits in 2024 targeted consumer platforms like phones and browsers. However, software makers are improving defenses, making it harder for attackers to find vulnerabilities.
Improved Security Measures Show Promise
Google's report highlights a decrease in zero-day exploitation of browsers and mobile operating systems. Sadowski credits security features like Apple's Lockdown Mode and the Memory Tagging Extension (MTE) in Google Pixel chipsets for increased protection.
While some zero-day exploits inevitably go undetected, Google's report provides valuable insights into the tactics of government hackers and the evolving cybersecurity landscape.