# State-Sponsored Hackers Dominate Zero-Day Exploit Landscape, Google Report Reveals

A new report from Google sheds light on the evolving landscape of cybersecurity threats, revealing that government-backed actors are increasingly responsible for exploiting previously unknown vulnerabilities, known as zero-day exploits. While the overall number of zero-day exploits decreased in 2024 compared to the previous year, the proportion attributed to state-sponsored entities has risen sharply.

According to Google’s research, the total number of zero-day exploits dropped from 98 in 2023 to 75 in 2024. A zero-day exploit targets a security flaw unknown to the software vendor, making it particularly dangerous. However, the report highlights a concerning trend: of the exploits that could be attributed, at least 23 were linked to government-backed hackers.

Of those 23 attributed zero-days, 10 were directly traced to government-affiliated hackers, with China and North Korea each accounting for five exploits. Another eight were attributed to commercial spyware vendors like NSO Group, which typically claim to sell their tools exclusively to governments. This raises questions about the ethics and potential misuse of such powerful surveillance technologies. The report even points to instances where Serbian authorities allegedly used Cellebrite phone-unlocking devices, tools often acquired by law enforcement, to plant spyware on a journalist’s phone.

*A chart showing the zero-day exploits that were attributed in 2024. (Image: Google)*

Despite the controversy surrounding spyware vendors, Google notes that these companies are becoming more adept at hiding their activities. Clément Lecigne, a security engineer at Google’s Threat Intelligence Group (GTIG), stated that spyware makers “are investing more resources in operational security to prevent their capabilities being exposed and to not end up in the news.”

This increased focus on secrecy underscores the ongoing cat-and-mouse game between security researchers and exploit developers. The remaining 11 attributed zero-days were likely used by cybercriminals, targeting enterprise devices like VPNs and routers with ransomware attacks.

The report further highlights that the majority of the 75 exploited zero-days targeted consumer platforms and products such as phones and browsers, while the rest focused on corporate networks. This emphasizes the pervasive threat to both individual users and organizations.

However, the report offers some optimistic news: software vendors are making it increasingly difficult for exploit developers to find vulnerabilities. Google’s report notes “notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems.”

Specific examples include Apple’s Lockdown Mode, a hardened security feature for iOS and macOS devices that has demonstrably thwarted government-backed hackers, and Memory Tagging Extension (MTE), a security enhancement in modern Google Pixel chipsets that helps detect certain types of bugs.

While the inherent challenge of detecting and attributing all zero-day exploits remains, Google’s report provides valuable insights into the evolving threat landscape. By understanding how government hackers and cybercriminals operate, the industry and individuals can better defend against these sophisticated attacks and work towards a more secure digital future. These data points contribute significantly to our understanding of the current threat landscape and inform future cybersecurity strategies.
