
Zero-Day Exploits: Government Hackers Take the Lead in 2024, Google Report Reveals
A new report from Google reveals a concerning trend: government-backed hackers are increasingly dominating the landscape of zero-day exploit usage. While the overall number of zero-day exploits decreased in 2024, the proportion attributed to governments and state-affiliated actors has risen sharply, raising alarms about the evolving nature of cyber warfare and digital espionage. This shift necessitates a more robust and proactive approach to cybersecurity, particularly for enterprises.
Google's Threat Intelligence Group (GTIG) found that the total number of zero-day exploits dropped from 98 in 2023 to 75 in 2024. A zero-day exploit targets a security flaw that is unknown to the software vendor, and therefore unpatched, at the time attackers use it. However, the data reveals that of the attributed zero-days, at least 23 were linked to government actors. This includes 10 exploits directly attributed to governments, with five linked to China and five to North Korea, demonstrating a significant escalation in state-sponsored cyber activity.

Adding to the concern, eight more exploits were attributed to commercial surveillance vendors (CSVs) like NSO Group and Cellebrite, companies that often claim to sell exclusively to governments. These findings suggest that despite efforts to regulate and sanction such vendors, they continue to play a significant role in enabling government hacking operations.
Clément Lecigne, a security engineer at Google's GTIG, noted that surveillance vendors are becoming more adept at hiding their activities, investing in operational security to avoid public exposure. James Sadowski, a principal analyst at GTIG, also highlighted the concerning trend of new vendors emerging to fill the void left when others are pushed out of business, driven by continued demand from government customers.
While government-backed entities dominate the attributed attacks, cybercriminals also play a role. Approximately 11 of the attributed zero-days were likely exploited by ransomware operators targeting enterprise devices, including VPNs and routers. This underscores the multifaceted threat landscape, requiring businesses to defend against both sophisticated state-sponsored attacks and more conventional financially motivated cybercrime.
The report also indicates a shift in targets. While user systems like browsers and smartphones were the primary targets a few years ago, in 2024 a significant 44% of zero-days were aimed at enterprise technologies and security systems. This makes security and network tools prime targets, because they connect to many systems across an organization and typically run with high privileges.

Despite the concerning trends, there is some good news. Google reports that software makers are making it more difficult for exploit developers to find and exploit bugs. Features like Apple's Lockdown Mode for iOS and macOS, and Google Pixel's Memory Tagging Extension (MTE) are proving effective in stopping government hackers and improving device security.
While overall zero-day exploitation continues to grow, vendors' work to mitigate such attacks is beginning to pay off, according to Casey Charrier, Senior Analyst at GTIG. However, the shift toward enterprise targets means a wider range of vendors must increase proactive security measures to counter threat actors' objectives.
Google recommends that enterprises prioritize stronger detection and blocking of malicious activities, while also designing systems with redundancy and strict access controls. What steps is your organization taking to address this evolving threat landscape? Share your thoughts and strategies in the comments below.