Government Hackers Drive Majority of Zero-Day Exploits in 2024 Cyberattacks
Google's 2024 report shows a decline in zero-day exploits but reveals government-backed hackers remain the primary threat actors. Of 75 exploits, 23 were linked to state-sponsored groups, including China and North Korea, and spyware firms like NSO Group. While consumer platforms are mostly targeted, advances like iOS Lockdown Mode and Google Pixel's MTE enhance defenses, signaling progress in cybersecurity.
In 2024, government-affiliated hackers were responsible for the majority of zero-day exploits used in real-world cyberattacks, according to new research from Google’s Threat Intelligence Group (GTIG). A zero-day exploit takes advantage of a security vulnerability that is unknown to the software maker at the time attackers use it, so no patch exists yet. While the total number of zero-day exploits decreased from 98 in 2023 to 75 in 2024, the proportion linked to government-backed actors remains significant.
Google attributed at least 23 zero-day exploits to government-backed hackers. Of these, 10 were directly linked to state-sponsored groups, with five tied to China and five to North Korea. Additionally, eight exploits were developed by spyware companies such as NSO Group, which typically sell their tools exclusively to governments. Notably, some exploits were used by Serbian authorities via Cellebrite phone-unlocking devices, illustrating the broad reach of these surveillance technologies.
Although spyware vendors remain active, Google security engineer Clément Lecigne noted that these companies are investing heavily in operational security to avoid exposure and negative publicity. However, the spyware industry continues to grow as new vendors emerge to meet ongoing government demand for surveillance capabilities, according to GTIG principal analyst James Sadowski.
The remaining 11 attributed zero-day exploits were linked to cybercriminal groups, including ransomware operators targeting enterprise infrastructure such as VPNs and routers. Overall, most zero-day attacks in 2024 targeted consumer platforms like smartphones and web browsers, while a smaller portion affected corporate network devices.
On a positive note, Google’s report highlights improvements in software defenses that are making zero-day exploitation more difficult. For example, Apple’s Lockdown Mode for iOS and macOS has proven effective at blocking government hackers by disabling functionality that exploits commonly rely on. Similarly, the Memory Tagging Extension (MTE) on Google Pixel devices helps detect memory safety bugs at runtime, turning silent memory corruption into a detectable fault and so hardening the device against exploits.
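To make the MTE point concrete, here is an added software model of how memory tagging catches memory-safety bugs; it is an illustration written for this page, not code from Google's report, from Pixel's firmware or from any real allocator. It assumes a 16-byte tag granule and 4-bit tags (as in ARM MTE) but keeps tags in a plain array rather than hardware, uses offsets into a model heap instead of real addresses, and names its functions (`mte_alloc`, `mte_store`, the `demo_*` checks) purely for illustration. The last demo shows the known limitation of granule-sized tagging, where an overflow that stays inside the allocation's final granule is not detected.

```c
#include <stddef.h>
#include <stdint.h>

#define HEAP_SIZE  4096
#define GRANULE    16                 /* MTE tags memory in 16-byte granules */
#define NGRANULES  (HEAP_SIZE / GRANULE)

/* Model heap: data plus one 4-bit tag per granule. Real MTE keeps the tags in
   separate hardware-managed storage; this array stands in for it. */
static uint8_t heap[HEAP_SIZE];
static uint8_t granule_tag[NGRANULES];
static size_t  heap_top = 0;          /* simple bump allocator, no reuse */
static uint8_t next_tag = 1;          /* tags 1..15; 0 is left as "untagged" */

/* A pointer that carries its allocation's tag, as MTE does in the top byte of
   a real address. Here addr is an offset into the model heap (assumption). */
typedef struct { size_t addr; uint8_t tag; } tagged_ptr;

static uint8_t fresh_tag(void) {
    uint8_t t = next_tag;
    next_tag = (uint8_t)(next_tag % 15) + 1;   /* rotate through 1..15 */
    return t;
}

static void set_tags(size_t addr, size_t len, uint8_t tag) {
    for (size_t g = addr / GRANULE; g < (addr + len) / GRANULE; g++)
        granule_tag[g] = tag;
}

/* Allocate: round up to whole granules, colour them with a fresh tag and hand
   back a pointer carrying that same tag. */
tagged_ptr mte_alloc(size_t n) {
    size_t len = (n + GRANULE - 1) / GRANULE * GRANULE;
    tagged_ptr p = { heap_top, fresh_tag() };
    set_tags(p.addr, len, p.tag);
    heap_top += len;
    return p;
}

/* Free: recolour the granules with a different tag, so any later access
   through the stale pointer mismatches. This is how MTE surfaces use-after-free. */
void mte_free(tagged_ptr p, size_t n) {
    size_t len = (n + GRANULE - 1) / GRANULE * GRANULE;
    set_tags(p.addr, len, (uint8_t)(p.tag % 15) + 1);   /* guaranteed != p.tag */
}

/* Every access is checked: the pointer's tag must equal the tag on the granule
   being touched. Returns 0 on a match and -1 on a tag fault (a real CPU would
   raise a synchronous exception and the process would be killed). */
int mte_store(tagged_ptr p, size_t off, uint8_t v) {
    size_t a = p.addr + off;
    if (a >= HEAP_SIZE || granule_tag[a / GRANULE] != p.tag) return -1;
    heap[a] = v;
    return 0;
}

int mte_load(tagged_ptr p, size_t off, uint8_t *out) {
    size_t a = p.addr + off;
    if (a >= HEAP_SIZE || granule_tag[a / GRANULE] != p.tag) return -1;
    *out = heap[a];
    return 0;
}

/* Correct use: every access matches its tag; returns the number of faults (0). */
int demo_in_bounds(void) {
    tagged_ptr a = mte_alloc(32);
    int faults = 0;
    for (size_t i = 0; i < 32; i++) faults += mte_store(a, i, (uint8_t)i) != 0;
    uint8_t v = 0;
    faults += mte_load(a, 31, &v) != 0 || v != 31;
    return faults;
}

/* Linear overflow into the neighbouring allocation: the neighbour's granules
   carry a different tag, so the first out-of-bounds byte faults. Returns 1 if caught. */
int demo_overflow_caught(void) {
    tagged_ptr a = mte_alloc(16);
    tagged_ptr b = mte_alloc(16);
    (void)b;
    return mte_store(a, 16, 0x41) == -1;
}

/* Use-after-free: the freed granules were recoloured, so the stale pointer faults. */
int demo_uaf_caught(void) {
    tagged_ptr a = mte_alloc(16);
    mte_free(a, 16);
    return mte_store(a, 0, 0x41) == -1;
}

/* Limitation: tagging is per granule, so an overflow that stays inside the
   allocation's last granule (byte 20 of a 20-byte request, which occupies 32
   bytes) is not detected. Returns 1 when the bad write is silently allowed. */
int demo_intra_granule_overflow_missed(void) {
    tagged_ptr a = mte_alloc(20);
    return mte_store(a, 20, 0x41) == 0;
}
```

The design choice worth noticing is that detection needs no knowledge of the bug: the allocator only has to give adjacent and freed memory a different colour than the pointer the program is still holding, and the access check does the rest. That is what makes MTE effective against exploits the defender has never seen, and the final demo is why allocator layout and additional checks still matter alongside it.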
Google’s ongoing research into zero-day exploits provides critical insights into how government hackers and cybercriminals operate, informing the cybersecurity community and software developers. While some zero-days remain undetected or unattributed, these reports help shape defensive strategies and highlight the importance of continued innovation in security technologies.
As governments and private companies alike face increasing threats from sophisticated zero-day exploits, understanding the evolving landscape of cyberattacks is essential. The interplay between state-sponsored hackers, spyware vendors, and cybercriminals underscores the complexity of modern cybersecurity challenges and the need for robust, adaptive defenses.
QuarkyByte empowers cybersecurity teams with actionable intelligence on zero-day threats and government-backed exploits. Explore how our insights help you anticipate attack vectors, strengthen defenses on consumer and enterprise platforms, and stay ahead of evolving spyware tactics. Partner with QuarkyByte to fortify your security posture against sophisticated cyber adversaries.