
Most Zero-Day Exploits from Government Hackers says Google


Government hackers were behind the majority of known zero-day exploits used in cyberattacks in 2024, according to new research from Google’s Threat Analysis Group (GTIG). While the overall number of zero-day exploits declined compared to the previous year, state-linked actors and spyware vendors remain dominant players in these high-impact security breaches.

Google’s report revealed that 75 zero-day vulnerabilities were exploited in real-world attacks in 2024, down from 98 zero-days in 2023. These zero-days represent security flaws that software vendors were unaware of at the time they were exploited by threat actors. While not all attacks could be attributed, the report identified 34 exploits that were clearly linked to specific threat groups.

State-Backed Hackers Behind a Growing Share

Among the 34 attributed zero-days, 23 were tied to government-affiliated hackers. Ten of those attacks were directly traced to state-sponsored groups, including five linked to China and five to North Korea. These exploits were primarily used in cyber-espionage operations, targeting devices and platforms commonly used by consumers and enterprises alike.

Clément Lecigne, a security engineer at GTIG, emphasized the sophistication of these groups and their operational security. “We continue to see well-resourced government attackers improving their stealth and capabilities,” he said.

In addition to direct state actors, eight zero-days were traced back to commercial surveillance vendors, such as NSO Group and Cellebrite. These companies typically claim to sell hacking tools only to government clients, but their exploits are increasingly being exposed. For example, Serbian authorities were found to have used Cellebrite’s phone-unlocking tech in operations involving recent zero-day vulnerabilities.

According to Lecigne, spyware vendors are investing heavily in hiding their activity. “They are putting more resources into operational security to avoid exposure and keep their tools out of public reports,” he said.

GTIG’s James Sadowski added that even when law enforcement efforts force a surveillance company to shut down, others quickly take their place. “As long as governments continue to buy these services, this industry will keep growing,” he explained.

Cybercriminals Still in the Mix

The remaining 11 attributed zero-day exploits were used by cybercriminals, including ransomware groups. These actors primarily targeted enterprise infrastructure, such as VPN appliances and network routers, with the goal of gaining unauthorized access to corporate environments.

While government-sponsored and commercial actors accounted for most of the known exploits, cybercriminals continue to present a persistent threat—especially to businesses with outdated or poorly secured systems.

The report highlighted that a majority of the 75 zero-days were used to compromise consumer-facing platforms, such as mobile phones and web browsers. Fewer zero-days were aimed at enterprise-only technologies, though they remain valuable targets for sophisticated attackers.

However, Google sees a positive trend in how vendors are defending against these threats. “We are seeing notable decreases in zero-day exploitation of some historically popular targets, such as browsers and mobile operating systems,” the report stated.

Defensive Innovations Make a Difference

Sadowski credited improvements in software defenses for the decline in certain types of zero-day attacks. He pointed to features like Lockdown Mode on Apple devices and Memory Tagging Extension (MTE) on Google Pixel phones as effective tools in stopping sophisticated threats.

Lockdown Mode disables high-risk functions that are often targeted in attacks, offering extra protection for individuals facing advanced threats, such as journalists and activists. MTE, meanwhile, helps detect and mitigate memory-based vulnerabilities by tagging memory allocations—making it harder for attackers to execute successful exploits.
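To make the memory-tagging idea concrete, here is an added, self-contained software simulation of what MTE does in hardware. It is not code from the article or from Google; it models only the principle (a small tag per 16-byte granule, a tag carried with each pointer, and a check on every access) with an arena, a tag table and checked accessors of this example's own naming, so it runs on any machine without MTE-capable silicon. Real hardware picks tags randomly and raises a fault on mismatch; the simulation assigns tags sequentially and reports a rejected access instead.

```c
/* Simulated memory tagging: one 4-bit tag per 16-byte granule, checked on
 * every load/store. Added example; layout and names are this demo's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRANULE     16
#define ARENA_BYTES 4096
#define NGRANULES   (ARENA_BYTES / GRANULE)

static uint8_t arena[ARENA_BYTES];
static uint8_t granule_tag[NGRANULES]; /* simulated tag memory; 0 = not allocated */
static size_t  next_free = 0;          /* bump allocator, no reuse, for simplicity */
static uint8_t next_tag  = 1;          /* hardware randomizes; we cycle 1..15 */

/* A tagged pointer: on real MTE the tag sits in the pointer's unused top byte. */
typedef struct { size_t off; uint8_t tag; } tptr;

static size_t round_up(size_t n) { return (n + GRANULE - 1) / GRANULE * GRANULE; }

/* Allocate n bytes, give every granule of the block a fresh tag,
 * and hand back a pointer carrying that tag. tag 0 signals failure. */
tptr tag_alloc(size_t n) {
    size_t sz = round_up(n ? n : 1);
    tptr p = { 0, 0 };
    if (next_free + sz > ARENA_BYTES) return p;
    p.off = next_free;
    p.tag = next_tag;
    for (size_t g = next_free / GRANULE; g < (next_free + sz) / GRANULE; g++)
        granule_tag[g] = next_tag;
    next_free += sz;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    return p;
}

/* Free: retag the granules so any dangling pointer no longer matches. */
void tag_free(tptr p, size_t n) {
    size_t sz = round_up(n ? n : 1);
    for (size_t g = p.off / GRANULE; g < (p.off + sz) / GRANULE; g++)
        granule_tag[g] = 0;
}

/* Checked store: 1 on success, 0 where hardware MTE would fault. */
int tag_store(tptr p, size_t idx, uint8_t value) {
    size_t a = p.off + idx;
    if (p.tag == 0 || a >= ARENA_BYTES || granule_tag[a / GRANULE] != p.tag) return 0;
    arena[a] = value;
    return 1;
}

/* Checked load: 1 and *out filled on success, 0 on tag mismatch. */
int tag_load(tptr p, size_t idx, uint8_t *out) {
    size_t a = p.off + idx;
    if (p.tag == 0 || a >= ARENA_BYTES || granule_tag[a / GRANULE] != p.tag) return 0;
    *out = arena[a];
    return 1;
}

/* Scenario 1: a linear overflow from buffer a into adjacent buffer b.
 * Returns how many of the 32 writes were rejected (expected: the 16 that
 * land in b's granule, whose tag differs from a's). */
int demo_overflow(void) {
    tptr a = tag_alloc(16);
    tptr b = tag_alloc(16);
    (void)b;
    int blocked = 0;
    for (size_t i = 0; i < 32; i++)      /* the writer wrongly assumes 32 bytes */
        if (!tag_store(a, i, 0x41)) blocked++;
    return blocked;
}

/* Scenario 2: use after free. Returns 1 if the stale pointer was rejected. */
int demo_uaf(void) {
    tptr p = tag_alloc(32);
    tag_store(p, 0, 7);
    tag_free(p, 32);
    uint8_t v;
    return tag_load(p, 0, &v) ? 0 : 1;
}

/* Scenario 3: in-bounds use of a multi-granule block keeps working. */
int demo_valid(void) {
    tptr p = tag_alloc(40);               /* rounds up to three granules */
    for (size_t i = 0; i < 40; i++)
        if (!tag_store(p, i, (uint8_t)i)) return 0;
    uint8_t v;
    return tag_load(p, 39, &v) && v == 39;
}

int main(void) {
    printf("overflow writes blocked: %d (expect 16)\n", demo_overflow());
    printf("use-after-free caught:   %d (expect 1)\n", demo_uaf());
    printf("valid access ok:         %d (expect 1)\n", demo_valid());
    return 0;
}
```

The point the article makes follows directly from the three scenarios: the overflow and the dangling pointer are caught at the first bad access rather than silently corrupting a neighbouring object, which is what makes exploit chains that depend on such corruption unreliable. With sequential tags every neighbour differs; real MTE uses random tags, so a naive allocator has a one-in-sixteen chance of giving adjacent blocks the same tag, which is why production allocators deliberately avoid equal tags on neighbours.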

While the report provides valuable insights, Google acknowledges the inherent difficulty of tracking zero-day exploits. Many remain undetected, and among those discovered, attribution is often complex. Nonetheless, reports like this offer a rare look into how governments and surveillance firms deploy cutting-edge cyber weapons—and the evolving efforts to stop them.
