\n<\/p>\n
Hackers working for governments were responsible for the majority of attributed zero-day exploits used in real-world cyberattacks last year, per new research from Google<\/a>.<\/p>\n Google\u2019s report said that the number of zero-day<\/a> exploits \u2014 referring to security flaws that were unknown to the software makers at the time hackers abused them \u2014 had dropped from 98 exploits in 2023 to 75 exploits in 2024. But the report noted that of the proportion of zero-days that Google could attribute \u2014 meaning identifying the hackers who were responsible for exploiting them \u2014 at least 23 zero-day exploits were linked to government-backed hackers.<\/p>\n Among those 23 exploits, 10 zero-days were attributed to hackers working directly for governments, including five exploits linked to China and another five to North Korea.\u00a0<\/p>\n Another eight exploits were identified as having been developed by spyware makers<\/a> and surveillance enablers, such as NSO Group, which typically claim to only sell to governments. Among those eight exploits made by spyware companies, Google is also counting bugs<\/a> that were recently exploited<\/a> by Serbian authorities using Cellebrite phone-unlocking devices.<\/p>\n Despite the fact that there were eight recorded cases of zero-days developed by spyware makers, Cl\u00e9ment Lecigne, a security engineer at Google\u2019s Threat Intelligence Group (GTIG), told TechCrunch that those companies \u201care investing more resources in operational security to prevent their capabilities being exposed and to not end up in the news.\u201d\u00a0<\/p>\n Google added that surveillance vendors continue to proliferate.\u00a0<\/p>\n \u201cIn instances where law enforcement action or public disclosure has pushed vendors out of business, we\u2019ve seen new vendors arise to provide similar services,\u201d James Sadowski, a principal analyst at GTIG, told TechCrunch. \u201cAs long as government customers continue to request and pay for these services, the industry will continue to grow.\u201d\u00a0<\/p>\n The remaining 11 attributed zero-days were likely exploited by cybercriminals, such as ransomware operators targeting enterprise devices<\/a>, including VPNs and routers.\u00a0<\/p>\n The report also found that the majority of the total 75 zero-days exploited during 2024 were targeting consumer platforms and products, like phones and browsers; while the rest exploited devices typically found on corporate networks.<\/p>\n The good news, according to Google\u2019s report, is that software makers defending against zero-day attacks are increasingly making it more difficult for exploit makers to find bugs.<\/p>\n \u201cWe are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems,\u201d per the report.<\/p>\n Sadowski specifically pointed to Lockdown Mode<\/a>, a special feature for iOS and macOS that disables certain functionality with the goal of hardening cellphones and computers, which has a proven track<\/a> record<\/a> of stopping government hackers; as well as Memory Tagging Extension<\/a> (MTE), a security feature of modern Google Pixel chipsets that helps detect certain types of bugs and improve device security.\u00a0<\/p>\n Reports like Google\u2019s are valuable because they give the industry, and observers, data points that contribute to our understanding of how government hackers operate \u2014 even if an inherent challenge with counting zero-days is that, by nature, some of them go undetected, and of those that are detected, some still go without attribution.<\/p>\n<\/div>\n