Google research has established that last year, most of the attributed zero-day vulnerabilities were exploited by hackers working for governments. According to TechCrunch, the number of zero-day vulnerabilities Google tracked fell from 98 in 2023 to 74 in 2024. However, the number found in 2024 was still higher than the 63 identified in 2022.
A zero-day attack is a form of cyberattack that focuses on a software vulnerability that is not known to the product or software maker. Since the vulnerability is not known, there isn’t a patch available to fix it at the time of exploitation.
Hackers leverage unknown vulnerabilities to gain unauthorized access to computer systems in order to disrupt them and steal data before defenses are implemented. Although Google’s threat analysis report showed a drop in these attacks, it noted that at least 23 of the zero-day exploits identified were linked to government hackers.
10 of these government-backed zero-day attacks were linked to hackers working directly for the government. Google found that non-espionage groups like CIGAR and FIN11 were leveraging zero-day vulnerabilities in campaigns that focused on espionage and extortion. For the first time, state-backed hackers from North Korea matched those from China, with each having 5 zero-day attacks attributed to them.
Google’s cyberattack threat report also identified 8 vulnerabilities that were created by spyware designers and surveillance facilitators like the NSO Group. Among these vulnerabilities, Google included bugs that the Serbian authorities exploited through phone-unlocking devices.
Google says that spyware companies are spending more on operational security to protect their capabilities and ensure that they’re not highlighted in the news. Google also said that the number of surveillance vendors is increasing rapidly.
“In instances where law enforcement action or public disclosure has pushed vendors out of business, we’ve seen new vendors arise to provide similar services. As long as government customers continue to request and pay for these services, the industry will continue to grow,” Principal Analyst at Google’s Threat Intelligence Group (GTIG) James Sadowski said.
In its report, Google isolated 11 zero-day attacks that targeted enterprise devices like routers and VPNs. The report linked these attacks to cybercriminals like ransomware operators. Hackers are attracted to security and networking appliances because they provide wide access to networks. The monitoring capabilities of these appliances are also weaker.
Google also found that last year, the majority of the zero-day vulnerabilities were directed at consumer products and platforms like browsers and phones. The rest targeted corporate networks.
“We’re seeing zero-day exploitation shift towards enterprise-focused products, which requires a wider and more diverse set of vendors to increase proactive security measures. The future of zero-day exploitation will ultimately be dictated by vendors’ decisions and ability to counter threat actors’ objectives and pursuits,” Casey Charrier, Senior Analyst at GTIG, said in a statement.
The latest zero-day attacks report came with some good news. Google noted that software manufacturers are building defenses against these types of attacks. These defenses are making it difficult for hackers to find bugs and empowering their customers to build cyber resilience.
“We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems,” the report stated.
Some examples highlighted by Sadowski included Lockdown Mode, an iOS and macOS feature that disables specific functionalities to harden devices. This feature has been successful at stopping government hackers. Google Pixel’s Memory Tagging Extension is another security feature that detects specific bugs and boosts device security.
“Zero-day exploitation continues to grow at a slow but steady pace. However, we’ve also started seeing vendors’ work to mitigate zero-day exploitation start to pay off,” Charrier added.