Google: Governments are using zero-day hacks more than ever


Apr, 29 2025 18:11 PM
Dangerous out there

Google says zero-day threats are trending upward even as total detections fell in 2024.

Ryan Whitwam – Apr 29, 2025 12:53 pm

Last year was big for zero-day exploits, security threats that appear in the wild before vendors have a chance to develop patches. Through its sprawling network of services and research initiatives, Google is the first to spot many of these threats. In a new report from the Google Threat Intelligence Group (GTIG), the company reveals it detected 75 zero-day exploits in 2024, which is a bit lower than the previous year. Unsurprisingly, a sizable chunk of them was the work of state-sponsored hackers.

According to Google, zero-day exploits are becoming increasingly easy for threat actors to develop and procure, which has led to more sophisticated attacks. While end-user devices are still regularly targeted, GTIG notes that the trend over the past few years has been for these vulnerabilities to target enterprise systems and security infrastructure.

There were 98 zero-days detected in 2023 versus 75 in 2024, but Google says the overall trend in enterprise threats is increasing. That's not to say the products you use every day are safe from sneaky hacks—a slim majority of GTIG's 2024 zero-day threats still targeted users. In fact, Google says hackers were even more interested in certain platforms last year compared to the year before.

Windows exploits increased from 16 to 22, by far the single largest contributor to the total. Safari and iOS both fell to three and two zero-days, respectively—down from eleven and nine zero-days in 2023. Android held steady with seven hacks, and Chrome had the same, which was one higher than 2023.
Firefox was untargeted in 2023, but it was the subject of one zero-day attack in 2024.

Google has a few examples of the zero-day hacks it detected, as well as a full report (PDF) with technical details. One of Google's callouts is the CIGAR Local Privilege Escalation, which targeted Firefox and Tor browsers in late 2024. The CIGAR group, which is linked to Russia, used what is now known as CVE-2024-9680 to execute remote code on target machines running Firefox 131 to harvest user data.

Governments hacking enterprise

A few years ago, zero-day attacks almost exclusively targeted end users. In 2021, GTIG spotted 95 zero-days, and 71 of them were deployed against user systems like browsers and smartphones. In 2024, 33 of the 75 total vulnerabilities were aimed at enterprise technologies and security systems. At 44 percent of the total, this is the highest share of enterprise focus for zero-days yet.

GTIG says that it detected zero-day attacks targeting 18 different enterprise entities, including Microsoft, Google, and Ivanti. This is slightly lower than the 22 firms targeted by zero-days in 2023, but it's a big increase compared to just a few years ago, when seven firms were hit with zero-days in 2020.

The nature of these attacks often makes it hard to trace them to the source, but Google says it managed to attribute 34 of the 75 zero-day attacks. The largest single category with 10 detections was traditional state-sponsored espionage, which aims to gather intelligence without a financial motivation. China was the largest single contributor here. GTIG also identified North Korea as the perpetrator in five zero-day attacks, but these campaigns also had a financial motivation (usually stealing crypto).

That's already a lot of government-organized hacking, but GTIG also notes that eight of the serious hacks it detected came from commercial surveillance vendors (CSVs), firms that create hacking tools and claim to only do business with governments.
So it's fair to include these with other government hacks. This includes companies like NSO Group and Cellebrite, with the former already subject to US sanctions from its work with adversarial nations.

In all, this adds up to 23 of the 34 attributed attacks coming from governments. There were also a few attacks that didn't technically originate from governments but still involved espionage activities, suggesting a connection to state actors. Beyond that, Google spotted five non-government financially motivated zero-day campaigns that did not appear to engage in spying.

Google's security researchers say they expect zero-day attacks to continue increasing over time. These stealthy vulnerabilities can be expensive to obtain or discover, but the lag time before anyone notices the threat can reward hackers with a wealth of information (or money). Google recommends enterprises continue scaling up efforts to detect and block malicious activities, while also designing systems with redundancy and stricter limits on access. As for the average user, well, cross your fingers.

Ryan Whitwam is a senior technology reporter at Ars Technica, covering the ways Google, AI, and mobile technology continue to change the world. Over his 20-year career, he's written for Android Police, ExtremeTech, Wirecutter, NY Times, and more. He has reviewed more phones than most people will ever own. You can follow him on Bluesky, where you will see photos of his dozens of mechanical keyboards.