
Google Report: Government Hackers Lead in Attributed Zero-Day Exploits, Targeting Consumer and Corporate Devices

According to Google's latest research, government hackers were responsible for a significant portion of the attributed zero-day exploits used in real-world cyberattacks in 2024. A zero-day exploit targets a security vulnerability that is unknown to the software developer at the time malicious actors begin exploiting it. The report indicates that the total number of zero-day exploits decreased from 98 in 2023 to 75 in 2024. However, the share of those exploits that Google could definitively attribute to specific actors remains concerning.

At least 23 of the 75 zero-day exploits were linked to government-backed hackers. Of these, 10 were attributed to hackers working directly for governmental entities: five exploits originated from China and another five from North Korea. A further eight exploits were identified as having been developed by spyware companies such as NSO Group, which primarily sell to governments. Notably, Google included in this category bugs recently exploited by Serbian authorities using Cellebrite phone-unlocking devices. The remaining 11 attributed zero-days were likely used by cybercriminals, including ransomware operators targeting enterprise devices such as virtual private networks (VPNs) and routers.

The report highlights that most of the 75 zero-day exploits in 2024 targeted consumer platforms and products, such as smartphones and web browsers. The rest were directed at devices typically found in corporate networks. On a positive note, Google observes that software developers are making it increasingly difficult for attackers to find and exploit vulnerabilities. "We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems," the report states.

James Sadowski, a principal analyst at Google's Threat Intelligence Group (GTIG), attributes this trend partly to advances in security features such as Lockdown Mode for iOS and macOS, which disables certain functionality to harden devices against government hackers. Moreover, Memory Tagging Extension (MTE), a security feature in modern Google Pixel chipsets, has been effective in detecting and mitigating certain classes of bugs, further strengthening device security.

However, the surveillance industry continues to evolve, with new vendors emerging to fill the void left by those pushed out of business through law enforcement actions or public disclosures. Clément Lecigne, a security engineer at GTIG, notes that surveillance companies are investing more in operational security to avoid detection and media attention. Sadowski adds, "As long as government customers continue to request and pay for these services, the industry will continue to grow."

Reports like this one from Google are valuable because they provide insight into the tactics and trends of government hackers. While the data helps inform the industry and the public, counting zero-days remains inherently difficult: by definition, many such vulnerabilities go undetected, and even those that are identified often cannot be reliably attributed. Nonetheless, the findings underscore the ongoing need for robust cybersecurity measures and continuous vigilance in protecting user data and devices.
