Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
Analysis Summary
# Threat Actor: State-Sponsored/Government Hackers (General Focus)
## Attribution & Identity
The analysis focuses on **government-backed hackers** generally, who account for the largest share of zero-day exploitation in the wild that could be attributed. Specific attribution is made to:
* **China:** Linked to five attributed zero-day exploits in 2024.
* **North Korea:** Linked to five attributed zero-day exploits in 2024.
* **Serbian Authorities:** Implicated through the use of tools from surveillance enablers (like Cellebrite).
Known associated groups include **spyware makers and surveillance enablers** (e.g., NSO Group, whose exploited bugs are counted in this tally).
## Activity Summary
The primary activity detailed is the **exploitation of zero-day vulnerabilities** in real-world cyberattacks during 2024.
* The total number of observed zero-day exploits dropped from 98 in 2023 to 75 in 2024.
* Of the zero-days that Google could attribute in 2024, at least **23 exploits** were linked to government-backed hackers.
* This includes 10 zero-days directly attributed to governments (5 China, 5 North Korea) and 8 developed by spyware companies and used by governments.
## Tactics, Techniques & Procedures
The core TTP discussed is:
* **Exploitation of Zero-Day Vulnerabilities:** Abusing security flaws immediately after they are discovered, before software makers can issue patches.
* **Use of Commercial Spyware/Surveillance Tools:** Use of exploit tooling developed by third-party vendors rather than by the government actor itself; the cited instance is Serbian authorities exploiting bugs with Cellebrite devices.
*Note: Specific MITRE ATT&CK IDs were not provided in the source text.*
## Targeting
* **Sectors:** Not explicitly detailed, but the context of government-level zero-day use often implies targeting related to espionage, critical infrastructure, or politically sensitive entities.
* **Geography:** China and North Korea are identified as actors, but specific victim geography is not listed. Serbian authorities' activities are also noted.
* **Victims:** No specific victim organizations are named in this summary, only the actor nations and the entities utilizing surveillance tool capabilities.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly named, but the exploitation is tied to **zero-day vulnerabilities**.
* **Infrastructure (C2, domains, IPs):** None mentioned.
* **Associated Tools/Vendors:** **Cellebrite** phone-unlocking devices were mentioned in relation to exploitation by Serbian authorities. Spyware developed by commercial entities is noted as enabling actor TTPs.
## Implications
Government entities are the primary driver behind the weaponization and use of previously unknown, high-impact zero-day vulnerabilities in live operations. The reliance on commercial spyware vendors remains a significant vector for state-level activities.
## Mitigations
* For organizations utilizing devices or services potentially targeted by these actors, prompt patching once a vulnerability is disclosed is critical to shorten the exposure window, though by definition a zero-day is exploited before a patch exists, so patching cannot prevent the initial compromise.
* Risk assessment regarding supply chain security involving commercial surveillance technology providers is necessary, especially given documented instances of these tools being used for cyberattacks.