Davey Winder
Senior Contributor
Veteran cybersecurity and tech analyst, journalist, hacker, author.

There were 97 zero-day vulnerabilities seen in the wild in the past year, Google’s Threat Analysis Group and Mandiant have confirmed. When it comes to government-backed exploitation of zero-day vulnerabilities, there is one clear winner, according to Google: The People’s Republic of China was responsible for exploiting 12 of them in 2023, up from seven in 2022.

The overall number is just short of the 2021 record, which stands at 106 exploited vulnerabilities. However, it still represents a 50% increase in the number of zero-day vulnerabilities compared to the previous year. Of these 97 zero-day vulnerabilities, 29 were originally discovered by Google’s security researchers.

Google’s Threat Analysis Group

Google has access to some of the most talented security researchers around in the shape of its dedicated Threat Analysis Group. These TAG hackers are tasked with countering government-backed hacking and attacks against Google and its users.

Much of this work is devoted to discovering zero-day attacks. A zero-day vulnerability can be defined as one that threat actors, be they cybercriminals or government-backed agents, have managed to discover before the vendor. I would say before anyone else, but the truth of the matter is that until a zero-day vulnerability is exploited and that exploit itself is identified, any number of bad actors could be on it. The important thing is the observed zero-day exploit, as this marks the point from which security team clocks start ticking in the hunt for a patch.

Google’s TAG And Mandiant Zero-Day Report For 2023

Google has now published its zero-day report for 2023, comprising data from both the TAG team and Mandiant (which Google acquired in September 2022), to help shine a light on the zero-day landscape. The news is highly topical given the allegations about the hacking of U.K. politicians and voters, and one finding could easily dominate the reporting: People’s Republic of China cyber-espionage groups are found to have been responsible for exploiting 12 zero-day vulnerabilities across 2023. However, 48 of the 58 zero-days for which researchers could accurately attribute motivation were deemed to be the work of espionage groups, and the remaining 10 were financially motivated, which does rather dampen the impact.

Other highlights of the report include:


  • When it comes to in-the-wild exploits, more zero-days targeted Safari (11) than Chrome (eight).
  • The number of in-the-wild zero-day exploits targeting iOS (eight) was close to Android (nine), with iOS up from four in 2022 and Android up from three.
  • The majority (61%) of zero-days targeted end-user platforms and products such as operating systems, browsers and mobile devices, whereas the remainder targeted enterprise technology such as security products.
  • That said, enterprise-specific zero-day exploitation was up 64% from the previous year.


However, Google’s researchers do say that the likes of Apple, Google and Microsoft “have made notable investments that are having a clear impact on the types and number of zero-days actors are able to exploit.”

The report’s authors also told me that the zero-day exploitation by PRC actors Google has tracked in 2023 mirrors a trend it has observed for most of the last decade. “PRC cyber espionage groups invest significant resources in zero-day vulnerability research and exploitation, including a recent focus on zero-days in security, networking, and virtualization software, and we anticipate these exploitation trends to continue,” Google said.

The 12 zero-days from PRC actors in 2023 amounted to double the combined total of Russian, Belarusian and North Korean zero-day exploitation. “Meanwhile, we observed 24 zero-day exploits developed by commercial surveillance vendors (CSVs) used by government customers, dwarfing even the PRC’s exploitation in 2023,” the report authors concluded.
