Google says 2021 was a record year for zero-day hacks

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Google's in-house security team has warned that zero-day security threats are becoming a bigger risk than ever before.

In its annual round-up of the zero-day threat landscape, the Google Project Zero team noted that 58 distinct threats were identified in 2021, the biggest number seen since it began investigating back in 2014.

This is up from the 25 exploits discovered in 2020, and nearly double the amount seen for most years covered by the investigation.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

Zero-day threat

Somewhat dishearteningly, the team noted that methodology used by zero-day attackers doesn't appear to have changed or evolved much from previous years, with the same bug patterns and exploitation techniques still proving popular.

“When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities,” wrote Google. “We’d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year.” 

However, Google does also note that the increase in reported zero-days may actually be a good thing, as it means more threats are being reported and publicly disclosed.

"We perform and share this analysis in order to make 0-day hard," Maddie Stone from the Project Zero team wrote in a blog post announcing the findings. "We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities."

"2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard over and over and over about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world."

"The decisions we make in the security and tech communities can have real impacts on society and our fellow humans’ lives."

Overall, Google says the industry does appear to be improving when it comes to the "detection and disclosure" of zero-day exploits, but it does warn that these are still "baby steps".

The company is calling for a number of steps to boost progress, including establishing an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited. 

Google also says that vendors and security researchers alike should do better at sharing exploit samples or techniques, and more effort is also needed on reducing memory corruption vulnerabilities or rendering them unexploitable. 

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.