
Threat actors linked to nation-states exploited zero-days the most in 2022


Threat groups with ties to nation-states were the driving force behind exploiting zero-day vulnerabilities last year, according to a new report by cybersecurity firm Mandiant.

Cyberespionage groups linked to China were responsible for over 50% of the exploits in 2022 that the firm said it could confidently track to 13 advanced persistent threat groups (APTs), followed by Russia and North Korea. Overall, groups with links to nation-states accounted for 80% of the zero-day exploits.

Groups with ties to China led the pack with seven known vulnerabilities exploited last year, with Russia and North Korea tied with two each. Four zero-days were tied to financially motivated actors, with 75% likely performed by ransomware groups.

The total number of 55 zero-day vulnerabilities exploited last year is down 26 from the record 81 Mandiant tracked in 2021, but that figure is still triple the 2020 total.

Mandiant counts a vulnerability as a zero-day if it was exploited in the wild before a patch was publicly available. The report examined zero-day events identified by Mandiant, combined with reporting from open sources.

Mandiant researchers highlighted three Chinese-linked APT campaigns exploiting the Follina vulnerability (CVE-2022-30190), as well as FortiOS vulnerabilities (CVE-2022-42475 and CVE-2022-41328) for their focus on enterprise networking and security devices.

Because of their ubiquity, zero-days in Microsoft, Google and Apple products were used the most to gain elevated privileges or achieve remote code execution (RCE). Microsoft vulnerabilities led the pack with 18, followed by Google (10 vulnerabilities) and Apple (9 vulnerabilities).

Operating systems (OS) were the most exploited products at 19; followed by browsers (11); security, IT and network management products (10); and mobile OS (6).

Windows was by far the most exploited OS with 15 vulnerabilities, followed by Apple’s macOS with four. Google’s Chrome was the most exploited browser, accounting for nine of the 11 browser vulnerabilities.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
