Security researchers regularly reveal software vulnerabilities that hackers can exploit, or even have exploited in the past. In some cases, they’re software issues that have not been used to hack or spy on users. In others, researchers identify malware and hacks that are actively used in the wild. By the time they release information about the attacks, the companies whose code had been attacked have already released updates to patch the problems. And security researchers usually point out when they believe the hacks are too sophisticated for a regular hacker to pull off.
Google runs an infamous security team at Project Zero that analyzes all sorts of operating systems and products for vulnerabilities. Since January, the team produced research that highlighted 11 zero-day exploits that were used to compromise Android, iPhone, and Windows. Back in January, Project Zero scientists pointed out the sophistication of the attacks that utilized previously unknown vulnerabilities in Chrome and Safari code. It turns out that the hackers behind the campaign that Google found were from a nation-state. They were part of a counterterrorism operation initiated by a Western ally, and the operation was ongoing when Project Zero started revealing the software issues.