This is linked to the commodification (not sure if that’s actually a word) of exploits. It seems that the West especially has outsourced to for-profit private companies…:
[…] While Metrick, Najafi and Jared listed Chinese, North Korean and Russian groups as examples of major cyber powers exploiting zero-days, there was no mention of any American involvement, though the US was said to have used nine zero-days as mentioned above.
This may be because the main agency in the US developing and using offensive cyber tools, the NSA, outsources a lot of its work and security firms are reluctant to talk about such exploits for fear of losing lucrative contracts.
The FireEye researchers said it appeared that access to zero-day capabilities was being more and more commodified and said there could be two main reasons for this.
“Private companies are likely creating and supplying a larger proportion of zero-days than they have in the past, resulting in a concentration of zero-day capabilities among highly resourced groups,” they wrote.
“Private companies may be increasingly providing offensive capabilities to groups with lower overall capability and/or groups with less concern for operational security, which makes it more likely that usage of zero-days will be observed.”