What is a Targeted Attack?
A Primer for Activists, Journalists and Nonprofits
The following article was made using notes from our past digital rights / digital security workshops and meetups.
🔍 What is a Targeted Attack?
A targeted attack is a deliberate cyber operation focused on monitoring, surveilling, or collecting intelligence on a specific person, organization, network, or community, for information, control or intimidation.
In other words, the goal is to gather information about the target or disrupt their work, versus, for example, financial gain. These attacks are directed at specific individuals or organizations considered “high value” - such as social movement leaders, investigative journalists, or a specific nonprofit advancing a specific causes - and are typically carried out by:
Governments seeking to silence dissent
Private contractors or spyware vendors working on behalf of authoritarian regimes or bad actors
Hostile groups attempting to steal data or monitor organizing efforts for specific agendas
These attackers often customize their tactics and strategies to focus on exploiting their targe’t’s specific vulnerabilities, and can range from the use of spyware to social-engineering campaigns.
In recent years, targeted attacks against human rights, social justice, and civil society groups have increased significantly. According to Cloudflare, for example, from 2024 to 2025 they witnessed a rise of 241% in cyber threats against these groups.
⚔️ How Targeted Attacks Usually Work
Strategic and persistent, targeted attacks often unfold in stages
Research and profiling – Attackers study their targets’ digital habits, networks, and vulnerabilities to identify the most effective entry points.
Initial contact and Exploitation – Attackers launch tailored tactics—such as phishing emails, fake login pages, or malicious links—to exploit a target’s weaknesses or vulnerabilities.
Infiltration – Attackers gain access to devices or accounts, monitor activity, and extract sensitive information.
Persistence – Even after detection or removal, they often return using new tools or methods.
How Targeted Attacks Impact Civil Society
Targeted attacks have serious and lasting consequences for civil society , threatening both the health of a network and its ability to advance their important advocacy or journalism work. Usually, civil society are equipped with fewer resources or access to tools and knowledge that can protect them.
🧠 Psychological Impact: Silencing, Self-Censorship and Burnout
Activists, journalists and defenders who discover (or suspect) that they are being watched, often experience anxiety and self-censorship - people change how they behave and communicate when they feel they are being monitored. For example, journalists may avoid contacting sources, and activists may stop expressing their opinions on social media. In many cases, the anxiety of constant vigilance can lead to paranoia, trauma, and burnout.
🔐 Sensitive Information is Exposed, Leading to Increased Risks
Targeted attacks often steal or monitor data that an individual, organization, or network are keeping private for a reason. This includes data such as contact lists, emails, sensitive testimonies, reports, personal information of staff or community members, and even strategies of planned actions. This type of information can put a target or the target’s community at-risk for retaliation, punitive measures and in some cases, even imprisonment or violence.
🌍 Increased Financial Strain
Organizations and groups are forced to divert their already limited financial resources and time into areas like organizational security, digital security training, legal defense, and/or rebuilding operations.
🛡️ Erosion of Trust and Participation
The ultimate goal of an attacker is to suppress, intimidate, sabotage, and even discredit civil society actors. When groups are infiltrated or surveilled, individuals lose faith in their ability to participate safely and/or publicly, thus weakening collective action and, ultimately, the ability to hold power to account. It some cases, as documented by Citizen Lab, the reach of authoritarian actors (or other threat actors) are extended beyond borders and into “safe havens.” (For example, exiled journalists or activists living in democratic countries). Persistent surveillance also erodes trust within communities, as individuals begin to question who they can trust, leading to fractures in solidarity and the weakening of essential support networks.
Did you know there’s a global network dedicated to protecting and supporting civil society, including activists, journalists and human rights defenders from all countries? And they also work tirelessly to advance digital rights and online safety for citizens worldwide? Check out this primer to understand what are digital rights and check out this overview of the different organizations in the digital rights community and the various issues they work on, all of which sit at the intersection of technology, human rights, and social justice.
Brief History of Targeted Attacks Against Civil Society
2008: The First Documented Case, GhostNet
Targeted attacks against civil society are not new. One of the first widely documented cases, known as GhostNet, was uncovered in 2008 and targeted the Dalai Lama’s office in India, along with other organizations supporting Tibetan causes.
In the early years, these attacks were often delivered through malicious email attachments disguised as harmless documents. When recipients opened them, malware was silently installed, granting attackers access to sensitive files, email accounts, and internal communications.
2016: The Rise of Spyware and Sophisticated Surveillance Systems
As people began storing and sharing information through cloud-based tools, like Google Drive, attackers also quickly adapted. Thaey began sending phishing emails containing fake login pages hosted on deceptive domains, and recording the passwords users entered.
By 2016, researchers at Citizen Lab were documenting these shifting tactics in numerous communities - including the Tibetan community - noting that attackers were continuously adapting their methods to match the changing digital habits of both human rights defenders and journalists.
Around this time, researchers started uncovering the use of commercial spyware against civil society - sophisticated malware and exploits developed by private surveillance companies such as the NSO Group, best known for developing and selling Pegasus - one of the world’s most advance spyware tools at that time. Pegasus had been repeatedly linked to surveillance abuses against civil society, as well as political opponents in various countries. One of the first cases of Pegasus was documented by Citizen Lab in 2016 against an Emirati human rights defender.
2019: Smartphone Targeting and 0-Day Exploits
By 2019, targeted attack tactics shifted once, this time towards smartphones. Attackers started using expensive, zero-day exploits - vulnerabilities that were previously unknown to developers and required little or no user intervention from targets.
As an example, Pegasus exploited a vulnerability in WhatsApp, infecting phones by simply calling the target - even if the call went unanswered. Once installed, tehe spyware provided unrestricted access to target’s phone data, including call logs, emails, photos, and real-time location. As a result, WhatsApp and its parent company Meta filed a lawsuit against NSO group, alleging NSO used their servers to install Pegasus on about 1,400 devices between April and May 2019.
2020: Global Exposure of Spyware
In 2020, In 2020, The Pegasus Project—a groundbreaking collaboration by more than 80 journalists from 17 media outlets in 10 countries, coordinated by the nonprofit Forbidden Stories and Amnesty International’s Security Lab—revealed how Pegasus had been used to facilitate human-rights violations on a massive scale.
Amnesty’s forensic analysis of targeted devices confirmed that Pegasus was being deployed against activists, journalists, and lawyers across multiple continents. Targeted attacks against human rights defenders and journalists became so widespread, that in 2022 Amnesty International conducted a campaign demanding the stop of unlawful surveillance of human rights defenders
In 2021, the US Government had placed NSO on the commerce department blacklist because the company had engaged in activities “that are contrary to the national security or foreign policy interest of the United States.” That same year, legal action was taken against the NSO Group.
2025 and Beyond
Targeted attacks against civil society are growing increasingly sophisticated, as governments and malicious actors continue to invest heavily in technology as a weapon of repression and surveillance against journalists, activists, and nonprofits.
At the same time, the global spyware industry is expanding rapidly, with new players developing advanced tools designed to evade detection and oversight. Emerging technologies—such as AI-driven surveillance, deepfake manipulation, and biometric monitoring—are adding new layers of digital threat that blur the line between security and control.
For civil-society organizations, journalists, and human-rights defenders, the coming years will require stronger collaboration, technical resilience, and robust international regulation. As defenders evolve, so too will attackers—making digital security, capacity building, and collective defense more essential than ever to protect human rights and democracy in the digital age.
Resources to Get Started
It can feel overwhelming when we realize how vulnerable we or our communities can be to targeted attacks. However, education and starting to adapt a security mindset collectively helps tremendously. Here are a few links to get you started:
Keep up with research being done by both Amnesty’s Security Lab and Citizen Lab and who research how digital threats are evolving and showing up against civil society across the globe.
Subscribe to the TCU Digital Rights newsletter for weekly news, educational pieces, and more. This a great weekly read to understand both resources that exist, but also how surveillance and censorship is showing up civil society circles around the world.
The 2025 journalist’s digital security checklist: Whether you are a journalist or not, check out Freedom of the Press checklist (and explainers) on areas you should focus on in 2025 and beyond.
Security Resources for Human Rights Defenders: Check out a list of resources of services, educational materials, and more, that can help you get started on your security journey.
Consumer Reports security planner is a great tool to help citizens come up with a customized digital security plan. It may not reflect all the threats that activists, journalists and nonprofits face, but its a great start.
Are you Worried About the Organizational Security?
NGOISAC is a community of cyber security practitioners focused on supporting the security of US-based nonprofits. This community-of-practice provides a space to share threat intelligence, knowledge, questions and challenges. Any US-based NGO can become a member.
Ford Foundation’s Cybersecurity Assessment Tool (CAT) is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts.
Other Resources
Phishing Quiz: Test your knowledge to see if you can spot a phishing email.
Digital Literacy: Help your colleagues or community members understand why digital literacy is important for safety and security is the first step.
Digital Rights Community Series: Check out the many organizations that are part of the digital rights community are working on different aspects of security and safety for civil society around the world.