What is a Targeted Attack?

A Primer for Activists, Journalists and Nonprofits

The following article was made using notes from our past digital rights / digital security workshops and meetups.

🔍 What is a Targeted Attack?

A targeted attack is a deliberate cyber operation focused on monitoring, surveilling, or collecting intelligence on a specific person, organization, network, or community, for information, control or intimidation.

These attacks are directed at specific individuals or organizations considered “high value,” such as social movement leaders, investigative journalists, or nonprofits advancing specific causes. They are typically carried out by:

  • Governments seeking to silence dissent

  • Bad actors attempting to steal data or monitor organizing efforts for specific agendas

  • Private contractors working on behalf of authoritarian regimes or bad actors

Attackers often customize their tactics to exploit a target’s specific vulnerabilities, using tools such as commercial spyware or social engineering campaigns — campaigns that rely on psychology, trust, and deception rather than technical hacking.

In recent years, targeted attacks against civil society groups have increased significantly. According to Cloudflare, for example, from 2024 to 2025 they witnessed a 241% rise in cyber threats against these groups.

 

⚔️ How Targeted Attacks Usually Work

Strategic and persistent targeted attacks often unfold in stages:

  • Research and profiling – Attackers study their target’s digital habits, networks, and vulnerabilities to identify the most effective entry points.

  • Initial contact and exploitation – Attackers launch tailored tactics—such as phishing emails, fake login pages, or malicious links—to exploit a target’s weaknesses or vulnerabilities.

  • Infiltration – Attackers gain access to devices or accounts, monitor activity, and extract sensitive information.

  • Persistence – Even after detection or removal, they often return using new tools or methods.

 

How Targeted Attacks Impact Civil Society


Targeted attacks have serious and lasting consequences for civil society, threatening both the health of a network and its ability to advance its important advocacy or journalism work. Civil-society groups often lack the resources or access to tools and knowledge that can protect them.

🧠 Psychological Impact: Silencing, Self-Censorship and Burnout

Activists, journalists and defenders who discover (or even suspect) that they are being watched often experience anxiety and self-censorship. People change how they behave and communicate when they feel monitored: journalists may avoid contacting sources, and defenders may stop expressing their opinions online. Over time, the anxiety of constant vigilance can lead to paranoia, trauma, and burnout.

🔐 Sensitive Information is Exposed, Leading to Increased Risks

Targeted attacks often steal or monitor data that is private for a reason — contact lists, emails, sensitive testimonies, internal reports, personal details of staff or community members, and even plans or strategies of upcoming actions. This exposure of sensitive information can put a group and its community at risk of retaliation, punitive measures and, in some cases, imprisonment or violence.

🌍 Increased Financial Strain

Civil society organizations and networks are forced to divert their already limited financial resources and time into organizational security, digital security training, legal defense, and rebuilding operations.

🛡️ Erosion of Trust and Participation

The ultimate goal of an attacker is to suppress, intimidate, sabotage, and discredit civil society actors. When groups are infiltrated or surveilled, individuals lose faith in their ability to participate safely and/or publicly, thus weakening collective action and the ability to hold power to account. In some cases, the reach of attackers is extended beyond borders and into “safe havens.” For example, exiled journalists or activists living in democratic countries may be targeted by authoritarian governments while living abroad. Persistent surveillance also erodes trust within communities, as individuals begin to question who they can trust, leading to fractures in solidarity and the weakening of essential support networks.

⚠️ Increased Risks, Especially for The Marginalized

Risks and threats increase for civil society as a whole — but especially for marginalized groups and the individuals within them. This ranges from sources speaking to journalists and/or NGOs, to women human rights defenders and journalists.

For example, several high-profile women journalists and activists were targeted by authoritarian regimes in the Middle East using the Pegasus spyware. A key part of the harassment involved stealing and publicly sharing the women’s intimate photos to publicly shame them, smear their reputations, and ultimately silence them. Women human rights defenders in Bahrain and Jordan faced similar targeting, leaving many in a perpetual state of fear and isolation.

These abuses are not confined within national borders: transnational repression of those in exile and diaspora communities impacts even those not directly targeted.
Digital transnational repression is contributing to the shrinking of civic space worldwide, including in democratic societies. In several cases, digital technologies have been used to surveil and intimidate exiled dissidents and diaspora communities and, in some cases, plan kidnapping and assassination attempts, as seen in the case of journalist and activist Masih Alinejad.


Did you know there’s a global network dedicated to protecting and supporting civil society, and to advancing digital rights and online safety for citizens worldwide? Check out this primer to understand what digital rights are, and explore this overview of the different organizations across the digital rights ecosystem and the wide range of issues they address at the intersection of technology, human rights, and social justice.


Brief History of Targeted Attacks Against Civil Society

2008: The First Documented Case, GhostNet

Targeted attacks against civil society are not new. One of the first widely documented cases, known as GhostNet, was uncovered in 2008 and targeted the Dalai Lama’s office in India, along with other organizations supporting Tibetan causes.

2012: The Rise of Spyware and Sophisticated Surveillance Systems

In 2012, Citizen Lab uncovered the first documented case of commercial spyware deployed against civil society. Researchers discovered that emails sent to Bahraini dissidents had code designed to install FinSpy (part of the FinFisher suite of surveillance tools sold by Gamma Group International) on the targets’ devices without their knowledge. Later that year, Citizen Lab researchers also identified another commercial spyware tool targeting civil society, this time from Hacking Team. The company’s “Remote Control System” hid itself inside devices and allowed for spying on Skype chats, logging keystrokes, and even capturing images through the victim’s webcam.

2016: 0-Day Exploit Uncovered

In 2016, Citizen Lab researchers uncovered the first known use of zero-day exploits to remotely break into the iPhone of a human rights defender as part of a targeted attack with the goal of installing spyware.

A zero-day exploit is a cyberattack that uses a previously unknown or unaddressed vulnerability in software, hardware or firmware. The term “zero-day” refers to the fact that the developer has had “zero days” to fix the problem before it is exploited, which makes these exploits incredibly dangerous. These types of attacks can be used to plant malware, steal data, or cause damage to an individual, organization or system.

Ahmed Mansoor, a well-known human rights defender based in the United Arab Emirates (UAE), had been receiving suspicious SMS text messages containing links that claimed to offer information about detainees in UAE jails. Citizen Lab researchers discovered that the links triggered a chain of zero-day exploits designed to remotely jailbreak his iPhone and install sophisticated spyware.

The Citizen Lab investigation also revealed that the links were part of an exploit infrastructure connected to the NSO Group, the company behind Pegasus, a government-exclusive spyware product which has been repeatedly linked to surveillance abuses against civil society worldwide.

2019: Pegasus and Increased Use of 0-Day Exploits

In 2019, researchers uncovered that Pegasus exploited a critical zero-day vulnerability in WhatsApp, infecting phones by simply calling a target - even if the call went unanswered. In other words, Pegasus could compromise a device without any user intervention. Once installed, the spyware provided unrestricted access to a target’s phone data, including call logs, emails, photos, and real-time location.

WhatsApp and its parent company Meta filed a lawsuit against NSO Group, alleging NSO used their servers to install Pegasus on about 1,400 devices between April and May 2019. Targets included journalists, activists, lawyers and other members of civil society across multiple countries.

 

2021: Global Exposure of Spyware

In 2021, The Pegasus Project—a groundbreaking collaboration by more than 80 journalists from 17 media outlets in 10 countries, coordinated by the nonprofit Forbidden Stories and Amnesty International’s Security Lab—revealed how the spyware Pegasus had been used to facilitate human-rights violations on a massive scale.

Amnesty’s forensic analysis of targeted devices confirmed that Pegasus was being deployed against activists, journalists, and lawyers across multiple continents. Targeted attacks had become so widespread that in 2022 Amnesty International conducted a campaign demanding a stop to unlawful surveillance of human rights defenders.

In 2021, the US Government placed NSO on the Commerce Department blacklist because the company had engaged in activities “that are contrary to the national security or foreign policy interest of the United States.”

2025 and Beyond

Targeted attacks against civil society are growing increasingly sophisticated, as governments and malicious actors continue to invest heavily in technology as a weapon of repression and surveillance against journalists, activists, and nonprofits.

At the same time, the global spyware industry is expanding rapidly, with new players developing advanced tools designed to evade detection and oversight.

Meanwhile, emerging technologies—such as AI-driven surveillance, deepfake manipulation, and biometric monitoring—are adding new layers of digital threats.

For civil-society organizations, journalists, and human-rights defenders, the coming years will require stronger collaboration, technical resilience, and robust international regulation. As defenders evolve, so too will attackers—making digital security, capacity building, and collective defense more essential than ever to protect human rights and democracy in the digital age.


Check out this 2025 Tech Policy article, “Civil Society Is At Risk—and Tech Is Part Of The Problem,” written by Gina Romero, UN Special Rapporteur on the Rights to Freedom of Peaceful Assembly,

 

Resources to Get Started

It can feel overwhelming when we realize how vulnerable we or our communities can be to targeted attacks. However, education and starting to adopt a security mindset collectively help tremendously. Here are a few links to get you started:

  • The Access Now Digital Security Helpline offers free digital security support, available 24/7 in multiple languages. They assist at-risk civil society groups and individuals around the world. You can contact them by emailing help@accessnow.org or through their contact form on their website. If you are at risk, they can help you improve your digital security practices, and if you are already under attack, they can provide rapid-response emergency assistance.

  • Keep up with the research being done by both Amnesty’s Security Lab and Citizen Lab, who research how digital threats are evolving and showing up against civil society across the globe.

  • Subscribe to the TCU Digital Rights newsletter for weekly news, educational pieces, and more. This is a great weekly read to understand both the resources that exist and how surveillance and censorship are showing up in civil society circles around the world.

  • The 2025 journalist’s digital security checklist: Whether you are a journalist or not, check out Freedom of the Press checklist (and explainers) on areas you should focus on in 2025 and beyond.

  • Security Resources for Human Rights Defenders: Check out a list of resources of services, educational materials, and more, that can help you get started on your security journey.

  • Consumer Reports security planner is a great tool to help citizens come up with a customized digital security plan. It may not reflect all the threats that activists, journalists and nonprofits face, but it’s a great start.

Are You Worried About Organizational Security?

  • NGOISAC is a community of cyber security practitioners focused on supporting the security of US-based nonprofits. This community-of-practice provides a space to share threat intelligence, knowledge, questions and challenges. Any US-based NGO can become a member.

  • Ford Foundation’s Cybersecurity Assessment Tool (CAT) is designed to measure the maturity, resiliency, and strength of an organization’s cybersecurity efforts.

Other Resources

  • Phishing Quiz: Test your knowledge to see if you can spot a phishing email.

  • Digital Literacy: Helping your colleagues or community members understand why digital literacy is important for safety and security is the first step.

  • Digital Rights Community Series: Check out the many organizations that are part of the digital rights community and are working on different aspects of security and safety for civil society around the world.
