What Do We Mean by Civil Society Organizations?
Civil society organizations (CSOs) include a broad range of nonprofits, non-governmental organizations (NGOs), charities, and other mission-driven groups working to advance social good. Many organizations identify with multiple terms, depending on their structure, funding, or legal status.
CSOs play a critical role in humanitarian aid, human rights, advocacy, education, healthcare, and other essential services. Because of their work, they are often targeted by cyber threats, making cybersecurity a key priority.
The types of information collected
We collect and analyze data on cyberattacks, cyberoperations and disinformation campaigns against civil society organizations (CSOs) to better understand their scope, impact, and the responsible threat actors. We collect data directly from our partners (e.g., Bitsight, Cloudflare Email Security, Kaduu) that monitor a predefined set of CSO domains. In addition to this focused approach, we leverage open-source research and tools like Pulse (Dataminr) to track incidents against any CSO globally, even those not on our predefined list. The methodology explained in this FAQ is focused on the research we conduct concerning the Publicly Recorded Cyber Incidents.
What types of cyber incidents are documented?
- Malware – Malicious software. These are pieces of code designed to damage, destroy or subvert computer systems.
- Ransomware – a type of malware used to encrypt a target’s data and/or systems in order to extort a ransom payment in return for decryption, or in return for not selling or publicly releasing stolen data.
- DDoS – a cyberattack technique that floods a network, service or server with excessive traffic so that it stops functioning normally. The attack is called distributed when it originates from a multitude of devices or systems.
- Phishing – type of cyberattack in which a threat actor impersonates a legitimate entity to attain sensitive information (e.g. usernames, passwords, or any other private information).
- Spoofing – type of cyberattack in which a threat actor impersonates a legitimate online source to deceive a target into believing they are interacting with the legitimate entity, while the threat actor aims to obtain sensitive information, or conduct a subsequent cyberattack, through that interaction.
- Identity-based – type of cyberattack in which a threat actor impersonates an individual’s or entity’s digital identity to gain unauthorized access to online resources, systems, or data.
- Code injection – type of cyberattack in which a threat actor exploits a vulnerability in a system or application by injecting malicious code into it.
- Supply chain – type of cyberattack that targets an entity’s supply chain to compromise the security of its systems, exploiting vulnerabilities in the relationships between the main entity and its supply chain partners.
- Social engineering – a type of cyberattack exploiting human psychology to obtain confidential information in order to access online resources and systems.
- DNS tunneling – type of cyberattack in which a threat actor exploits the DNS protocol, which is primarily used for translating human-readable domain names into IP addresses, to send and receive arbitrary data between users and servers.
- IoT-based – type of cyberattack which exploits vulnerabilities of Internet of Things devices and networks connected to them.
- Hack and leak – type of cyberattack which extracts confidential information, which is later used for political and/or ideological purposes.
- Defacement – The illicit or unauthorized modification of the appearance and content of a target’s websites and/or web applications.
While documenting cyberattacks, we also collect information on the vectors of the cyberattacks against CSOs, including, but not limited to:
- Compromised credentials
- Insider threats
- Misconfiguration
- Phishing
- Spear phishing
- Brute force
- Man-in-the-middle
- Third-party vulnerability
- Unknown
Our data collection excludes cases of data loss or physical breaches (e.g., loss or theft of hardware) without a cyber element, in order to keep the analysis focused on cyber-related threats and activities.
All cyber incidents are first categorized according to the CIA triad.
- Confidentiality - preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity - guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity.
- Availability - ensuring timely and reliable access to and use of information
Criteria for Selecting Targets
Our data collection focuses on CSOs. We prioritize these organizations due to their often limited cybersecurity resources and their critical role in serving vulnerable communities. However, we may also document incidents targeting other entities that align with our mission to protect the nonprofit sector from cyber threats.
Sectors of Civil Society Organizations
We classify CSOs based on the societal challenges they work to address, namely:
- Advocacy
- Business and professional association
- Development
- Education
- Energy
- Environment
- Finance
- Food
- Foundation/Association
- Healthcare
- Human Rights
- Humanitarian
- Information
- Justice
- Migration
- Other
- Peace
- Poverty
- Social Services
- Water
- Women
- Youth
We additionally classify targeted CSOs according to the Sustainable Development Goal they work towards. If the SDG is not explicitly mentioned on a target’s website, the analyst processing the data categorizes the CSO based on the SDG that best aligns with the organization’s official mission. If the CSO does not fit into any specific category, it is classified under “Other.”
- No poverty
- Zero hunger
- Good health and well-being
- Quality education
- Gender equality
- Clean water and sanitation
- Affordable and clean energy
- Decent work and economic growth
- Industry, innovation and infrastructure
- Reduced inequalities
- Sustainable cities and communities
- Responsible consumption and production
- Climate action
- Life below water
- Life on land
- Peace, justice and strong institutions
- Partnership for the goals
Geographical Scope of Data Collection
Our data collection spans incidents globally. We collect data directly from our partners (e.g., Bitsight, Cloudflare Email Security, Kaduu) that monitor a predefined set of CSO domains. In addition to this focused approach, we leverage open-source research and tools like Pulse (Dataminr) to track incidents against any CSO globally, even those not on our predefined list.
Data Collection
Our data collection utilizes AI-powered tools at various stages. These tools are used to improve our efficiency in sifting through vast amounts of data and identifying points of interest from both structured and unstructured sources. AI tools are also used to track real-time alerts of cyber incidents and summarize information from open source research.
Data Validation and Verification
Following the collection of ‘raw’ data from sources, we use vector AI capabilities to reduce and correct duplication of incidents. This improves the speed and accuracy of the verification process, though all AI-generated insights are subject to analyst oversight.
Data Enrichment with LLMs
After initial validation, we use LLMs to enrich our dataset. LLMs are used to provide additional insights from both structured and unstructured data sources, summarizing cyber incidents and identifying potential connections. While LLMs assist in providing a broader context, all enriched data is manually reviewed to ensure consistency with verified facts.
Date Range of Collected Data
We have been documenting cyber incidents targeting CSOs since November 2018. The latest updates to the dataset can be viewed on the project’s dashboard under “Attack Details.”
How Is Harm Caused by Cyber Incidents Documented?
We aim to measure the harm and impact of cyberattacks on CSOs by tracking both qualitative and quantitative data, where available. The categories of harm we document include:
- Individual: Harms experienced specifically by one or many people on an individual level.
- Organizational: Harms to legally recognized entities with a distinct identity separate from their individual members. This includes critical infrastructure organizations, businesses, institutions, government agencies, non-profit organizations, and other legally recognized entities.
- Societal: Harms to informal or non-institutionalized groups bound by shared characteristics, culture or geography, such as ethnic, religious or local communities, that are distinct from harms to legally recognized entities and the international community.
- International Peace and Security: Harms that affect international peace, security and stability (which encompasses political, economic, social, environmental and military aspects).
Attribution of Cyber Incidents
Our project does not directly attribute incidents to specific actors, but documents attribution efforts from trusted sources. Attribution is categorized into four types:
- Technical Attribution: Based on technical analysis (e.g., forensic evidence, malware signature, or IP traces) that links an incident to specific actors or tools.
- Political Attribution: Conducted by state authorities or governments, identifying a nation-state or criminal group as responsible for the attack.
- Legal Attribution: Conducted through courts or legal processes, often leading to sanctions or prosecutions.
- Self-Attribution: In some cases, threat actors claim responsibility for attacks through public channels, such as by releasing stolen data on dark web forums. We differentiate between substantiated and unsubstantiated self-attribution; a claim is recorded as substantiated when corroborating evidence exists.
Data Sources
We collect data from the following sources:
- Open Source Research: Our team gathers data from media reports, government advisories, CERT reports, cybersecurity blogs, and social media posts. All incidents are reviewed by at least two analysts and cross-checked with multiple sources where possible.
- Partner Organizations: Data collected from a trusted network of partner organizations (e.g., Cloudflare, Bitsight, Kaduu). These tools provide structured, domain-specific data on cyber incidents.
- Pulse (Dataminr): This AI-enhanced alert service provides real-time notifications of potential cyberattacks, which are then validated by our analysts.
Ensuring Data Accuracy and Reliability
To maintain data accuracy, we classify incidents based on the reliability of the source. The classification levels are as follows:
- Confirmed: Incidents verified through official channels (e.g., government reports, press releases by the targeted CSO, or validated by threat intelligence platforms).
- Probable: Incidents supported by credible media reports or independent analysis, but lacking official confirmation.
- Possible: Incidents reported by less reliable sources, such as unverified social media posts or self-attributed attacks without supporting evidence.
Data from partner APIs (e.g., Bitsight, Cloudflare Email Security, Kaduu) is categorized as Possible, because such incidents may lack public confirmation.
Visualization and Analysis
Part of our visualization and analysis phase uses AI models to assist in mapping relationships between cyber incidents, threat actors, and affected CSOs. These visualizations can assist our analysts in identifying connections between incidents, which help guide further investigation. While AI-generated visualizations provide insights, our analysts remain central in interpreting and confirming the relevance of these connections.
Limitations
There are several limitations to the methodology stemming primarily from the reliance on open-source research and the evolving nature of the dataset.
Firstly, as the platform is continuously updated, the data presented does not provide a static or comprehensive overview of the global cyber threat landscape for CSOs. Instead, it reflects trends based on the incidents that have been identified and processed at any given time. This dynamic nature means that gaps in reporting, particularly due to the lag between incident occurrence and data availability, may result in an incomplete or skewed representation of cyber threats faced by organizations.
Secondly, the project’s dependence on open-source research introduces several challenges. Open-source intelligence (OSINT) is inherently constrained by the availability, accessibility, and reliability of publicly disclosed information. Many cyber incidents remain unreported, particularly when organizations lack the capacity or incentive to disclose attacks. Furthermore, analysts may encounter difficulties in identifying and integrating emerging data sources, leading to potential gaps in the dataset. The complexity of cyberattack reporting, which varies in terminology, technical detail, and consistency across sources, further complicates data collection and standardization. Additionally, the absence of key variables—such as detailed attack vectors, motivations, and impact assessments—limits the depth of analysis that can be conducted.
It must be noted that the Institute does not conduct independent attribution efforts but instead compiles attributions made by external entities, such as cybersecurity firms, government agencies, and independent researchers. While this approach allows for the aggregation of expert assessments, it also introduces potential biases and inconsistencies, as attribution methodologies vary and may be influenced by differing geopolitical, economic, or institutional perspectives. The reliance on external sources also means that incorrect or disputed attributions could be included in the dataset, impacting the accuracy of findings.
Lastly, the quality of the dataset is contingent on the verification process, which is subject to both time constraints and resource limitations. The need to cross-reference multiple sources to validate incidents and their details may result in delays in data inclusion. Furthermore, as cyber threats evolve rapidly, there is a risk that the dataset does not capture the latest attack techniques or emerging threat actors in real-time.
Despite these limitations, the methodology remains a valuable tool for identifying trends and raising awareness of cyber threats against CSOs. However, users of the dataset should interpret the findings with an understanding of these constraints and consider them alongside other sources of cybersecurity intelligence.