Cyber Attacks on NGOs: The Underreported Threat to Global Humanitarian Work

Posted: 18th July 2023
By: Levi Gundert
Cyber Attacks on NGOs: The Underreported Threat to Global Humanitarian Work

Cyber events can cause risk impacts that extend beyond business.


Last week The Record reported the Norwegian Refugee Council (NRC) was victimized by a cyber attack that targeted “an online database that stores the personal information of project participants.”

“The NRC, based in Oslo, is a humanitarian non-governmental organization that protects the rights of people affected by displacement.”

While reading this news, I was reminded of prior NRC targeting by TAG-41 / OilAlpha (a likely Yemeni pro-Houthi group) cyber campaign that the talented folks in Insikt Group reported on (in the Recorded Future platform). On December 19, 2022, Insikt Group analysts enumerated malicious Android applications (SpyNote: “receipt points.apk, SHA256: 7d21d3dce90408ca530c5e2364495d4f0932cdd23d812e4714e3665c06bfc560) and associated typosquat domains (gomnd2873yemnenrc.ddns[.]net) likely destined for NRC targeting among other organizations (e.g., Saudi Arabia’s Tourism and Development Fund).

As an independent humanitarian organization, the NRC has been performing life-saving work in Yemen. So why is this Yemen-based threat actor group targeting the NRC?


A few months back, I spoke to smart folks in Oslo who pointed out that the NRC may have better data on the Yemeni population than any government organization inside Yemen. At the risk of wild speculation, this OilAlpha group may want direct access to the NRC database for improved public services to win local hearts and minds as the civil war drags on. That scenario may be too optimistic, and the unauthorized access is for more nefarious purposes - to identify specific people for harm.

While OilAlpha could potentially manipulate or destroy data, leading to operational disruption, the more likely scenario is PII theft, which could lead to a legal or compliance failure. However, the most significant harm may be physical violence to the ultimate victims of such potential PII theft.


Public sector and non-governmental organizations may sustain cyber attacks that lead to additional risk impacts far more severe than lost revenue.

Recorded Future AI Insights

Generated based on 13 references | Top 2 Sources: Insikt Group & The Hacker News | May 17, 2022 - May 21, 2023

The threat actor, known as TAG-41 or OilAlpha, is a Yemen-based group that has been active since at least May 2022. They primarily target entities associated with the non-governmental, media, international humanitarian, and development sectors, particularly those with an interest in Yemen, security, humanitarian aid, and reconstruction matters. The threat actor uses malicious Android applications, such as SpyNote and SpyMax, to infect victims' devices and gain remote access.

The threat actor has targeted delegates attending Saudi government-led negotiations between Yemen's warring factions. The most prominent current events involving the threat actor include the ongoing distribution of spyware via social engineering schemes on WhatsApp, specifically targeting individuals working for humanitarian aid organizations, media, and nonprofits operating in Yemen's warzone. Additionally, a new variant of SpyNote called SpyNote.C has been developed to specifically target banking institutions, marking the first SpyNote variation with such capabilities.