Not just witnesses, but stakeholders can also be targeted. Let's say the top 20 witnesses AND the top 20 stakeholders are targeted, at the same time, in a sophisticated coordinated action. The rest of the network has to be able to keep the network running.
In a similar vein, datacenters or hosting companies can be targeted in an attempt to shut down or take over many nodes at once. This could end up including top 20 nodes as well as many other nodes. Again, the rest of the network has to be able to keep the network running.
A very sophisticated actor would study the system very well before making a move. They would identify the weakest spots. So they might go for all three vectors described above (witnesses, stakeholders, datacenters), at the same time. And in addition, they might launch a campaign to convince the public that the network is posing a great danger for reasons xyz, and present evidence and negative things that have happened because of the network's activities (some of which may be genuine challenges that the network is working on overcoming - not unsolvable problems). (Capabilities like censorship resistance and immutable content pose challenges and have to be handled carefully and socially responsibly, for sure.)
There are such sophisticated actors that have huge technical capacity and IT personnel at their disposal. See for example this hack on Google: Operation Aurora.