Hinweis zur Bedrohung

An Update on the India-Pakistan Cyber Conflict: [Threat Note]

Orlaith Traynor

3 min lesen - September 4, 2025

What happened during the standoff?

The military and political escalation between India and Pakistan from April 22nd to May 12th, 2025, was mirrored by a significant surge in cyberattacks, making the digital sphere a direct extension of the geopolitical conflict. The conflict, triggered by a terrorist attack in Pahalgam, Indian-administered Kashmir, saw cyber activities that were timed to political and military developments.

During this period, over 480 attacks targeted both nations combined. The volume of attacks was heavily imbalanced, with India facing over 400 incidents compared to Pakistan’s 80. This disparity is attributed to India’s larger digital attack surface and its geopolitical alignments, which make it a target for a broader network of hacktivists. The overall volume of malicious cyber activity nearly doubled compared to the same period in 2024.

A key observation was the shift in attacker motivations. The primary attack vectors were Distributed Denial-of-Service (DDoS) and website defacements, which are characterized by high visibility and disruption using minimal resources. These methods replaced financially motivated attacks like data breaches and ransomware, indicating a clear pivot toward ideological and political objectives during the period of high tension.

Who was targeted?

Reflecting the political nature of the conflict, the government and public sector emerged as the most heavily targeted industries in both countries, accounting for 39% of attacks on Indian entities and over 50% on Pakistani ones. The education sector was the second most impacted, with universities and medical institutions facing significant disruption.

This focus on targets of national and symbolic significance, rather than e-commerce or other commercial entities, further underscores the shift from financial gain to political drivers.

Screenshot of Sylhet Gang-SG announcing the attack on the Indian company, HPL.

A war on multiple fronts: APTs, hacktivists, and perception

The cyber conflict was waged by a diverse range of threat actors, from sophisticated state-linked groups to ideologically driven hacktivists.

Fortgeschrittene anhaltende Bedrohungen (APTs) played a significant role, with state-backed groups from both nations launching espionage campaigns.

Pakistan-linked APTs: Groups like APT36 (Transparent Tribe) und SideCopy launched coordinated phishing and malware attacks against Indian government and military infrastructure in retaliation for military operations. They used malware such as Crimson RAT embedded in official-looking documents to compromise systems.
India-linked APTs: The SideWinder group was observed targeting Pakistani defense institutions with espionage campaigns, while Bitter APT (TA397) claimed attacks against Pakistan’s telecommunications sector.

Hacktivist activity also intensified dramatically on both sides. Campaigns were promoted under hashtags like #OpIndia and #OpPahalgam, focusing on DDoS attacks and website defacements to gain visibility and control the narrative.

Pro-Pakistan Groups: Actors like Team Insane Pakistan claimed to have compromised the High Court of Andhra Pradesh, allegedly leaking judicial records.
Pro-India Groups: The Indian Cyber Force claimed responsibility for breaching a 150 GB database from Pakistan’s Federal Board of Revenue, allegedly containing the personal and tax information of citizens.

We have breached the Pakistan IRIS portal of the Federal Board of Revenue (https://t.co/9nR5h0gSFT) 150 GB+ exfiltrated. ⚡

Exposes:
• CNIC (full national IDs)
• Full Names
• Phone Numbers
• Residential Addresses
• Tax Records (every year, every filing)

Download the full… pic.twitter.com/MmzhEy9riu
— Indian Cyber Force (@CyberForceX) May 9, 2025

Indian Cyber Force claiming responsibility for breaches against Pakistani government and private sector databases.

Alongside these direct cyberattacks, the conflict saw a surge in perception warfare. Social media platforms were flooded with disinformation and misinformation, including a new wave of AI-driven deepfake content designed to influence public opinion.

Many of the spectacular breach claims made by hacktivist groups were later found to be exaggerated or repackaged versions of old leaks. This flood of false claims serves not only to shape public perception but also as a deliberate strategy to induce alert fatigue within security operation centers, making it harder to identify legitimate threats.

What happens now?

Following the ceasefire on May 10th, the volume of cyberattacks gradually decreased and reverted to pre-conflict trends. In the subsequent two months, attacks against Pakistan dropped by 80% and against India by 60%. Attack methods also shifted back, with data breaches once again becoming more prominent than DDoS and defacement attacks, suggesting a return to financially driven motives as geopolitical tensions eased.

However, the events of April and May 2025 were not an anomaly. They are part of a recurring pattern where cyber operations between India and Pakistan surge during or immediately following military or political flashpoints. This conflict demonstrated that cyber operations, hacktivism, and digital disinformation have become critical components of conventional military capabilities in the region.

Einpacken

Th India-Pakistan standoff is a clear example of how geopolitical conflict cyber warfare is a confirmed and risky pattern. The period saw a surge in politically motivated attacks, with state-sponsored APTs and hacktivists targeting critical infrastructure and government entities to amplify their objectives. While attack volumes have since normalized, the pattern of cyber activity being tied to military flashpoints is now an integral and predictable part of the South Asian geopolitical dynamic.

If you are not a client but wish to have a complete picture of this threat landscape, you can obtain access to the full report by getting in touch with our team.

Kontakt