Full Report
India and Pakistan may have reached a status quo of ceasefire on ground, air and sea for now, but the two neighbors are still going hard at each other in cyberspace. In the aftermath of the Pahalgam terror attack, Indian cybersecurity agencies detected a significant surge in coordinated cyber offensives targeting the country’s digital infrastructure. An intelligence report from a state agency attributed these attacks to Pakistan-aligned Advanced Persistent Threat (APT) groups that launched 1.5 million intrusion attempts against Indian websites and systems. These numbers coincide with the findings of private sector cybersecurity firm Cyble, which recorded more than 40 hacktivist groups actively targeting Indian organizations after the Pahalgam terror attack and India's retaliation through "Operation Sindoor." Also read: Post Pahalgam, Over 40 Hacktivist Groups Targeted India: High Noise, Low Impact Only 150 Cyberattacks Successful According to the Maharashtra Cyber Department, the state’s cybersecurity task force, only 150 of the cyberattacks were successful. While the overall damage was limited, the massive volume of attempted breaches reveals an alarming pattern of persistent, state-aligned digital aggression. “These were not random hits. The sheer coordination and volume point to a structured campaign, likely with state backing,” said a senior official, requesting anonymity. The threat actors reportedly used a mix of Distributed Denial of Service (DDoS) attacks, malware payloads, and website defacements to overwhelm systems and spread propaganda. Cyble's report corroborates these findings. It said that more than half of these attacks were DDoS aimed at overwhelming systems while the others were mainly website defacement, which is primarily used for propaganda. [caption id="attachment_102689" align="aligncenter" width="600"] Source: Cyble Research and Innovation Labs (CRIL)[/caption] Hybrid Warfare in the Digital Age The government's findings are detailed in a classified intelligence document titled “Road of Sindoor,” which outlines how these cyber operations are part of a broader hybrid warfare strategy aimed at destabilizing society and sowing discord through online misinformation. The attackers allegedly weaponized digital platforms to circulate fake news, provoke communal tension, and erode trust in national institutions. The authorities explicitly named seven APTs in the report, as per ET India: Pakistan Cyber Force, Team Insane Pakistan, Mysterious Bangladesh, Indo Hacks Sec, Cyber Group HOAX 1337, APT36 and National Cyber Crew. According to Cyble, the majority of these hacktivists like Pakistan Cyber Force and Mysterious Bangladesh operationalized DDoS attacks against government institutions but some like Team Insane Pakistan claimed data breaches related to government databases. These claims, however, could not be verified. [caption id="attachment_102694" align="aligncenter" width="686"] Team Insane Pakistan claims on Telegram linked to data breach of Indian government agencies. (Source: Cyble)[/caption] APT36 was another threat actor that was caught spoofing infrastructure of India's Ministry of Defence. Cybersecurity firm hunt.io, in the initial days after the Pahalgam terror attack, observed delivering cross-platform malware through a ClickFix-style infection chain. The phishing or spoofed website mimicked government press releases, staged payloads through a possibly compromised [.]in domain, and used visual deception to appear credible during execution. [caption id="attachment_102699" align="aligncenter" width="600"] Fake phishing page screenshot showing only March 2025 link. (Source: hunt.io) [/caption] The state cyber agency believes these APTs operate not only out of Pakistan but also leverage networks in Bangladesh, Indonesia, Morocco, and parts of the Middle East to obfuscate origins and bypass geolocation-based defenses. This distributed operational model makes attribution complex and response efforts more resource-intensive. Resilience Over Retaliation The fact that more than 99.99% of the attacks were repelled indicates India’s maturity when it comes to cybersecurity infrastructure. However, cybersecurity experts caution against complacency. The senior official noted, “APT groups play the long game. Even failed intrusions offer them valuable intelligence on network configurations, firewall behavior, and incident response times. Every attempt is a reconnaissance opportunity.” He added that small breaches can still lead to serious consequences. “Compromised websites, even if minor, can become launchpads for phishing campaigns or be used to push disinformation under the guise of legitimate Indian domains.” A Geneva Convention for Cyberspace? Unlike physical aggression, cyberattacks transcend borders with ease, making traditional diplomacy and deterrence frameworks less effective. Another example of this is the ongoing cyberwar between Russia and Ukraine that supports kinetic warfare. The anonymous nature of cyberspace often allows adversaries to operate in gray zones, using civilian infrastructure to conduct hostile operations. This environment complicates both domestic response and international collaboration. Owing to this, “the world needs a Geneva Convention for cyberspace,” the senior official said. Beware of Misinformation Apart from cyberattacks, the state agency also warned of psychological operations (PsyOps) from these hacktivist groups who have not only presented a false narrative or propaganda but also spread misinformation about several non-existent events like the downing of 70% of the electric grid across the nation through a cyberattack, disruption of satellite and telecommunication, and an alleged targeting of a missile storage facility in India. The extent of fake news, including articles, videos and images, has grown so much that the government's Press Information Bureau Fact Check account on platform X posted a cautionary note: "YOUR SOCIAL MEDIA FEEDS ARE UNDER ATTACK. Beware of suspicious videos related to #IndianArmedForces or the ongoing situation. These are key tools of malicious manipulation." [caption id="attachment_102703" align="aligncenter" width="400"] Tweet on X from PIB Fact Check (Source: X)[/caption] The state cyber agency has already removed more than 5,000 posts related to misinformation on the Indo-Pak conflict circulating on several social media platforms and has flagged another four dozen that are in the process of takedown, it added. Also read: At a Time of Indo-Pak Conflict, Why a Digital Blackout Matters—and How to Do It
Analysis Summary
Based on the provided article, the information is heavily focused on the general cyber conflict between India and Pakistan, geopolitical commentary on cyberspace, and the actions of **hacktivist groups** broadly, rather than detailing the specific TTPs or attribution of a single, distinct Advanced Persistent Threat (APT) actor.
The summary below focuses on the relevant actors mentioned in the context of the India-Pakistan cyber conflict.
# Threat Actor: India/Pakistan Hacktivist Groups (General Actors)
## Attribution & Identity
The article discusses the ongoing cyber conflict between actors associated with **India and Pakistan**. It explicitly mentions the activity involving **"over 40 Hacktivist Groups"** targeting India following the Pahalgam incident.
**Associated Groups:** None named specifically, but categorized generally as "Hacktivist Groups."
## Activity Summary
A significant spike in activity occurred targeting India ("Post Pahalgam"), involving over 40 hacktivist groups. This activity is characterized by "High Noise, Low Impact." A major component of this activity includes **Psychological Operations (PsyOps)**, which involve spreading state-sponsored or aligned misinformation and propaganda related to non-existent destructive cyber events concerning Indian infrastructure (e.g., downing 70% of the electric grid, missile storage targeting).
## Tactics, Techniques & Procedures
- Psychological Operations (PsyOps)
- Spreading misinformation (false narratives, fake videos/images) regarding major infrastructure incidents.
- **TTP Focus:** Information warfare and propaganda rather than sophisticated technical intrusion.
- The article notes the general difficulty in attributing cyberattacks due to the "anonymous nature of cyberspace" operating in "gray zones."
## Targeting
- **Sectors:** Primarily governmental/public awareness institutions targeted via misinformation campaigns; the implied physical infrastructure (Electric grid, missile storage) was the *subject* of the misinformation, not explicitly the *target* of a successful intrusion detailed here.
- **Geography:** India (as the target of the misinformation and primary focus of the hacktivist activity).
- **Victims:** The general Indian public and government communication channels (evidenced by the PIB Fact Check intervention).
## Tools & Infrastructure
- **Malware families used:** None specified.
- **Infrastructure (C2, domains, IPs):** Activity noted across "several social media platforms." The PIB Fact Check account on platform X was used to counter the narrative. (No specific hard infrastructure like C2 servers or IPs detailed for these hacktivist operations).
## Implications
The primary implication is the deliberate blurring of lines between kinetic conflict and technological conflict, utilizing cyberspace for **information warfare (PsyOps)** to influence public perception and complicate domestic response. The article suggests a need for international frameworks, akin to a "Geneva Convention for cyberspace," to address these gray zone operations.
## Mitigations
- Government agencies (e.g., Press Information Bureau Fact Check) actively monitoring and taking down malicious posts across social media platforms.
- Public awareness campaigns warning against suspicious videos and content related to military and ongoing situations.
- Recognizing that cyberattacks often operate anonymously, complicating traditional deterrence.