Author : Sameer Patil

Expert Speak Raisina Debates
Published on May 28, 2025

As India launched Operation Sindoor, cyberspace turned into a war theatre—with malware, disinformation, and digital offensives—marking a new frontier in the India–Pakistan rivalry.

Operation Sindoor and India’s Cyber Threat Landscape

As hostilities between India and Pakistan intensified following the 22 April 2025 Pahalgam terrorist attack and the launch of Operation Sindoor on 7 May, cyberspace emerged as a critical battleground. Indian cyberspace and computer networks were targeted by multiple cyberattacks from Pakistani threat actors, alongside a surge in state-linked propaganda operations. This is the first instance of cyberspace becoming an active, coordinated theatre of conflict during an India-Pakistan crisis. 

Cyber rivalry remained relatively limited during the 2019 Pulwama–Balakot crisis. Much of the pre-2019 malicious cyber activity emanating from Pakistan was largely confined to ‘tit for tat’ hacking and defacement of the Indian government’s websites. While such activity persists—as seen in recent weeks—Pakistan-linked threat actors have since become more sophisticated and targeted, a shift that gained momentum during the COVID-19 pandemic. This evolution has been significantly aided by China’s support.

In the current crisis, cyber operations by Pakistani threat actors supplemented the digital extension of the military’s campaign against India, aiming to create a ‘fog of war’—albeit with limited tangible impact. These malicious actions by Pakistan-linked threat actors can be catalogued into three categories:  defacement of Indian websites, deployment of malware and Advanced Persistent Threats (APTs), and coordinated anti-India disinformation propaganda in cyberspace. 

Defacement of Indian Websites

In the days preceding Operation Sindoor, Pakistan-based hackers resumed the usual tactic of website defacements—reportedly targeting Indian defence organisations, local government portals, and even a think tank, which were defaced and hacked. In one such case, the website of the Armoured Vehicle Nigam Ltd, a defence public sector unit, was defaced to display a Pakistani flag and the Pakistan Army’s Al Khalid tank. Some media outlets also reported data breaches, though these claims remain unsubstantiated.

Such defacement activities are largely symbolic—meant to demonstrate capability and attract attention rather than cause systemic damage. However, as tensions escalated, a much more serious threat unfolded in the form of malware and APTs. 

Malware and APTs

In the aftermath of the Pahalgam attack, several government and law enforcement agencies warned of a surge in cyberattacks from Pakistan-linked threat actors against India’s critical infrastructure. Computer Emergency Response Team-India (CERT-In) cautioned financial institutions and critical sectors against cyber incidents. Likewise, Tamil Nadu Police and Himachal Police flagged the elevated risks of phishing attempts from Pakistan-linked threat actors.  

As India launched missile strikes on terrorist infrastructure in Pakistan and Pakistan-occupied Jammu and Kashmir (PoJK), cybersecurity experts observed a spike in Distributed Denial of Service (DDoS) attacks against India. According to an Indian cybersecurity company, Technisanct, the DDoS attacks targeted major government organisations—including the Income Tax Department, Hindustan Aeronautics Limited, Indian Railways, and Bharat Sanchar Nigam Limited. A report by Maharashtra Cyber, titled ‘Road of Sindoor’, recorded over 1.5 million cyberattacks during the period—of which 150 successfully breached the Indian digital infrastructure. These included DDoS assaults, malware infiltrations, and even Global Positioning System (GPS) spoofing. The report also highlighted a rise in malicious cyber activities originating from Bangladesh, Indonesia, and Morocco, among others—possibly intended to obfuscate attribution and mask Pakistani involvement.

A prominent APT involved in these cyberattacks is the Pakistan-based threat actor APT-36—also known as Transparent Tribe and Earth Karkaddan. According to reports, the group deployed Crimson Remote Access Trojan (RAT) malware in the wake of the Pahalgam attack, targeting Indian government officials and defence personnel. APT-36 is known for persistently attacking, primarily, the Indian government, defence networks, and organisations to harvest sensitive and classified information. The threat actor has previously used several tactics, including creating new domains to mimic the Kavach app (used for secure login on the Indian government’s email service).

Disinformation and propaganda 

Amid heightened tensions between the two countries, several Pakistan-based threat actors and social media handles also engaged in intense coordinated anti-India disinformation and propaganda campaigns to portray the Pahalgam attack as a ‘false flag’ operation and to misrepresent Operation Sindoor as targeting civilians. They did this to deceive and mislead Indian citizens and manipulate their thinking. Other narratives aimed to denigrate Indian military capabilities by questioning its ability to strike inside Pakistan and projecting considerable damage to Indian military facilities by Pakistani raids.

Much of this disinformation activity unfolded on X (formerly Twitter), now a central hub of anti-India propaganda. The Indian government reportedly requested the platform to withhold over 8,000 accounts.

On the cyber defence front, as Pakistan launched its Operation Bunyan Marsoos on 10 May 2025, targeting Indian cities and military facilities, Pakistani social media handles engaged in a tsunami of disinformation, claiming that Pakistani hackers had breached several Indian critical infrastructure sectors. One such unverified claim alleged that 70 percent of India’s power grid had been taken offline. 

Role of China

China’s assistance in building Pakistani military capabilities is well-established and became evident during the current crisis; the crisis also underscored Beijing’s hand in advancing Pakistani cyber capabilities and amplifying its propaganda networks. APT-36’s malicious campaigns against India have long been suspected of benefiting from Chinese support—particularly under the China-Pakistan Economic Corridor (CPEC), which includes an Information and Communications Technology (ICT)-enabled development component for Pakistan.

The pattern is particularly pronounced when it comes to anti-India disinformation and propaganda. In the past, Pakistani social media handles had often echoed Chinese narratives on the India-China border standoff in the Himalayas. This time, Chinese state media outlets and their social media handles, in turn, disseminated and amplified Pakistan’s anti-India propaganda. Social media accounts of news services—such as Xinhua and China Global Television Network—repeatedly circulated Pakistan’s false claims, including Indian airstrikes targeting civilian locations and Pakistani hackers disrupting Indian power grids. Some Xinhua reports also circulated the false Pakistani claim of targeting and damaging the S-400 missile system at Punjab’s Adampur air base.

This growing cyber alignment between China and Pakistan deepens India’s fears of a potential ‘two-front war’—one fought simultaneously across physical and digital domains and coordinated between China and Pakistan.

Conclusion 

Since 2022, conflicts in Ukraine and the Middle East have already shown how cyber operations increasingly complement conventional military campaigns. Consequently, the evolving role of cyberspace has become a significant feature of contemporary warfare. The current India-Pakistan conflict adds a new dimension—where cyberspace is no longer auxiliary, but a critical arena for both countries to assert their skills, flaunt their credentials in breaching each other’s computer networks, and engage in ‘narrative warfare’ aimed at not just their domestic audience but also the global community.


Sameer Patil is the Director of the Centre for Security, Strategy, and Technology at the Observer Research Foundation.

The views expressed above belong to the author(s).
