Pakistan’s Dominance in Cyber Space

The Kashmir conflict has been a historical legacy since 1947, when India and Pakistan were divided, and it still leads to tensions in the region.  Following the recent terrorist attack in Pahalgam, India accused Pakistan of aiding cross-border terrorism, a charge Pakistan denied. This accusation promptly led to a number of combative actions:  India imposed border control and diplomatic expulsion on April 23, 2025; Pakistan responded by closing airspace and suspending trade on April 24; the two sides engaged in several rounds of military combat along the Line of Control between April 25 and 27, which eventually turned into a heavy-weapons exchange; both sides continued to impose blockade measures from May 2 to 5. India launched missiles into Pakistan, targeting civilians, as part of a massive military operation known as “Operation Sindoor,” on May 7.  Following that, the war between India and Pakistan lasted until May 10, 2025. In its counteroffensive against the Indian Air Force, the Pakistani Air Force shot down five Indian fighter jets, and there was a chance that the situation in the region would deteriorate.

In recent years, cyberattacks during times of conflict and even in peace have become the new standard.  Along with the land, air, sea, and space domains, cyberspace is regarded as one of the five primary unique contexts of warfare.  [1].

Pakistan began the “Solid/Iron Wall” military operation and a fresh series of attacks on Indian military installations from May 8 to May 10.

Cyberspace becomes a vital battlefield.  Pakistani cyber organizations launched several cyberattacks against Indian computer networks and cyberspace.  This is the first time that during an India-Pakistan crisis, the online has turned into an active, orchestrated theater of conflict.

The Pakistani military declared that it had used cyberattacks that disabled 70% of India’s electrical infrastructure, resulting in power outages in several cities and seriously impairing the ability of both military and civilian installations to function.

Cyberattacks against India increased significantly throughout the course of the war.  According to the real-time threat attack maps made available by companies like Kaspersky [2] and Radware [3], India is regularly ranked in the top five nations targeted both during and after a conflict.  Ransomware assaults, Distributed Denial of Service (DDoS) attacks, website defacements, and malware infections have increased among Indian businesses and Micro, Small, and Medium-Sized Enterprises (MSMEs), according to the Indian Computer Emergency Response Team (CERT-In) [4].

The report claims that government organizations were the target of more than 75% of the attempted DDoS attacks.  The industries most commonly targeted were manufacturing (6.5%), telecom (6.5%), finance (7.4%), and education (8.3%) [5].

Following the Pahalgam attack, the Maharashtra police recorded over 1million attacks, indicating a notable increase in cyberthreats associated with the ibid-geopolitical tensions [6].  Pakistani cyber groups targeted more than five hundred Indian government and business sector organizations.  In order to disrupt and reduce operating efficiency, Pakistani cyber organizations used a variety of attacks to target vital infrastructures [7].

The monitoring data of the NSFOCUS Fuying Laboratory’s Global Threat Hunting System indicates that data breaches have been reported in educational institutions (ncccnews.com), critical infrastructure (powergrid.in), and important government platforms (uidai.gov.in, pib.gov.in), including those of the Indian Election Commission, the Ministries of External Affairs and Defense (mod.gov.in).  Digital public services include UMANG, the Indian President and Prime Minister’s main administrative websites (pmindia.gov.in, jkgad.nic.in, presidentofindia.gov.in, ns2.nic.in), telecommunications services (bsnl.co.in), media services (tv9hindi.com), digital police, and the National Informatics Center [8].

The cyberattack may have exposed private data associated with Indian defense officers, including login credentials and personal information, according to a News18 article that cited sources.

According to the news agency, Pakistani cyber organizations also attempted to vandalize the website of Armoured Vehicle Nigam Limited, a Ministry of Defense-affiliated Public Sector Undertaking.

The Armoured Vehicle Nigam Limited website was pulled down for a comprehensive assessment to determine the extent of any possible harm, according to an NDTV story that cited sources [9].

On April 10, 2025, the botnet family Mirai launched a five-minute DDoS attack on the TV9 Hindi online news platform using the ACK_FLOOD attack mechanism, according to NSFOCUS.

Two consecutive DDoS attacks were launched against BSNL (www.bsnl.co.in), a state-owned telecom provider connected to the Indian government’s Ministry of Telecommunications, on April 25 and April 26, 2025.  For longer than half an hour, the attackers employed the NetBIOS reflection and NTP reflection amplification attack approaches, respectively.  Until May 7th, the operator’s official website was unavailable.

A DDoS attack against Nccc News’ official website (ncccnews.com) was discovered on April 26, 2025.  The attack lasted for 22 minutes and 13 seconds and made use of the CLDAP reflection attack technique.

On 26 April 2025 , a DDoS attack using NTP reflection amplification techniques was launched against the official website of the Unique Identification Authority of India (UIDAI), uidai.gov.in.  The duration of the attack was 31 minutes and 19 seconds.

On May 2, 2025, POWERGRID’s official website (www.powergrid.in) was hit by to a 31-minute, 26-second DDoS attack using NTP reflection amplification technique. [8]

The Indian Presidential Office website (presidentofindia.gov.in) was the target of two rounds of DDoS attacks on May 7-8, 2025.  According to monitoring data, attackers initiate attacks by using DNS reflection amplification technique.  Attacks started on May 7 and lasted for 2 hours, 16 minutes, and 11 seconds. The second set of attacks, which started on May 8 and lasted for 19 hours, 46 minutes, and 29 seconds, was significantly worse.

Two rounds of DDoS attacks were launched against the Indian National Informatics Center’s domain name resolution service (ns2.nic.in) in quick succession between May 7 and May 8, 2025.  According to monitoring data, DNS reflection amplification technique was utilized to initiate this attack.  Beginning on May 7 and lasting 19 minutes and 03 seconds, the first wave of attacks was followed by an even worse round that started on May 8 and lasted 1 hour, 05 minutes, and 11 seconds.

On May 9, 2025, it emerged that the Mirai botnet was targeting the official website of the Indian state of Jammu and Kashmir (www.jkgad.nic.in).  The ACK Flood attack technique was employed by the attacker.

On May 10, 2025, a DDoS attack that lasted three hours, 56 minutes, and 57 seconds was launched on the Ministry of Defense’s (MoD) official website, mod.gov.in.  NTP reflection amplification technique was employed in the attack, according to monitoring data.

A DDoS attack lasting one hour, two minutes, and thirty-seven seconds was launched against the Press Information Bureau (PIB) of India’s official website (pib.gov.in) on May 10, 2025.  DNS reflection amplification technique was utilized in the attack.

A DDoS attack that lasted one hour, fifty-one minutes, and thirteen seconds was launched against the Indian Prime Minister’s Office website (pmindia.gov.in) on May 10, 2025.  DNS reflection amplification technique  was utilized in the attack, according to monitoring data.  [10]

In the wake of the Pahalgam terror attack, officials made the announcement on Tuesday, May 13, 2025, Indian cyber agencies have identified seven Advanced Persistent Threat (APT) groups that have launched over 1.5 million cyberattacks targeting critical infrastructure websites nationwide, according to the New Indian Express newspaper [11].

They stated that via malware nicknamed “Dance Of Hillary” and “Calls From Military,” a few Pakistani Intelligence Operatives (PIOs) were discovered to be targeting mobile phones used by journalists and defense personnel in India [19].

Several government authorities observed these acts and issued advisories.  India has taken preventive measures to safeguard its sensitive assets and vital infrastructure, such as transportation, electricity, defense manufacturing, and telecommunications.  To lessen possible cyberthreats, Indian stock exchanges blocked access to their websites from international IP addresses [12, 13].

Infrastructure improvement initiatives have been evaluated by the Department of Telecommunications (DoT) [14].  At the same time, advisories about dangers to banks and financial institutions have been released by the Indian Computer Emergency Response Team (CERT-In).  On May 10, an advisory detailing the necessary steps to secure vendors for micro, small, and medium-sized businesses (MSME) was released. A second advise for major industries followed.  The agency reported a dramatic increase in ransomware assaults, DDoS occurrences, malware infections, and online defacements in the latter advisory [15].

Throughout the conflict, a numerous cyber groups from Pakistan have targeted Indian organizations.  Over 1.5 million cyberattacks on Indian infrastructure were carried out by a number of groups after the events of early May 7, including APT 36, Sylhet Gang-SG & Dienet, KAL EGY 319, Pakistan Cyber Force, Team Insane PK, Electronic Army Special Forces & Affiliates, Cyber Group HOAX 1337, National Cyber Crew, Team Azrael-Angel of Death, Vulture, and the Electronic Army Special Forces [16, 17].

According to CloudSEK, an indian based cyber risk and threat intelligence firm, the majority of these breaches were fabricated or overstated.  After the Pahalgam terror attack, APT36 targeted Indian defense networks using Crimson RAT malware technique, posing a greater threat than DDoS attacks, which only briefly disrupted network activity [18].

Pakistani cyber groups have reduced the number of their cyberattacks since the cease-fire on May 10, 2025.

The fallacies surrounding India’s military and information technology advancements have been debunked by Pakistan’s resolute military response and cyber security expertise, which has demonstrated its cyber dominance in this conflict.  Longstanding claims of Indian dominance in the global tech sector are being undermined by a recent cyber loss.  A major turning point in this new aspect of warfare was reached when Pakistan not only demonstrated its enormous strength to the globe but also fundamentally altered how the world saw the region’s cyber capabilities.

May 10, 2025, will surely be remembered as more than just a military show; it will be remembered as a day when Pakistan’s resilience, scientific excellence, and unshakeable determination came united to defend its sovereignty.

Pakistan Zindabad.
Prof. Dr. Rehan Shams
Department of Telecommunication Engineering
Sir Syed University of Engineering & Technology

References:

[1] Colin S. Gray, Airpower for Strategic Effect (Alabama: Air University Press, 2012), p. 14

[2] “Cyberthreat Live Map,” Kaspersky, https://cybermap.kaspersky.com/. Accessed on May 14, 2025.

[3] “Live Cyber Threat Map | Radware,” Radware, https://livethreatmap.radware.com/ . Accessed on May 14, 2025.

[4] “CERT-In Advisory CIAD-2025-0019,” CERT-In, https://www.cert-in.org.in/. Accessed on May 14, 2025.

[5] Swati Bharadwaj. “Operation Sindoor: Govt. digital infrastructure faced 75% of cyber-attacks”, 14 May 2025,  https://timesofindia.indiatimes.com/city/hyderabad/operation-sindoor-as-pak-drones-took-to-skies-hackers-attacked-india-via cloud/articleshow/121146853.cms; Accessed on 16 May 2025

[6] “Over 10 lakh Cyber Attacks on Indian Systems after Pahalgam Terror Attack: Maharashtra Cyber,” The New Indian Express, May 02, 2025, https://www.newindianexpress.com/nation/2025/May/02/over-10-lakh-cyber-attacks-on-indian-systems-after-pahalgam-terror-attack-maharashtra-cyber; Accessed on May 14, 2025.

[7] Abdul Nazeer MA, “500 Indian govt, pvt Entities Targeted by Hacktivist Groups,” The New Indian Express, May 08, 2025, https://www.newindianexpress.com/states/kerala/2025/May/11/500-indian-govt-pvt-entities-targeted-by-hacktivist-groups. Accessed on May 14, 2025.

[8] “Two Battlegrounds: India-Pakistan Conflicts and DDoS Attacks,” – NSFOCUS, Inc., May 08, 2025, https://nsfocusglobal.com/two-battlegrounds-india-pakistan-conflicts-and-ddos-attacks/; Accessed on May 20, 2025

[9] Swastika Das Sharma. “Pakistani cyber attackers claim they hacked Indian defence websites, think tank denies report”, mint, 5th May 2025, https://www.livemint.com/news/india/pahalgam-was-just-the-beginning-pakistani-cyber-attackers-claim-they-hacked-indian-defence-websites-again-11746445260717.html; Accessed on 12th May 2025

[10] “India-Pakistan Conflicts Escalating: Military Operations and DDoS Attacks Making Targeted Strikes,”  NSFOCUS, Inc., ,” May 13, 2025, https://nsfocusglobal.com/india-pakistan-conflicts-escalating-military-operations-and-ddos-attacks-making-targeted-strikes; Accessed on May 20, 2025.

[11] Mukesh Ranjan. “15L cyber attacks on key locations by Pakistan hackers”, The New Indian Express, 14th May 2025, https://www.newindianexpress.com/nation/2025/May/14/15l-cyber-attacks-on-key-locations-by-pakistan-hackers. Accessed on 20th May 2025

[12] “As Pakistani Hacker Group APT36 Targets Indian Systems, Chandigarh Police Issue Advisory”, The Indian Express, 10 May 2025.

[13] Shivendra Kumar, “BSE, NSE Restrict Access to Websites for Overseas users: Reports,” The Economic Times, May 07, 2025, https://economictimes.indiatimes.com/markets/stocks/news/bse-nse-restrict-access-to-websites-for-overseas-users-reports/articleshow/120955528.cms?from=mdr; Accessed on May 16, 2025.

[14] “Govt Ramps Up Cyber Vigilance on Critical Infrastructure after Operation Sindoor”, Money Control, 7 May 2025.

[15] “Essential Measures for MSMEs for Safeguarding Business Operations against Cyber Security Threats”, CERT-IN, 10 May 2025.

 [16] PTI. “Pakistan-allied hackers launched 15 lakh cyber attacks on Indian websites; only 150 successful”, Deccan Herald, 12 May 2025, https://www.deccanherald.com/india/maharashtra/pakistan-allied-hackers-launched-15-lakh-cyber-attacks-on-indian-websites-only-150-successful-3537123. Accessed on 20 May 2025.

[17] radware 2025, THREAT ALERTS  Escalating Hacktivist Attacks Amidst India-Pakistan Tensions, https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/. Accessed on 15 May 2025

[18] Pagilla Manohar Reddy. “Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge”, 11 May 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge. Accessed on 15 may 2025

[19] Ankur Sharma. “‘Dance Of Hillary’ To ‘Calls From Military’: Pak Targets Indian Journalists, Security Personnel”, News18, 12 May 2025, https://www.news18.com/india/dance-of-hillary-to-calls-from-military-pak-targets-indian-journalists-security-personnel-ws-kl-9333766.html; Accessed on 16 May 2025