
Digital war: Pak’s Cyber Activity Against India



Malicious actors were active as soon as reports of the Pahalgam attack began to surface, with a noticeable increase in their activities in the following days. Threat actors created fake domains that mirrored legitimate services, which were then used to deploy malware targeting the Indian government and defence personnel. Social media platforms were flooded with misinformation in a deliberate attempt to undermine public trust.

On May 7, 2025, exercising its “right to respond”, Indian armed forces launched Operation Sindoor, under which they carried out precision strikes to destroy a network of terror camps in Pakistan and Pakistan-Occupied Kashmir (PoK).

The operation was undertaken in the wake of a terror attack in Pahalgam in which 26 tourists were murdered in cold blood. Defence Minister Rajnath Singh stated that the Indian armed forces carried out a focused, measured and non-escalatory response, intended to “break the morale” of the terrorists operating inside Pakistan.

Pakistani-affiliated hacker groups conducted a range of cyber-attacks against Indian targets, even though none of them created any significant disruption.

Emulating European pattern:

These attempts were first noticed following the Pahalgam attack and even before the escalation of the conflict, when websites associated with the armed forces were subjected to web defacement and online disruptions.

Despite the fact that these intrusions were successfully thwarted by relevant agencies, the uptick in cyber-attacks reflects a pattern seen in hot zones in Europe and West Asia.

Almost all government computer and financial networks, and power plants, among others, are possible targets, as terrorists may identify these as the most appropriate features to corrupt or disarm in order to wreak havoc.

Manipulation of systems via software with secret “back doors”, theft of classified files, erasing data, re-writing web pages, introducing viruses, etc., are just a few examples of how terrorism can penetrate secure systems.

Scholars have long debated the role of cyber operations in managing escalation during a militarised crisis.

Pakistan’s cyber strategy:

Pakistani aggression in the cyber realm can be categorised as Advanced Persistent Threat (APT) and hacker group activity, misinformation through social media platforms, and online activities by terror outfits.

Home-grown APT groups actively targeted Indian infrastructure, conducting somewhat sophisticated and sustained operations against India’s interests. For instance, APT36, also known as Transparent Tribe, a threat group attributed to Pakistan, has been active since 2013 and has primarily targeted Indian defence, government and diplomatic entities.

APT36 is known for its reliance on Crimson RAT, a remote access Trojan used for data exfiltration and espionage. It frequently mimics Indian government websites to distribute malware.

Following the Pahalgam attack, APT36 launched a cyber-attack campaign that spoofed India’s Ministry of Defence and used “Pahalgam Terror Attack”-themed documents to distribute malware, which could eventually be put to use to conduct information operations and espionage operations.

Another Pakistan-based APT actor, Sidecopy, has also been active, sending out phishing emails impersonating official entities and delivering malware through fake domains mimicking legitimate services. During the conflict, Indian agencies identified seven APT groups operating against India that were also responsible for over 15 lakh cyber-attacks.

Most of these attacks reportedly originated from Pakistan, Bangladesh and West Asia. However, they are not technically as advanced as Chinese APTs, which leverage zero-day exploits and conduct supply-chain attacks.

Pakistan’s use of terrorists against India has not been limited to the conventional domain. Terror outfits such as Lashkar-e-Taiba (LeT) and Jaish-e-Mohammad have leveraged cyberspace extensively for recruitment, propaganda, communication, funding, planning and executing attacks.

Internet and social media platforms—including Facebook, Twitter, WhatsApp, Telegram and YouTube—have been effectively used to spread extremist ideology and to recruit followers.

The ongoing cyber-attacks targeting Indian infrastructure suggest growing reliance on cyber operations before, during, and after the cessation of military hostilities.

Malicious actors were active as soon as reports of the Pahalgam attack surfaced, with a noticeable increase in their activities in the following days.

Effective Indian response:

Existing threat actors like APT36 created fake domains that mirrored legitimate services, which were used to deploy malware targeting the Indian government and defence personnel. Social media platforms were flooded with misinformation in a deliberate attempt to undermine public trust in Indian operations.

The Indian government responded swiftly, successfully thwarting many of the attacks in time. Official Indian handles on social media platforms like X proved highly effective in identifying fake news and played a key role in identifying and taking down the accounts responsible. That said, tactics such as phishing emails, infected mobile apps, spyware, and embedding hidden malware on websites to gain unauthorised access to sensitive information can only be countered through continuous vigilance and strict digital hygiene practices.

(Courtesy: https://www.idsa.in/; for a full version of article, visit the website; Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India)
