DEV Community

Sandarbh Bajpai

India-Pakistan Cyber Warfare

Operation Sindoor Cyber Fallout:
In the aftermath of Operation Sindoor (India's military response to the April 22 Pahalgam terror attack that killed 26 civilians), a coordinated cyber warfare campaign targeted India's digital infrastructure. Maharashtra Cyber identified seven Advanced Persistent Threat (APT) groups responsible for these attacks: the Pakistan-based APT36, Pakistan Cyber Force, Team Insane PK, Mysterious Bangladesh, Indo Hacks Sec, Cyber Group HOAX 1337, and National Cyber Crew.

The attackers employed a range of techniques, including malware campaigns, Distributed Denial-of-Service (DDoS) attacks, and GPS spoofing, and primarily targeted government organizations (75% of attacks), followed by the education (8.3%), finance (7.4%), manufacturing (6.5%), and telecom (6.5%) sectors. While the cyber assault originated primarily from Pakistan, it also involved hackers from Bangladesh, Indonesia, Morocco, and Middle Eastern countries. Despite the ceasefire agreement between India and Pakistan, these cyber attacks have continued, though at a reduced rate, demonstrating that digital hostilities persist even after conventional hostilities subside.

APT36 Hacking Techniques:
APT36, also known as Transparent Tribe, employs sophisticated cyber-espionage techniques that primarily target Indian government, military, and diplomatic entities. Its attack methodology has evolved significantly; its arsenal now includes ElizaRAT, a Windows remote administration tool with advanced evasion capabilities such as process injection, rootkit functionality, and anti-debugging mechanisms.

The group's infection vectors include spear-phishing emails with malicious attachments, malvertising through Google Ads to distribute trojanized versions of legitimate applications such as the Kavach MFA client, and domain spoofing of official Indian government websites. The group has expanded its toolkit to cross-platform malware targeting both Windows and Linux systems, with payloads such as ApoloStealer and Crimson RAT that can exfiltrate sensitive data, capture screenshots, and execute remote commands. APT36 maintains stealth by using legitimate cloud services such as Telegram, Google Drive, and Slack for command-and-control communications, by implementing time zone checks so that payloads execute only on systems configured for India, and by building elaborate infrastructure designed to obscure its Pakistani origin.

DDoS Attack Statistics:
The surge in cyber hostilities following Operation Sindoor saw Distributed Denial-of-Service (DDoS) attacks emerge as the dominant threat vector, accounting for 55.5% of all identified attacks against Indian targets. This represents a dramatic escalation over normal activity levels: while only 147 DDoS attacks targeted India between February and April 2025, 112 were recorded in just the first nine days of May. The peak occurred on May 10, when attack volumes reached levels 97 times (9700%) higher than the pre-conflict baseline measured on April 22.

The attacks displayed clear strategic patterns, with government institutions bearing the brunt (52% of incidents), followed by the education (21.5%), finance (8.5%), technology/IT services (6.5%), and telecom (6.4%) sectors. The most active threat groups were RipperSec (responsible for 30% of all DDoS claims), AnonSec (16.8%), Keymous+ (10.2%), Sylhet Gang (9%), and Mr Hamza (4.7%). Attack intensity peaked at 4 pm UTC on May 7, with seven claimed DDoS attacks per hour, though activity began declining after both nations agreed to a comprehensive ceasefire on May 11.
