Cyberattacks surge amid India-Pakistan clashes after strikes

Techday NZ, 14-05-2025

Cyberattacks by hacktivist groups have escalated following renewed tensions between India and Pakistan.
On May 7, 2025, India conducted "Operation Sindoor," a series of 24 missile strikes over 25 minutes against nine sites described as "terrorist infrastructure" in Pakistan and the Pakistan-administered region of Kashmir. According to Indian authorities, this operation was a response to the mass killing of 26 Indian tourists in Kashmir on 22 April. While India claims the strikes killed more than 70 militants and avoided civilian areas, Pakistan alleges at least 26 civilian casualties, has vowed to respond, and reports shooting down five Indian jets. Subsequent artillery exchanges have been reported along the Line of Control, closures of airspace have occurred, and international actors have called for restraint.
In anticipation of cyber reprisal, India moved to temporarily block overseas users from accessing the websites of the National Stock Exchange and BSE. Officials cited cyberthreat concerns as the reason for the move, affirming that trading operations remain unaffected, though access is being controlled while risks are evaluated. Indian media outlets have documented a rise in hacking claims linked to Pakistan, and Pakistan's cyber response agency, PKCERT, has warned that hostile actors are exploiting the escalation to spread disinformation and attack critical systems.
Reports compiled by Radware indicate that India has remained a frequent target of hacktivist campaigns throughout 2025, with 26 different groups targeting 100 organisations and accounting for 256 Distributed Denial of Service (DDoS) attacks since January. Most attacks were concentrated in January, but activity has accelerated in the first week of May as geopolitical tensions have heightened.
According to Radware, RipperSec has been responsible for over 30% of DDoS claims against Indian targets this year, followed by AnonSec (16.8%), Keymous+ (10.2%), Sylhet Gang (9%), and Mr Hamza (4.7%). Groups such as Anonymous VNLBN, Bangladesh Civilian Force, SPIDER-X, RuskiNet, Arabian Ghosts, AnonPioneers, Rabbit Cyber Team, Red Wolf Cyber, Nation of Saviors, and several others have also made claims of responsibility. Hacktivists on both sides are employing various methods, from DDoS attacks and botnets to website defacements and data leaks, with the objective of disrupting service and undermining public confidence.
More than half of the claimed DDoS attacks have targeted governmental agencies, with other significant targets including entities in education (8.3%), finance (7.4%), manufacturing (6.5%), and telecommunications (6.5%).
Since the events of May 7, DDoS attack activity aimed at India has intensified. Radware's analysis notes a spike at 4pm UTC (9:30pm IST) with up to seven claimed attacks per hour. Threat actors involved in these attacks include AnonSec, Keymous+, Mr Hamza, Anonymous VNLBN, Arabian Hosts, Islamic Hacker Army, Sylhet Gang, Red Wolf Cyber, and the Iranian group Vulture.
In the attacks following Operation Sindoor, more than 75% of incidents were directed at government agencies, while the financial and telecom sectors accounted for 8.5% and 6.4% respectively; together these sectors made up the bulk of the observed activity.
"Politically, socially and religiously motivated hacktivist groups are increasingly coordinating efforts, amplifying their attacks against shared adversaries," Radware said in its latest alert. "Hacktivists are using hybrid strategies, leveraging application-layer and volumetric DDoS attacks that complicate defences."
The Radware alert continued: "Hacktivists on both sides are targeting critical infrastructure using Web DDoS attacks, botnets, data leaks, and defacements, aiming to disrupt services and erode public trust."
Recent developments show several groups, including Sylhet Gang, Mysterious Team, and Red Wolf Cyber, declaring support for Pakistan and threatening expanded attacks on Indian systems. Radware observed that since 2024, there has been a growing pattern of collaboration among groups with different ideological motivations. "As noted in the Radware 2025 Global Threat Analysis Report, 2024 was a significant turning point for hacktivist alliances, as groups driven by different political, social and religious motivations united in coordinated campaigns to target shared perceived adversaries. In 2025, this trend has gained momentum, with more hacktivists offering mutual support for each other's actions and campaigns, amplifying their messages and boosting their visibility."
The alert further stated: "In the wake of Operation Sindoor, new alliances are emerging among Southeast Asian hacktivists. Some of these alliances even extend to groups traditionally opposed to Israel, such as the Iranian hacktivist group Vulture."
The situation, as described by Radware, remains volatile. "As of now, less than 24 hours have passed since the escalation between India and Pakistan, and the situation remains highly volatile. Several prominent politically motivated groups, such as RipperSec and Mysterious Team Pakistan, have publicly pledged to take action but have not yet claimed responsibility for any attacks. Their impending involvement could significantly raise the stakes."
Hacktivist groups based in India are also expected to intensify activity, raising concerns about reciprocal cyberattacks on Pakistani infrastructure. "Simultaneously, hacktivist groups supporting India, such as Indian Cyber Force, Cryptojackers of India, Dex4o4 and Ghost Force are expected to intensify their efforts to target Pakistani organisations. This could create a dangerous cycle of retaliation, increasing the risk of further cyberattacks, potentially targeting critical infrastructure on both sides."
The tactics used by hacktivists are varied. "Hacktivists frequently deploy application-layer DDoS attacks to target specific server resources, often without generating overwhelming traffic volumes. These attacks are harder to detect and mitigate, as they imitate legitimate user interactions. Common techniques include HTTPS encrypted floods and form POSTs, which overwhelm online services and their backend systems. This can result in significant service disruptions or even complete outages, especially for critical websites like government portals, financial institutions or news outlets."
"Volumetric attacks, while generally less sophisticated, are still a common strategy employed by hacktivist groups to overwhelm network infrastructure. These attacks often involve tactics such as direct path UDP floods or reflection and amplification attacks, where the target is flooded with a massive volume of UDP packets. This consumes significant bandwidth and network resources, which can potentially bring down online services or impact connectivity."
"Given the increasing sophistication of and orchestration between hacktivist groups, hybrid DDoS attacks that combine multiple techniques can be observed. These attacks could simultaneously target network infrastructure with volumetric methods while also executing application-layer attacks. These strategies complicate detection and mitigation efforts."
Radware highlighted the accessibility of DDoS tools as a contributing factor, noting: "Many groups may use publicly available DDoS tools to conduct their attacks. RipperSec members, for example, maintain and share a tool called MegaMedusa. Built using Node.js, MegaMedusa leverages its asynchronous and non-blocking I/O capabilities to manage multiple network connections efficiently, making it suitable for orchestrating extensive DDoS campaigns. The tool is publicly accessible via GitHub, allowing users to install and operate it with minimal technical expertise. Its user-friendly installation process involves executing a few commands, making it accessible even to individuals with limited technical backgrounds. The availability of these tools makes it easier for groups with varying levels of technical expertise to launch impactful attacks."
"Hacktivist groups may also utilise botnets – networks of compromised devices, often IoT devices – to launch large-scale DDoS attacks. These botnets can be rented or created through the use of malware, enabling attackers to distribute traffic across a wide range of devices. Some hacktivist groups have evolved from politically and religiously motivated attackers to DDoS-as-a-service providers, offering these services either for a fee or in exchange for advertising on their Telegram channels."
"Some hacktivists may also engage in website defacements and claim responsibility for data leaks as part of their strategy to create chaos and erode public trust in institutions. These actions are often intended to undermine the credibility of targeted organisations and spread ideological messages."
