Mint Explainer: The truth behind Pakistan-linked cyberattacks on India

Mint

12-05-2025

India's Operation Sindoor that targeted Pakistani terror camps triggered a wave of disinformation campaigns and claims of cyberattacks on India by Pakistani hackers. But the claims may not hold much water, say security firms.
Consider this. On Friday, a day before a ceasefire between India and Pakistan was announced, the Indian Press Information Bureau debunked a viral post that claimed ATMs across India would shut down due to a ransomware attack. The bureau simultaneously dismissed another claim that a video titled 'Dance of the Hillary' was a virus that would wipe all data on mobile phones.
Pakistan-linked hackers claim they have launched more than 100 cyberattacks on Indian government, education, and infrastructure websites so far in May. However, a detailed analysis by security firm CloudSEK reveals many of these claims to be 'exaggerated or entirely fabricated".
Data breaches have been reported in key government platforms, including that of the ministries of defence and external affairs, and the Election Commission of India. Digital public services such as UMANG, Digital Police, and the National Informatics Centre, too, were allegedly compromised, along with the Indian President and Prime Minister's top administrative websites.
Judicial systems also allegedly faced disruptions, as did the education sector with cyberattacks on the digital platforms of universities, medical institutions, and testing agencies. The digital infrastructure of the Indian Railways, India Post, RailTel Corporation of India, and major banks like Punjab National Bank and Indian Overseas Bank, were also targeted.
However, according to CloudSEK, the data breaches often involved outdated or publicly available information, while distributed denial-of-service (DDoS) attacks and defacement attempts 'caused negligible disruption—some lasting barely five minutes". (In a DDoS attack, cybercriminals flood a server with internet traffic to prevent users from accessing connected online services and sites.)
Mint explains the authenticity of the claims and the real cyber threats India faces.
Also read | Operation Sindoor: India on high alert for cyber attacks
Did Pakistan-linked cyberattacks on India cause any major damage?
Pakistan-linked hacker groups such as Nation Of Saviors, KAL EGY 319, and SYLHET GANG-SG have claimed high-profile hits on India, including cyberattacks on the digital platforms of the Election Commission and the Prime Minister's Office.
But CloudSEK's investigations show minimal impact: the Election Commission data breach was a repackaged 2023 leak, and the National Informatics Centre breach was limited to marketing files. Even coordinated DDoS attacks on government platforms resulted in barely noticeable outages.
Consider these examples.
On 8 May, Team Azrael–Angel Of Death claimed it breached the Election Commission's digital platform, allegedly exposing over a million citizen records. However, verification revealed that the data—though containing real personally identifiable information such as names, ages, phone numbers, and addresses—was originally leaked in 2023.
This reflects a common hacker tactic: repackaging old data to simulate a fresh, high-impact breach, according to CloudSEK. Team Azrael's claim appears aimed more at generating alarm and publicity than signaling a new compromise of India's democratic institutions, CloudSEK added.
On 8-9 May, KAL EGY 319 claimed a widespread defacement campaign targeting about 40 Indian educational and medical websites, followed by a shift to new targets. However, investigation showed all named websites were operational, indicating that the attacks were either not carried out as claimed or had little real impact.
Similarly, SYLHET GANG-SG and DieNet claimed to have exfiltrated more than 247 GB of data from India's National Informatics Centre. However, analysis of a 1.5 GB sample shared as 'proof" revealed only publicly available marketing content and media files, indicating the claim to be largely unsubstantiated and lacking evidence of compromised sensitive data.
Also read | Cyberattacks fresh in mind, India raises grid security after Pahalgam
So are there no major cyberthreats to India?
While the noise from Pakistan-linked hacker groups has been mostly superficial, advanced persistent threats (APTs)—sophisticated, sustained cyberattacks by hackers that have managed to establish an undetected presence in a network—underscore the real risks, according to security firms.
APT36, also known as Transparent Tribe or Mythic Leopard, is a Pakistan-linked cyber espionage group active since at least 2013. It primarily targets Indian military, government, and defence-related sectors, often using spear-phishing emails laced with malware disguised as official documents—such as fake Indian Army recruitment forms or covid-19 advisories.
The group's main tool is the Crimson RAT (Remote Access Trojan), which enables surveillance through file theft, screen capture, and keystroke logging. APT36, according to CloudSEK, used the Crimson RAT malware to infiltrate Indian defense systems following the Pahalgam terror attack last month. The malware had been delivered via phishing emails disguised as official government documents.
Once installed, Crimson RAT allowed attackers to capture screenshots, exfiltrate sensitive data, and maintain long-term access, according to CloudSEK.
Security firm Check Point Research, too, has been tracking the persistent use of ElizaRAT, a custom implant deployed by APT36 in targeted attacks on high-profile entities in India.
To deploy the Crimson RAT malware, APT36 used spoofed domains resembling Indian government websites and a payload masked as an image file to evade detection, targeting government and defense networks with precision.
APT36 has also deployed Android malware, including CapraRAT, via fake dating and chat apps to infiltrate mobile devices of military personnel and activists. Considered highly dangerous due to its persistent and stealthy operations, APT36 adapts quickly, refining its tactics and reusing infrastructure to avoid detection.
CloudSEK's report also flagged that Pakistan-linked accounts like P@kistanCyberForce and CyberLegendX (@cyber4982) were spreading unverified cyberattack claims, often tied to events like Operation Sindoor. Targets included Bharti Airtel and the Manohar Parrikar Institute, though evidence of real damage is lacking.
Top 5 Pakistan-linked hacker groups
Nation of Saviors: 32 claimed attacks
Claimed disruptions across digital platforms of Indian central and state government departments, financial institutions, and educational bodies. High-profile targets included India's Central Bureau of Investigation, Election Commission of India, and National Portal of India.
KAL EGY 319: 31 claimed attacks
Focused on defacing the websites of Indian colleges, universities, and healthcare institutions. Claimed about 40 websites compromised in a widespread campaign.
SYLHET GANG-SG: 19 claimed attacksTargeted Indian government websites, media outlets, and educational institutions. Notable claims included a data breach of the Andhra Pradesh High Court and theNational Informatics Centre.
Lực Lượng Đặc Biệt Quân Đội Điện Tử & affiliates: 18 claimed attacks
Concentrated on Indian courts and government services. Judicial and law enforcement websites, including district and high courts, were key targets.
Vulture: 16 claimed attacksFocused on Indian government and educational sites. Claimed hits on the websites of the Digital Police, President of India, and the Prime Minister's Office. Often involved in joint hacking operations.
Does this mean all is hunky-dory?
As geopolitical tensions rise, India finds itself on the brink of an evolving cyberwar with Pakistan. Recent attacks, including the breach of Pakistan's Habib Bank by the Indian Cyber Force and retaliatory phishing campaigns by Pakistan-linked APT36, as cited above, signal a new threat to India's critical digital infrastructure.
India's financial systems are on high alert. BSE and NSE recently restricted overseas access to their websites in a rare preemptive move, hinting at credible cyber threats. These measures reflect broader vulnerabilities in India's digital ecosystem—ranging from legacy systems to inconsistent cyber hygiene across institutions.
Yet, India lacks a publicly defined doctrine for cyber retaliation, unlike the US and China. India relies heavily on regulatory defenses via the Indian Computer Emergency Response Team (CERT-In), the Reserve Bank of India's frameworks, and mandates from the Securities and Exchange Board of India, though smaller financial institutions remain exposed.
With rising hacker activity, espionage, and digital subversion, India's cyber defense remains reactive and fragmented. Experts argue that a transparent, coordinated national cyber strategy—defensive and offensive—is now a strategic necessity. Is India ready for the next digital war? The answer may depend on how quickly it can bridge the policy-practice gap.