In recent weeks, there have been frequent reports of cyberattacks targeting organisations in India.

This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 22 May 2025.

  • Bouts of heightened political or military tensions between the two countries are highly likely to drive tit-for-tat cyber operations in the coming years
  • On current indications, neither side would be able to significantly disrupt critical infrastructure; India has denied claims earlier this month that Pakistan disrupted 70% of India’s electricity grid

The recent limited conflict between India and Pakistan appears to have spurred frequent cyberattacks by hackers in both countries. Both warned of heightened cybersecurity threats during the military escalation. And we observed a surge of activity on online hacktivist channels. Reports of such operations seem to have slowed since India and Pakistan agreed on 10 May to an immediate ceasefire. But government-backed cyberespionage campaigns between the two countries are almost certain to continue, alongside sporadic hacktivist operations against government and local firms’ websites.

Any further short-lived military escalation between India and Pakistan over the coming years is highly likely to raise cyber threats to organisations based there. But on current indications, state-backed hacking groups from either country do not appear capable of causing major disruption to critical infrastructure. Hacktivists will probably also be motivated to carry out DDoS and website defacement campaigns during any escalation and around key dates such as Independence Day in Pakistan and India on 14 and 15 August, respectively.

Unverified claims of disruption to Indian infrastructure

Pakistan state-linked hacking groups seem to have conducted repeated cyber campaigns amid the military escalation. Cybersecurity firm CloudSEK said on 11 May it had observed one group using social engineering tactics to exploit the ‘emotional aftermath’ of the terrorist attack in Pahalgam on 22 April. The firm said the group deployed previously used malware against Indian government and defence networks. Pakistani press outlets reported on other similar incidents in recent weeks, but we were not able to independently verify these.

We are sceptical of Pakistani media reports of cyberattacks against critical infrastructure in India earlier this month. On 10 May, Radio Pakistan reported that Pakistan had disrupted 70% of India’s electricity grid, citing unnamed security sources. And a Pakistani media outlet said Pakistan had also shut down wind turbines and disrupted transportation and utilities. Indian government sources have publicly refuted these claims. We also saw no evidence to back up these claims.

Similarly, Pakistan advised of cyber operations from groups based in India during the escalation. Pakistan’s National Cyber Emergency Response Team on 7 May said that ‘adversaries’ are ‘launch[ing] sophisticated cyberattacks …. deliberately aiming to compromise our critical networks’. But we have not seen independent reporting of Indian state groups mounting such operations.

Cyberespionage still a priority despite ceasefire

The recent escalation, as well as their entrenched rivalry, will probably incentivise India and Pakistan to bolster their offensive cyber capabilities over the coming years. India already appears to have been doing so. A US-based think-tank said in a report published in March that ‘the Indian Armed Forces have invested in both defensive and offensive cyber capabilities’. And India seems to have used this investment to target government networks; Canada, in its annual threat assessment last year, said that India ‘likely conduct[s] cyber threat activity’ against Canadian government networks.

Cyberespionage is highly likely to remain the main priority for both states, especially using spyware and malicious apps. Cybersecurity firm SentinelLabs said in 2023 that a Pakistan-linked group tricked targets in India into downloading a fake and malicious YouTube app. And last year, cybersecurity firm ESET said that an India-linked group targeted users in Pakistan with a malicious news app, which was installed over 1,400 times. Politicians and diplomats would probably be the main targets of such campaigns. But other people have also inadvertently downloaded these apps in the past, according to ESET.

We doubt that Pakistan and India would be capable of causing severe disruption to critical infrastructure. As is often the case, the full extent of their cyber capabilities is unclear. But we are not aware of any confirmed cases of state-backed cyber groups from either country successfully causing physical disruption to critical infrastructure. And most cyberespionage campaigns seem focused on intelligence gathering, rather than preparing for future disruptive operations. Both sides were seemingly motivated to exaggerate their successes during the recent military escalation.

High pace of hacktivist activity

Future bouts of heightened political or military tensions between the two countries are also highly likely to drive hacktivist campaigns. There has been a surge of hacktivist groups, mainly pro-Pakistan, claiming DDoS attacks, website defacements and data breaches in recent weeks. The pace of these claims has slowed since the ceasefire.

Still, hacktivists are highly likely to ramp up their operations around key dates, like Independence Day in Pakistan and India on 14 and 15 August, respectively. Hacktivists often carry out campaigns on days of religious or national significance or around bouts of heightened political or military tensions.

We doubt that these groups have the technical capability to cause long-lasting disruption to websites, however. Based on reporting on these groups’ activities, they often, at most, disrupt website access for under half an hour. Common targets include government and military entities as well as local finance and retail firms. And they seem to frequently exaggerate the impacts of their operations.

Image: Indian soldiers stand alert near the clock tower in Srinagar, India-administered Jammu and Kashmir, during a Tiranga rally on May 22, 2025 to celebrate the “Operation Sindoor” in which Indian forces conducted missile strikes in Pakistan in the wake of the Pahalgam attack in which 26 civilians were killed on 22 April 2025. (Photo by Faisal Khan / Middle East Images / Middle East Images via AFP via Getty Images.)