A recent report by cybersecurity firm CloudSEK found that the claims of Pakistan-linked hacktivist groups leading a sophisticated campaign of cyberattacks against India were mostly misleading and exaggerated.
The report, titled 'Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge', reveals that while headlines were dominated by dramatic accounts of cyber warfare, much of the activity lacked real impact.
As per the report, multiple hacktivist collectives—including Nation of Saviours, KAL EGY 319, and Vulture—claimed responsibility for over 100 attacks on Indian government websites, educational institutions, and critical infrastructure in May, posting announcements of website defacements and data leaks, as tensions escalated between India and Pakistan.
However, CloudSEK’s investigation showed that most of these so-called breaches caused minimal or no disruption. Many targeted websites experienced only brief downtimes, lasting a few minutes at most. In some high-profile cases—such as claimed attacks on the Prime Minister’s Office, the Election Commission of India, and the National Informatics Centre—there was little evidence of any meaningful compromise.
The report also found that many data leaks shared by these groups consisted of outdated, publicly available, or entirely fake information. Despite this, the claims gained significant traction online and in the media.
What The Report Debunked
CloudSEK’s investigation revealed that many of the loud claims made by hacktivist groups during the India-Pakistan standoff were either misleading or completely false. Here's what the report found:
NIC Breach Not What It Seemed
Groups like SYLHET GANG-SG and DieNet said they had stolen 247GB of sensitive data from the National Informatics Centre (NIC). But when the cybersecurity firm examined a 1.5GB sample of the so-called leaked data, it found only publicly available marketing materials. This showed the breach had been exaggerated to seem more serious than it really was.
Old Election Data Resurfaced as New
Another group, Team Azrael-Angel Of Death, claimed they had leaked personal data of 1 million Indian citizens from the Election Commission. However, analysis revealed that this was not a fresh leak—it was old data from a 2023 breach, simply repackaged to appear new.
DDoS Attacks Caused Barely Any Disruption
Hacktivist groups launched Distributed Denial-of-Service (DDoS) attacks—flooding websites with traffic to temporarily knock them offline—against key government sites including the Prime Minister’s Office and other ministries. But these attacks caused only brief slowdowns, often lasting under five minutes, despite claims of major disruptions.
Website Defacements Had No Lasting Effect
The group KAL EGY 319 said they had defaced 40 Indian websites linked to schools and hospitals. But all the websites were quickly restored and functioned normally afterwards, showing that the impact was minimal.
Fake Indian Army Data Leak
Some groups claimed to have leaked sensitive information about Indian Army personnel. But on analysing the leaked data, CloudSEK found serious inconsistencies in the dataset, suggesting it was either fake or manipulated.
The report highlights a consistent pattern among the hacktivist groups of exaggerating their activities—using low-effort methods like minor website outages or recycled data to gain attention, and relying on dramatic headlines to amplify their impact, even when the real damage is negligible.
CloudSEK recommends that organisations follow basic cybersecurity practices—especially for DDoS protection—to defend against these types of superficial but noisy attacks.
APT36: A Hidden but Real Threat
According to CloudSEK’s report, a more persistent threat comes from APT36, a Pakistan-linked cyber espionage group also known as Transparent Tribe. The report states that APT36 has been targeting Indian government and defence networks, especially during sensitive moments like the aftermath of the Pahalgam terror attack.
As per the findings, the group uses a malware called Crimson RAT (Remote Access Trojan), which is designed to secretly take control of a computer. APT36 spreads this malware through phishing emails that appear to be official communications, armed with infected PowerPoint or PDF files which, once opened, install the malware on the victim’s system.
The report says Crimson RAT allows the attackers to take screenshots, access files, execute commands remotely, and maintain long-term access to the system. These tools are used to steal sensitive information, such as login details and confidential documents.
Despite the malware’s capabilities, CloudSEK notes that APT36’s tactics have not changed significantly in six years. Therefore, the report suggests that organisations with strong cybersecurity systems are generally well-prepared to detect and block such attacks.
Cyberwarfare: The New Frontier in Regional Conflicts
The India-Pakistan conflict has now joined a growing list of regional disputes where cyberattacks play a major role alongside traditional warfare. This marks a shift in how modern conflicts are fought, with cyberspace emerging as a powerful new arena—often referred to as the "fifth war-fighting domain" after land, sea, air and space.
In recent years, cyberattacks have increasingly supported or escalated physical conflicts. For instance, in the lead-up to Russia’s invasion of Ukraine in February 2022, Russian hackers launched digital attacks to weaken Ukrainian infrastructure and sow confusion. Ukrainian hackers also retaliated in the weeks that followed.
Similarly, the Israel-Palestine conflict has seen sophisticated cyber activities. Notably, Israel reportedly used explosive devices disguised as pagers to target Hezbollah, a political and militant group based in Lebanon, illustrating the integration of cyber tactics in physical confrontations.
China, too, has used cyberwarfare to assert its geopolitical interests. It has stepped up hacking campaigns and online misinformation efforts against Southeast Asian nations over territorial disputes in the South China Sea.
According to cybersecurity firm Radware, cyberattacks between India and Pakistan were previously limited to issues such as religious tensions, political disputes, and regional rivalries. But May 2025 marked a significant shift, with cyber activity beginning to mirror the more organised, state-backed operations observed in other international conflicts.