
Cyber Onslaught Amid the Pahalgam Massacre and Operation Sindoor

Sub Title : Cyber war is a reality, as seen after the Pahalgam massacre and during Op Sindoor

Issues Details : Vol 19 Issue 6 Jan – Feb 2026

Author : Parth Sane

Page No. : 50

Category : Military Affairs

Date : January 22, 2026

In 2025, India faced an unprecedented cyber onslaught, with millions of hostile intrusion attempts surging in direct correlation to geopolitical crises – the April Pahalgam massacre and May’s Operation Sindoor. State-linked actors from Pakistan and China orchestrated sophisticated attacks on government, defence, and critical infrastructure, exposing vulnerabilities and underscoring the urgent need for robust digital defences.

India faced millions of hostile cyber intrusion attempts in 2025, with documented spikes tightly tracking geopolitical flashpoints such as the 22 April 2025 Pahalgam massacre (26 civilians killed near Baisaran Valley in Jammu and Kashmir) and India’s subsequent Operation Sindoor precision strikes launched on the night of 6–7 May 2025. Maharashtra Cyber and MH‑CERT alone recorded over 1 million cyberattacks on Indian systems in the immediate aftermath of Pahalgam, while separate reporting places the total number of intrusion attempts in the days that followed at well above 10 million. These attacks combined DDoS floods, website defacements, malware campaigns, and phishing waves against government portals, defence and critical infrastructure, with only a small fraction successfully breaching targets. Government networks, banks, power systems, telecom, railways and key ministries all saw sustained probing and disruption attempts as hostile operators tried to exploit the chaos.

After Operation Sindoor, attempted cyber hits on Indian government networks surged nearly sevenfold, according to National Informatics Centre Services Incorporated (NICSI) managing director Alok Tiwari. He warned that these intensified assaults exposed fresh vulnerabilities across ministries, data centres and citizen‑service platforms, underscoring the need for hardened defences against ransomware, phishing and supply‑chain compromises. The most serious risk does not come from noisy defacements or DDoS campaigns but from quiet Advanced Persistent Threats (APTs) that sit inside networks for months to siphon data, map systems and prepare for leverage or disruption.

Pakistan‑linked groups remain among the most aggressive attackers of Indian government and defence‑adjacent targets. APT36 (Transparent Tribe / Earth Karkaddan), active for over a decade, systematically weaponises spear‑phishing that mimics official Indian communication (fake ministry advisories, promotion lists, hardship allowances or urgent circulars branded around events like the Pahalgam massacre and Operation Sindoor) to deliver remote‑access malware such as Crimson RAT and related families for credential theft and long‑term espionage. SideCopy, a closely linked Pakistan‑aligned cluster active since around 2019, mirrors and reuses techniques from other campaigns while deploying tools such as AllaKore RAT and custom loaders against Indian ministries, defence, logistics, railways, telecom, and oil and gas infrastructure. Multiple analyses of the weeks after Pahalgam and during Operation Sindoor attribute roughly 1.5 million intrusion attempts to a bloc of APTs and hacktivist crews centred on Pakistan and allied ecosystems, including APT36 and SideCopy, with these groups heavily abusing spoofed gov.in/nic.in‑style infrastructure and Pahalgam‑themed lures.

Chinese state‑linked operators focus less on noisy disruption and more on long‑term strategic penetration of networks that shape India’s power, economy and military options. Mustang Panda (Earth Preta), active since at least 2012, has repeatedly targeted governments across Asia with spear‑phishing that drops advanced PlugX/Korplug variants such as DOPLUGS, and Indian government and diplomatic interests sit squarely within that regional focus. APT41 (also tracked as Brass Typhoon and by other names) blends state espionage with profit, using supply‑chain compromises and zero‑day exploits against telecom, aerospace, software and other strategic industries in Asia, including sectors critical to India’s national security calculus. Additional China‑aligned clusters exposed in contractor leaks and technical reporting have been documented hitting telecommunications carriers, aviation infrastructure and government‑related environments across the region, seeking policy, infrastructure and R&D intelligence that directly feeds state decision‑making.

The bulk of high‑end hostile activity against Indian civilian and government networks in 2025 traces back to ecosystems in Pakistan and China, with significant supporting noise and infrastructure from operators in Bangladesh, Indonesia, parts of the Middle East and North Africa. Pakistan‑aligned groups in particular routinely route traffic and host infrastructure through third countries to obscure origin while keeping Indian ministries, defence, and critical services as primary targets. By contrast, there is little open‑source evidence in 2025 of sustained, state‑run APT campaigns from Bangladesh, Nepal, Sri Lanka, Maldives or Myanmar that focus specifically on Indian civilian ministries; activity from these countries appears primarily as hacktivism, criminal operations, or infrastructure used by others rather than declared cyber‑policy tools.

Most serious compromises still begin with human error, not exotic zero‑days. Major campaigns almost always start with messages posing as coming from ministry headquarters, a superior, or official portals such as NIC or e‑Office. Any unexpected or high‑pressure email, SMS, or message, especially one pushing document downloads, urgent acknowledgements, financial updates or “security” instructions, must be verified by phone or through an official channel, not by replying or clicking. URLs should be scrutinised carefully (for example, fake domains that look like mod[.]gov[.]in but are subtly altered), and suspicious attachments, especially disguised executables and macros, should be treated as hostile by default and escalated to cyber cells.
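The URL check described above can be partly automated. The following is an added example, not code from the article or from any agency named in it: it flags hostnames that imitate an official Indian government domain through a buried trusted name (mod.gov.in.secure-login.xyz), a digit-for-letter swap (m0d.gov.in), a dropped dot (modgov.in), a homoglyph pair (rnod.gov.in) or an IDN/punycode label. The trusted list and the sample URLs are constructed for illustration, and a one-edit threshold is an assumption to be tuned against the real allow-list.

```python
# Added example (not from the article): a small look-alike domain check for
# URLs that claim to be official Indian government hosts.  The trusted list
# and the sample URLs are constructed for illustration only.
import unicodedata
from urllib.parse import urlparse

# Assumed allow-list; a real deployment takes it from policy, not this file.
TRUSTED_DOMAINS = ("mod.gov.in", "nic.in", "eoffice.gov.in", "meity.gov.in")

# Character swaps that look alike in a typical mail-client font.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold_homoglyphs(s: str) -> str:
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; cheap enough for hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(url: str) -> tuple:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted name or host)."""
    host = (urlparse(url if "://" in url else "//" + url).hostname or "").rstrip(".")
    host = unicodedata.normalize("NFKC", host).lower()  # folds full-width letters etc.
    if host in TRUSTED_DOMAINS or any(host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return ("trusted", host)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("lookalike", host)  # IDN label dressed up as an ASCII-looking name
    norm = fold_homoglyphs(host)
    for t in TRUSTED_DOMAINS:
        # Official name buried inside a hostile one: mod.gov.in.secure-login.xyz
        if t in norm and not norm.endswith(t):
            return ("lookalike", t)
        # At most one edit away on the same number of labels: m0d.gov.in, modgov.in
        suffix = ".".join(norm.split(".")[-len(t.split(".")):])
        if levenshtein(suffix, t) <= 1:
            return ("lookalike", t)
    return ("unknown", host)


if __name__ == "__main__":
    for u in ("https://mod.gov.in/circular.pdf", "http://m0d.gov.in/", "https://example.org/"):
        print(u, "->", lookalike_verdict(u))
```

A "lookalike" verdict is a reason to verify through an official channel, not proof of hostility; an "unknown" verdict only means the host resembles nothing on the allow-list.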

Strong authentication is non‑negotiable. Every official account should use a strong, unique password of at least 12 characters and must never be reused on personal services such as Gmail, social media or shopping sites. Multi‑factor authentication should be enabled everywhere possible, with hardware tokens or authenticator apps preferred over SMS where available. Devices used for government work should be isolated from personal use: no plugging unknown USB drives into official systems, no mixing of personal laptops or phones with sensitive networks, and strict adherence to patching cycles so that operating systems, browsers and applications are updated promptly. Only approved endpoint protection, as mandated by NIC/MeitY policies, should be installed on official machines, with regular scans and monitoring.

Social media and casual sharing are rich intelligence sources for hostile operators. Adversaries mine public and semi‑public profiles for ministry names, designations, postings, family details and travel patterns, then weaponise those details in ultra‑targeted phishing or impersonation campaigns. Officials and contractors should treat everything posted online as public, tighten privacy settings, avoid posting location details or work‑related gossip, and never discuss official matters—even unclassified—on personal WhatsApp or Telegram. Public Wi‑Fi must be avoided for official tasks; sensitive files transferred outside must be encrypted; and unsolicited job offers, “free” government apps or benefit‑linked surveys should be treated as likely lures until proven otherwise.

India is not defenceless in this domain. Agencies such as CERT‑In, the Indian Cyber Crime Coordination Centre (I4C) under the MHA, the National Critical Information Infrastructure Protection Centre (NCIIPC), NIC and NICSI regularly issue advisories, conduct drills and run awareness programmes for ministries and critical sectors. MeitY and other authorities have pushed cyber‑hygiene guidelines for all employees, including contractual staff, while key ministries are appointing CISOs and building dedicated incident‑response capabilities. Events like the Pahalgam massacre and Operation Sindoor in 2025 have forced India to confront that cross‑border terrorism now arrives with coordinated cyber barrages; every official who handles a file or opens an email is part of the national defensive perimeter.

Cyber defence is now inseparable from public duty. When individuals across the system (section officers handling files, IT staff running servers, senior bureaucrats operating from phones and laptops) treat basic cyber discipline as seriously as physical security, the attack surface shrinks dramatically and adversaries are forced to expend far more effort or shift targets. Eternal vigilance for India’s public servants and citizens now extends to the digital realm, where every careless click can be exploited by hostile states and their proxies.

Parth Sane is a software engineer with a penchant for Cyber and EW technology that maximises the opportunity to take advantage of new emerging technologies and effectively manage threats emanating from the adversaries. He is also interested in developing new algorithms and techniques for National Defence for an atmanirbhar Bharat.