
A Hostile Grid and Undefended Borders: Impact of Pakistan's State-Sponsored Cyber Campaign on India's Sovereignty and its Implications on International Legal Frameworks

India is the most populous country in the world, the second-largest economy in Asia after China, and the nation that guided a spacecraft to the lunar South Pole on a budget smaller than a Hollywood blockbuster. It built a payment infrastructure so seamless that a fruit vendor in Varanasi and a startup founder in Bengaluru share the same digital wallet. It is, by almost every measure, a country that has learned to live at the speed of data.

Illustration by The Geostrata


And it is precisely that dependence on the grid, on the network and on the invisible architecture of connected systems that Pakistan-linked hackers have spent over a decade quietly turning into a vulnerability. In April 2025, that quiet campaign stopped being quiet.


Following the Pahalgam terror attack of April 22, 2025, and India’s military response through Operation Sindoor on May 7, the conflict spilled into cyberspace as well. What followed was not an improvised reaction. It was the activation of a pre-built network, one that had been under development for over a decade and whose primary engineer is a Pakistani Advanced Persistent Threat group known as APT36, also called Transparent Tribe.


Who is APT36? What does its decade-long campaign against India actually look like in operational terms? How does Pakistan’s cyber playbook compare to China’s documented electoral interference? And what can India learn from the countries that pushed back?


ORIGINS AND EVOLUTION OF APT36: FROM DEFACEMENT TO ESPIONAGE


Between 2010 and 2014, Pakistan-based hackers engaged in website defacement, online propaganda, and basic phishing, aimed mostly at embarrassing Indian institutions. The change came between 2015 and 2019, when groups like APT36 matured and moved towards credential theft, malware implants, and prolonged surveillance of India’s defence and diplomatic networks. By 2023, the campaign had entered a new phase entirely.


The group’s preferred weapon is the spear-phishing email, crafted to mimic the look of Indian government correspondence and referencing real events, projects and government portals so that the lure survives a casual glance.


In April 2025, Seqrite Labs identified phishing documents that used the Pahalgam terror attack itself as bait. They were served from fake domains impersonating Jammu & Kashmir Police and the Indian Air Force, registered within days of the attack, and they delivered a remote access trojan known as Crimson RAT. In July 2025, APT36 registered a domain impersonating DRDO’s official portal to deliver a fake DRDO/Ministry of Defence letter, harvesting login credentials from defence researchers who believed they were signing in to a legitimate government system.
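The lure infrastructure described above, freshly registered domains that borrow the name of a real portal and attach a current event to it, is something a defender can screen for mechanically, for instance by running a newly-registered-domain or certificate-transparency feed through a scoring pass. The script below is an added example written for this page, not code from Seqrite Labs, CYFIRMA or any source the article cites. It assumes that jkpolice.gov.in, indianairforce.nic.in and drdo.gov.in are the genuine portals; every lookalike hostname in it is constructed for illustration and is not a domain observed in the campaign.

```python
"""Flag hostnames that impersonate Indian government portals (constructed example)."""
import unicodedata

# Real portals assumed here; the brand labels are what a lookalike has to borrow.
PROTECTED = {
    "jkpolice.gov.in": ("jkpolice",),
    "indianairforce.nic.in": ("indianairforce", "iaf"),
    "drdo.gov.in": ("drdo",),
}
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")
# Words a topical lure leans on: the event in the news plus "official letter" dressing.
LURE_WORDS = ("pahalgam", "sindoor", "letter", "notice", "circular", "mod", "login", "portal")
# Digit-for-letter substitutions used to pad a protected name into a free domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def normalize(domain: str) -> str:
    """Lower-case, fold Unicode, decode punycode labels, undo digit substitutions."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    labels = []
    for label in d.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass                      # keep the raw label if it is malformed
        labels.append(label)
    return ".".join(labels).translate(HOMOGLYPHS)


def registrable(domain: str) -> str:
    """Best-effort registrable domain: three labels under gov.in / nic.in, else two."""
    labels = domain.split(".")
    n = 3 if domain.endswith(OFFICIAL_SUFFIXES) else 2
    return ".".join(labels[-n:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character variants of a brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_hit(labels):
    """First (brand, label) pair where a label equals, embeds or nearly spells a brand."""
    for brands in PROTECTED.values():
        for brand in brands:
            for lab in labels:
                if lab == brand or (len(brand) >= 6 and brand in lab) \
                        or (len(brand) >= 5 and levenshtein(lab, brand) <= 1):
                    return brand, lab
    return None


def assess(domain: str) -> dict:
    """Score one hostname; 60+ means it borrows a protected brand outside its real zone."""
    norm = normalize(domain)
    if registrable(norm) in PROTECTED:
        return {"domain": domain, "score": 0, "verdict": "clear",
                "reasons": ["protected domain or a subdomain of it"]}
    body = norm
    for suffix in OFFICIAL_SUFFIXES:        # a genuine suffix is not evidence
        if body.endswith(suffix):
            body = body[: -len(suffix)]
    labels = [lab for lab in body.replace("-", ".").split(".") if lab]
    score, reasons = 0, []
    hit = brand_hit(labels)
    if hit:
        score += 60
        reasons.append(f"label '{hit[1]}' imitates protected brand '{hit[0]}'")
    compact = body.replace(".", "").replace("-", "")
    if "govin" in compact or "nicin" in compact:
        score += 20
        reasons.append("gov.in / nic.in spelled into the body of a non-government domain")
    lures = [w for w in LURE_WORDS if w in labels]
    if lures:
        score += min(20, 10 * len(lures))
        reasons.append("lure keywords: " + ", ".join(lures))
    return {"domain": domain, "score": score,
            "verdict": "impersonation" if score >= 60 else "clear", "reasons": reasons}


def triage(feed):
    """Run a newly-registered-domain or CT-log feed through assess(), worst first."""
    return sorted((assess(d) for d in feed), key=lambda r: -r["score"])


if __name__ == "__main__":
    # Constructed feed: none of these lookalikes is a domain reported in the campaign.
    FEED = ["jkpolice.gov.in", "portal.drdo.gov.in", "example.org",
            "jkpolice-gov-in.com", "indianairforce-pahalgam.info",
            "drd0-mod-letter.net", "drdo.gov.in.secure-login.net"]
    for r in triage(FEED):
        print(f"{r['score']:3d} {r['verdict']:13s} {r['domain']:32s} {'; '.join(r['reasons'])}")
```

The early return on a protected registrable domain is deliberate: a hostname under the real gov.in zone is never scored, so the heuristics only fire on names that carry the brand somewhere they should not, which is exactly the shape of the lures described above. Thresholds and the keyword list are tuning knobs, not findings from the campaign.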


What sets APT36 apart is not only its technical ability but the patience with which it applies it. CYFIRMA’s research found that the group’s primary objective is not immediate disruption but long-term access to the core of India’s most sensitive infrastructure.


WHEN THE FLOODGATES OPENED: THE 2025 CAMPAIGN AND ITS ACTUAL SCALE


The Maharashtra Cyber report titled ‘Road of Sindoor’ is one of the most detailed official accounts of what happened in cyberspace after Operation Sindoor. The report identified seven groups: APT36 (Pakistan), Pakistan Cyber Force, Team Insane PK, Mysterious Bangladesh, Indo Hacks Sec, Cyber Group HOAX 1337, and National Cyber Crew. Together they launched approximately 1.5 million attempted attacks on Indian infrastructure, of which 150 succeeded in breaching a target.


The attacks began on April 17, 2025, which was five days before the Pahalgam attack, and peaked between May 7 and 10, coinciding precisely with the military operation.

The targets were not arbitrary. APT36 and the related SideCopy cluster specifically targeted India’s defence networks, government IT infrastructure, healthcare systems, telecommunications, and educational institutions.


APT36 also moved into territory it had not previously attempted: BOSS Linux, the Bharat Operating System Solutions platform developed by India as an indigenised, Windows-independent operating system for government and military use. The significance of the BOSS Linux attack is not only technical. It signals that APT36 is now actively working to compromise the very systems India built to escape foreign software dependencies, and it is a reminder that an indigenous operating system removes a vendor dependency, not the phishing vector: a payload built for Linux is delivered by the same lure email as one built for Windows.


Maharashtra Cyber also identified and removed over 5,000 instances of misinformation circulating on social media.

These were false narratives claiming attacks on India’s banking system, satellite jamming, and an assault on a BrahMos missile storage facility. None of them was true. All were designed to create a fog of war and to erode public confidence in India’s security apparatus at the moment it was most visible. This is the architecture of modern hybrid warfare: technical intrusion combined with narrative disruption, timed to geopolitical flashpoints, designed not merely to damage but to destabilise.


THE DRAGON’S PLAYBOOK: THE PARALLEL THAT INDIA CANNOT IGNORE


Pakistan’s cyber campaign against India’s infrastructure is immediate in its effects. China’s interference in the democratic processes of other nations is much slower and, in some respects, more dangerous, because its effects are harder to attribute and even harder to reverse.

In 2024, the UK government formally attributed the compromise of its Electoral Commission to a Chinese state-affiliated actor.

The intrusion exposed the electoral registers of approximately 40 million UK voters. In the same announcement, the UK’s National Cyber Security Centre assessed it “almost certain” that APT31, a Chinese state-affiliated group, had conducted reconnaissance activity against UK parliamentarians, specifically those who had publicly criticised China.


In the same year, China-linked actors targeted devices belonging to members of the Trump family and Biden administration aides, according to the US Intelligence Community. In Taiwan, a January 2025 report by the National Security Bureau counted over 2.16 million pieces of false or biased information disseminated by China during 2024, a 60% increase over the previous year.


The response from targeted democracies has been instructive.

The US deployed a whole-of-government counter-interference strategy before the 2024 elections, with joint FBI and CISA statements exposing Russian disinformation in near real time. Criminal indictments were filed against Iranian cyber operatives, and a reward programme was introduced for information leading to foreign interference actors. Sweden established the Psychological Defence Agency. France built Viginum. These are not reactive institutions. They are permanent counter-interference architectures.

What India can learn from the US, UK, Sweden, and France is not merely technical. It is institutional.


Counter-interference requires permanent architecture: dedicated electoral security units, public attribution mechanisms, treaty-level bilateral cyber agreements with allied democracies, and a legal framework that can prosecute foreign cyber actors in Indian courts under conditions of verified attribution. The UN Convention against Cybercrime, adopted by the General Assembly in December 2024, provides a treaty foundation for the cross-border evidence-sharing and enforcement this requires, though as a criminal-cooperation instrument it does not itself regulate state conduct. India has not yet ratified it.


INDIA’S RESPONSE AND THE ARCHITECTURE OF WHAT COMES NEXT


In 2025, CERT-In handled over 2.9 million cybersecurity incidents and issued approximately 1,530 alerts, 390 vulnerability notes, and 65 advisories. In July 2025, it released comprehensive cybersecurity audit guidelines mandating annual audits across all critical infrastructure sectors, supported by 231 empanelled audit organisations. The government also activated a Trusted Telecom Portal that bars telecom operators from sourcing equipment from sources not designated as trusted, a direct response to Chinese hardware supply chain risk.


But the India Cyber Threat Report 2025 by the Data Security Council of India places these measures in an uncomfortable context: over its reporting year the country recorded 369 million malware detections across 8.44 million endpoints, an average of 702 potential attacks per minute.


The Carnegie Endowment’s mapping of India’s cybersecurity administration identifies a persistent structural problem: cyber governance is fragmented across too many agencies, among them NCIIPC, NTRO, MeitY, MHA, MEA’s Cyber Diplomacy Division and DRDO, with coordination mechanisms that are improving but not yet equal to the speed and coordination of the adversaries they face.


The gap between India’s defensive posture and its capacity for public attribution is the most consequential vulnerability. Unlike the US, which publicly indicted Iranian cyber operatives and sanctioned Russian interference actors, India has not formally attributed a single cyberattack to APT36 in a legally actionable diplomatic forum. The UN GGE’s 2021 framework on responsible state behaviour in cyberspace, to which India was a party, includes a voluntary norm against attacks on critical infrastructure. Pakistan’s actions in April and May 2025 violated that norm with documented specificity.


The threat to the grid is not new. It has been there since 2010, learning the architecture of India’s most sensitive digital systems with patience that no single cyber incident report fully captures. What changed in 2025 is that it stopped being patient. State-sponsored cyber attacks on India are a testimony to the fact that cyber warfare is not only a security concern but also an increasingly prominent feature of geopolitics in the present day.


Pakistan's increasing reliance on proxy cyber forces, and its use of them against foreign governments, illustrates the difficult balance nations are beginning to face. The lesson for India is that cybersecurity can no longer be treated as a purely technical matter; it is a strategic necessity.


BY RAGHAV GUPTA

TEAM GEOSTRATA
