
At the beginning of May 2025, India launched Operation Sindoor, a precision-guided missile strike on so-called terrorist training camps within Pakistan-administered Kashmir. As news of the strikes emerged on May 7, a counter-wave hit India’s cyber networks. Within hours, dozens of hacktivist and state-backed attackers – not just from Pakistan but also from allied parties in Turkey, Bangladesh, Malaysia, Indonesia and beyond – began probing and targeting Indian critical infrastructure. This cyber blitzkrieg involved website defacements, distributed denial-of-service (DDoS) attacks, phishing campaigns and malware intrusions, aimed at defense, energy, finance, telecommunication and transportation systems within the country.
Timeline of the Cyber Campaign
The cyberattacks unfolded in step with the India-Pakistan crisis. Key events include:
Late April 2025 – Background to conflict: Two days after the April 22 Pahalgam terrorist attack, a Pakistan-associated hacker group (APT36, otherwise known as Transparent Tribe) initiated a spear-phishing campaign. Using fake “Pahalgam Terror Attack” documents as lures, it delivered a backdoor (the Crimson RAT malware) to Indian government and defense officials. Indian officials simultaneously reported minor DDoS probes against infrastructure sites – “some attacks…contained” – placing agencies on high alert.
Late April – Early May – Hacktivist probes and defacements: During April 23–26, low-level hacktivist cells (typically religiously motivated) coordinated a campaign of defacements against exposed Indian sites. Large-scale distributed denial-of-service attacks hit e-governance portals and other government services by late April (around April 27–May 2). Throughout this period several dozen domestic and foreign hacktivist groups reported minor outages (typically only a few minutes long) on government and education websites.
May 7, 2025 – Operation Sindoor: In the pre-dawn hours of May 7 India conducted its missile strikes. Pakistani media reported civilian casualties and downed Indian aircraft, and tensions escalated. Within hours, the cyber attacks gained momentum. Dozens of pro-Pakistan hacktivist groups announced coordinated operations (most under the banner “#OpIndia”), naming the Sindoor strikes directly in their defacements and DDoS claims. For example, the Cyble intelligence team reported that groups such as Keymous+, AnonSec and others referred directly to the airstrikes in their posts.
May 7–10 – Peak of the attack: Cybersecurity firm Radware reported a surge in attacks starting around 9:30pm IST on May 7, with up to seven reported DDoS attacks an hour. Most of the attacks (over 75%) targeted government agencies, with critical industries such as finance and telecom making up the rest. Radware also stated that hacktivists from several countries (Bangladesh, Malaysia and even the Iranian group Vulture) were “coordinating efforts, upping their attacks against mutual adversaries”.
Mid-May 2025 – Advanced threats: On May 13, a fifth phase involving more capable players was reported. Indian analysts said that state-supported cyber groups from China, Turkey, Iran and even North Korea were likely hunting for zero-day and supply-chain vulnerabilities in Indian systems. One article named North Korea’s Lazarus, Iran’s MuddyWater and Russia’s APT28 (Fancy Bear) as “key actors” looking to exploit deep vulnerabilities. (In fact, however, security experts say much of this was speculation, and Indian defences largely held up.)
Threat Actors and Their Tools
A wide mix of attackers claimed responsibility for the Sindoor cyber campaign. Security analysts distinguish between:
Pakistani APTs (state actors): Groups such as APT36/Transparent Tribe and SideCopy, both with a history of espionage against India. For example, throughout April APT36 exploited the Pahalgam attack as a lure, sending trojanized reports that delivered Crimson RAT. Analysts add that after May 7 the group shifted its emphasis to financial infrastructure (e.g. national payments systems), using next-generation remote-access trojans (e.g. Crimson RAT and Capra RAT). Interpol trainer P. Krishna Shastry noted that “state-sponsored actors…such as APT36” launched phishing, malware and DDoS campaigns in the aftermath of Sindoor.
Pakistani hacktivist collectives: Dozens of nationalist or Islamist-leaning hacker groups joined in. They include names such as Nation Of Saviors, AnonSec, Keymous+, Mr Hamza, Sylhet Gang, Bangladesh Civilian Force, Arabian Ghosts, Islamic Hacker Army, and many others. Many operate as loose coalitions or under social-media aliases (e.g. an amateur “Pakistan Cyber Force”) and specialise in defacements and DDoS. CloudSEK’s report, for instance, found that these groups’ propaganda channels claimed numerous website hacks, though in most instances with little to no actual effect.
Foreign allied hackers: Notably, security briefs found involvement from actors beyond Pakistan. Times of India reported “state-supported hackers and Pakistani, Turkish, Bangladesh, Malaysia, and Indonesia, with support from China”. Radware also indicated that an Iranian hacktivist collective (the Vulture group) – traditionally operating against Middle Eastern targets – was now supporting Pakistani hackers. This points to a new alliance: regional hacktivists with different causes teamed up for the anti-India cyber campaign as an expression of solidarity.
Indian domestic players (retaliation threat): Experts also warned that Indian hacktivist groups (such as “Indian Cyber Force” or Ghost Force) were preparing retaliatory counterattacks against Pakistan. This creates a tit-for-tat situation, where attacks by one side prompt retaliation by the other, potentially drawing civilian infrastructure into a larger conflict.
Attack Methods and Exploits
The campaign mixed low-tech and state-of-the-art methods. Among the most significant were:
DDoS (Distributed Denial-of-Service): Flooding servers with bogus traffic was the most common form of disruption. Hacktivists built botnets (generally from compromised private machines) to overwhelm government and business websites, briefly taking them down. Radware documented an increase in web-layer DDoS floods following Sindoor, some of which mimicked legitimate traffic patterns to evade defences. Such attacks lasted minutes on average, but in combination caused sporadic outages at, for example, state offices and school portals.
Website defacement: Attackers exploited vulnerable web servers or admin panels to overwrite webpages with propaganda images and slogans (Pakistani flags, religious slogans, anti-India banners). Cyber sleuths found dozens of defaced sites (schools, local government portals) shortly after May 7. Though flashy and humiliating, most defacements did not involve data exfiltration – they were meant to broadcast capability and instil fear.
Phishing and malware: Politically themed lures were widely used. In one well-documented example, APT36 used Microsoft Office files masquerading as authoritative reports on the Pahalgam attack; enabling the macros in such files dropped the Crimson RAT backdoor onto victims’ systems. Other lures (PDFs and spoofed login pages) were also used to trick officials into installing RATs or surrendering credentials. Once inside, the malware could exfiltrate data or enrol the host as a botnet node.
Exploiting known vulnerabilities: In a few high-profile cases, attackers exploited unpatched software weaknesses. For example, one attack on a vehicle-tracking website (trackmaster.in) used a publicly known web-application vulnerability to upload a malicious file. Another was a vulnerability in F5 BIG-IP load balancers, used against Bharti Airtel’s network for remote code execution. These cases show that even “big players” with security programmes in place had weaknesses that attackers exploited.
Ransomware and data-theft attempts: By early May, some skilled attackers reportedly attempted more damaging intrusions. Prior to Sindoor, attackers had struck manufacturing and energy firms with ransomware and data-theft tools. During the Sindoor window, experts warned that payment systems and banks were being probed for vulnerabilities. Indian authorities maintain, however, that none of these intrusions reached core systems or crippled them.
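The macro-enabled decoy documents described above leave a structural trace that mail gateways can check before any user is asked to "enable content": an OOXML container carrying a VBA project, often under an extension that should never hold macros. The following triage helper is an added example (not code from the page or from any vendor it cites); the lure keywords and sample attachments are constructed assumptions, and the sample contains no real malware, only the vbaProject.bin marker.

```python
import io
import re
import zipfile

# Assumed lure vocabulary, modelled on the "Pahalgam Terror Attack" decoys the page describes.
LURE_WORDS = re.compile(r"(pahalgam|sindoor|attack|report|advisory)", re.I)
# These OOXML extensions are macro-free by specification; VBA inside them is an anomaly.
MACRO_FREE_EXT = {"docx", "xlsx", "pptx"}

def build_sample(name, with_macro):
    """Construct a minimal OOXML-style zip; with_macro=True adds a VBA project stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-stub")
    return name, buf.getvalue()

def assess_attachment(name, data):
    """Return structural findings for one attachment without opening it in Office."""
    f = {"name": name, "ooxml": False, "has_vba": False,
         "extension_mismatch": False, "lure_name": bool(LURE_WORDS.search(name))}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return f  # not a zip container: binary .doc/.xls or something else entirely
    f["ooxml"] = True
    members = {m.lower() for m in z.namelist()}
    f["has_vba"] = any(m.endswith("vbaproject.bin") for m in members)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    f["extension_mismatch"] = f["has_vba"] and ext in MACRO_FREE_EXT
    return f

def risk_score(f):
    """Simple additive score: VBA present, VBA hidden under a macro-free extension, lure name."""
    score = 0
    if f["has_vba"]:
        score += 3
    if f["extension_mismatch"]:
        score += 3
    if f["lure_name"] and f["has_vba"]:
        score += 2
    return score

if __name__ == "__main__":
    name, data = build_sample("Pahalgam_Terror_Attack_Report.docx", with_macro=True)
    print(assess_attachment(name, data), risk_score(assess_attachment(name, data)))
```

A score of 8 on the constructed decoy versus 0 on a plain report gives a gateway a cheap quarantine signal that does not depend on malware signatures.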

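Because the web-layer floods above were short and partly mimicked legitimate traffic, a per-IP rate limit alone misses them; the useful signal is a one-minute request count against a single path that is far above baseline and spread across many source addresses. The detector below is an added example (not from the page or from Radware); the baseline, thresholds and the access-log lines are constructed assumptions in Common Log Format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, minute_bucket, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    minute = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%dT%H:%M")
    return ip, minute, path, int(status)

def find_floods(lines, baseline_rpm=20, min_sources=5, ratio=10):
    """Flag (minute, path) buckets with >= ratio * baseline requests from >= min_sources clients.
    The source-count condition separates a distributed flood from one noisy client."""
    counts, sources, errors = Counter(), defaultdict(set), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, minute, path, status = rec
        counts[(minute, path)] += 1
        sources[(minute, path)].add(ip)
        if status >= 500:
            errors[(minute, path)] += 1
    alerts = []
    for (minute, path), n in counts.items():
        if n >= ratio * baseline_rpm and len(sources[(minute, path)]) >= min_sources:
            alerts.append({"minute": minute, "path": path, "requests": n,
                           "sources": len(sources[(minute, path)]),
                           "errors_5xx": errors[(minute, path)]})
    return sorted(alerts, key=lambda a: a["minute"])

def constructed_log():
    """Constructed sample: 3 normal hits, then a one-minute burst of 200 requests
    from 40 addresses against one portal page, a quarter of them answered with 503."""
    lines = [f'192.0.2.{i} - - [07/May/2025:21:25:1{i} +0530] "GET /home HTTP/1.1" 200 512'
             for i in range(3)]
    for i in range(200):
        status = 503 if i % 4 == 0 else 200
        lines.append(f'203.0.113.{i % 40} - - [07/May/2025:21:30:{i % 60:02d} +0530] '
                     f'"GET /services/portal HTTP/1.1" {status} 512')
    return lines

if __name__ == "__main__":
    for alert in find_floods(constructed_log()):
        print(alert)
```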
Targets and Impact
The campaign hit several sectors of critical infrastructure:
Government and Defence: Central ministries (Defence, External Affairs, Home Affairs), national security think-tanks, and high-profile sites such as the Prime Minister’s Office and the Election Commission were repeatedly targeted. State and district government portals were hit by several DDoS floods, with hacktivists claiming to have defaced law enforcement and court websites.
Energy and Utilities: Power grids and energy companies were placed on high alert. Times of India specifically refers to the electricity industry as part of the “critical infrastructure” targeted. This led the government to heighten security on systems such as grid controls, fearing that interference or manipulation could have a cascading effect.
Transportation: Indian Railways and airlines were singled out as targets. In reality, cyber units observed only disruption of ancillary IT systems (e.g. websites), not of train control systems.
Finance and Payments: Banking, the stock market and fintech were high-priority targets. Indeed, India pre-emptively blocked foreign access to the National Stock Exchange and BSE portals on May 7 to reduce risk. Banks (e.g. Punjab National Bank, Indian Overseas Bank) and the payments infrastructure operator NPCI were also said to have been “hit” by hackers. As a precaution, regulators kept trading platforms on isolated lines. Apart from the temporary foreign blocks, live trading was not affected.
Telecommunications and Internet: Major telecommunication operators (especially BSNL and Airtel) saw probing attempts. In one case attackers used the BIG-IP bug to breach an ISP’s network. RailTel (the national railway broadband provider) and India Post networks were also mentioned as targets. Again, interruptions were brief; voice and data services were mostly normal.
Others (Public Services): Education websites, healthcare infrastructure and local government e-services were also attacked. For example, school and university sites were defaced, while multiple municipal sites suffered DDoS. The attacks were symbolic in nature, amounting to minutes of downtime, but they raised fears about the resilience of everyday services.
Overall, the attackers swept across critical industries on a broad scale, but security experts indicate that the actual damage was small. Most reported data compromises turned out to be re-posted old leaks or trivial files. Web disruptions were usually brief (“often lasting barely five minutes”, according to one report).
Importantly, Indian officials confirmed that no confidential defence or missile information was breached, and major systems were left undisturbed. That is, while the noise of the cyber attack was tremendous, its real-world impact appears to have been essentially psychological and disruptive, not destructive.
Geopolitical and Strategic Implications
Operation Sindoor’s cyber aftermath underscores how today’s conflicts are fought on two fronts. The kinetic strikes generated a hybrid-warfare response in cyberspace: every missile launched was followed by a wave of hacker intrusions. As Radware put it, “the cyber battlefield is now just as active” as the physical one. This episode illustrates that national security now extends into cyberspace – adversaries aim not merely to destroy targets, but to undermine public confidence and gather intelligence.
The campaign also revealed shifting allegiances among hacktivists. Groups with quite disparate missions (religious, nationalist, regional) found grounds to unite against India. Experts noted that Southeast Asian and Middle Eastern actors “coordinated efforts” after Sindoor. Iranian hackers (long focused on the Middle East) even collaborated with Pakistani groups, showing broader geopolitical alignments. Indian nationalist hackers meanwhile threatened retaliatory campaigns against Pakistan, hinting at a tit-for-tat cycle.
Cybersecurity professionals warn that this can become a dangerous cycle: as retaliation follows on both sides, critical infrastructure (power grids, hospitals, online services) on both sides may get caught in the crossfire. The Sindoor incident has raised doubts about India’s readiness for the cyber domain. Officials quickly bolstered defences – ranging from temporarily closing the stock markets to urging caution against fake news.
It also exposed weaknesses: attackers gained small footholds through old exploits, and many civilian devices (such as Android phones reached via untrustworthy WhatsApp links) remain at risk. Authorities indicated that the main lesson is that critical infrastructure must be hardened and monitored around the clock, as new wars sooner or later find their way onto virtual ground.
Operation Sindoor was a significant military effort, but it also touched off one of the biggest cyber conflicts India has been part of in recent history. While the overwhelming majority of the attacks were blocked in time, the incident demonstrated how quickly a regional conflict can ignite an international cyber battlefield – featuring state players, hacktivists and innocent bystanders. For India (and its rivals), the Sindoor campaign is a warning that coming battles will be fought not merely on battlefields but in data centers and networks.