Most Claims About Pakistan's Cyber Attack on India Overstated

These findings highlight a pattern of hacktivist groups leveraging low-impact tools and tactics, such as brief outages and repackaged data, to amplify their visibility through alarming headlines


CloudSEK, a leading predictive cybersecurity firm, has released a hard-hitting report titled “Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge,” exposing the inflated narratives surrounding a recent wave of alleged cyberattacks on Indian digital infrastructure.

Drawing on in-depth threat intelligence and forensic analysis, the report dismantles overblown claims made by hacktivist groups, revealing that most so-called breaches had little to no real impact on India’s government, education, and critical infrastructure sectors.

Despite headlines touting large-scale disruption, CloudSEK’s findings point to a pattern of recycled data, brief website outages, and tactical theatrics designed to mislead and alarm.

Key Findings: Hacktivist Claims vs. Reality

The report details how groups such as Nation Of Saviors, KAL EGY 319, SYLHET GANG-SG, Lyc Lưng Đặc Biệt Quân Đội Điện Tứ, and Vulture have collectively claimed over 100 successful breaches in May 2025, targeting high-profile entities like the Prime Minister’s Office, the Election Commission of India, and the National Informatics Centre (NIC).

However, CloudSEK’s investigation exposes these claims as largely exaggerated:

  • NIC Breach Overblown: SYLHET GANG-SG and DieNet claimed to have exfiltrated 247 GB of sensitive NIC data, but analysis of a 1.5 GB sample showed only publicly available marketing materials, undermining the narrative of a critical breach.
  • Repackaged ECI Data: Team Azrael-Angel Of Death’s claim of leaking 1 million citizen records from the Election Commission was debunked as recycled data from a 2023 leak, not a fresh compromise.
  • Minimal DDoS Impact: Coordinated DDoS attacks on government websites, including the PMO and key ministries, caused negligible downtime—often less than five minutes—despite being touted as major disruptions.
  • KAL EGY 319’s Defacement Campaign: The group’s claim of defacing 40 educational and medical websites was found to have no lasting impact, with all targeted sites functioning normally.
  • Indian Army Data Leak Debunked: Claims of leaking sensitive Indian Army personnel data were invalidated because of internal inconsistencies in the dataset, which suggest fabrication rather than a genuine exfiltration.
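The checks behind the second and fifth findings above (recycled data versus a fresh compromise, and internal inconsistencies that point to fabrication) can be scripted. The following is an added illustration and not CloudSEK's tooling; the records, field names, analysis date and plausibility thresholds are constructed for the example:

```python
"""Triage of a claimed data leak: recycled, likely fabricated, or possibly new.

Added illustration, not CloudSEK's tooling. The records, field names,
analysis date and thresholds below are constructed for this example.
"""
import hashlib
from datetime import date

# Constructed stand-in for a dataset already circulating from a 2023 leak.
PRIOR_LEAK_2023 = [
    {"id": "V1001", "name": "Asha Rao", "dob": "1984-03-12", "enrolled": "2005-07-01"},
    {"id": "V1002", "name": "Rahul Mehta", "dob": "1979-11-30", "enrolled": "2001-01-15"},
    {"id": "V1003", "name": "Priya Nair", "dob": "1990-06-08", "enrolled": "2012-09-20"},
    {"id": "V1004", "name": "Vikram Singh", "dob": "1975-02-19", "enrolled": "1996-04-10"},
]

# Constructed "new leak": the same records with case, spacing and field order shuffled.
CLAIMED_RECYCLED = [
    {"name": " ASHA RAO ", "id": "v1001", "enrolled": "2005-07-01", "dob": "1984-03-12"},
    {"enrolled": "2001-01-15", "name": "Rahul  Mehta", "dob": "1979-11-30", "id": "V1002"},
    {"dob": "1990-06-08", "id": "V1003", "name": "priya nair", "enrolled": "2012-09-20"},
    {"id": "V1004", "enrolled": "1996-04-10", "name": "Vikram Singh", "dob": "1975-02-19"},
]

# Constructed dataset with the kind of internal contradictions that suggest fabrication.
CLAIMED_FABRICATED = [
    {"id": "A200", "name": "Record One", "dob": "1998-01-01", "enrolled": "1990-05-05"},   # enrolled before birth
    {"id": "A200", "name": "Record Two", "dob": "1980-01-01", "enrolled": "2000-01-01"},   # duplicate id
    {"id": "A201", "name": "Record Three", "dob": "1985-01-01", "enrolled": "2030-01-01"}, # future date
    {"id": "A202", "name": "Record Four", "dob": "1988-04-04", "enrolled": "2010-04-04"},
]

# Constructed records that are neither known nor contradictory: still unverified.
CLAIMED_NEW = [
    {"id": "N900", "name": "Meera Iyer", "dob": "1992-08-21", "enrolled": "2014-03-02"},
    {"id": "N901", "name": "Arjun Das", "dob": "1987-12-05", "enrolled": "2009-11-11"},
]

AS_OF = date(2025, 5, 31)  # assumed analysis date


def normalize(record):
    """Canonical form so case, whitespace and field order cannot hide reuse."""
    parts = []
    for key in sorted(record):
        value = " ".join(str(record[key]).split()).lower()
        parts.append(f"{key}={value}")
    return "|".join(parts)


def fingerprint(record):
    # Hashing lets the prior leak be kept as fingerprints instead of plaintext.
    return hashlib.sha256(normalize(record).encode("utf-8")).hexdigest()


def overlap_with_prior(claimed, prior):
    """Fraction of claimed records that already appear in the prior leak."""
    known = {fingerprint(r) for r in prior}
    if not claimed:
        return 0.0
    return sum(fingerprint(r) in known for r in claimed) / len(claimed)


def consistency_issues(records, as_of):
    """Cheap plausibility checks; each hit is (record index, reason)."""
    issues = []
    seen = set()
    for i, r in enumerate(records):
        if r["id"] in seen:
            issues.append((i, "duplicate id"))
        seen.add(r["id"])
        dob = date.fromisoformat(r["dob"])
        enrolled = date.fromisoformat(r["enrolled"])
        if enrolled > as_of:
            issues.append((i, "enrolment date in the future"))
        years = (enrolled - dob).days / 365.25
        if not 16 <= years <= 70:
            issues.append((i, "implausible age at enrolment"))
    return issues


def classify(claimed, prior, as_of):
    reuse = overlap_with_prior(claimed, prior)
    flagged = {i for i, _ in consistency_issues(claimed, as_of)}
    if reuse >= 0.8:                      # assumed threshold
        return "recycled"
    if claimed and len(flagged) / len(claimed) >= 0.25:  # assumed threshold
        return "likely fabricated"
    return "unverified, possibly new"


if __name__ == "__main__":
    for label, sample in [("ECI-style claim", CLAIMED_RECYCLED),
                          ("Army-style claim", CLAIMED_FABRICATED),
                          ("unknown sample", CLAIMED_NEW)]:
        print(label, "->", classify(sample, PRIOR_LEAK_2023, AS_OF))
```

The thresholds are deliberately simple; in practice the "possibly new" verdict only means the sample has not been ruled out, and confirming a real breach still requires checking the records against the alleged victim's own data.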

Taken together, these cases show hacktivist groups relying on low-impact tools and tactics, brief outages and repackaged data among them, and gaining visibility through alarming headlines rather than through real intrusions.

CloudSEK advises organisations to maintain basic DDoS hygiene, which it considers sufficient to mitigate these low-level threats.

The Real Threat: APT36’s Crimson RAT Campaign

While hacktivist disruptions remain superficial, CloudSEK’s report underscores a more sophisticated threat from APT36, a Pakistan-linked espionage group also known as Transparent Tribe.

APT36 has exploited the emotional aftermath of the April 2025 Pahalgam terror attack to deploy Crimson RAT, a .NET-based Remote Access Trojan, targeting Indian government and defense networks.

The campaign uses phishing emails with malicious PowerPoint and PDF attachments, disguised as official reports, to deliver the malware. These attacks leverage spoofed domains and emotionally charged lures to steal credentials and exfiltrate sensitive data.
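One screening step for the lure described above is to check whether the sender's domain imitates a domain the organisation protects, and to weight that finding by the attachment type. The following is an added illustration, not APT36 tooling and not CloudSEK's detection logic; the protected domain list, the homoglyph table, the distance threshold and the sample messages are all assumptions:

```python
"""Screen sender domains and attachments for the lure pattern described above.

Added illustration, not APT36 tooling and not CloudSEK's detection logic.
PROTECTED, the thresholds and the sample messages are assumptions.
"""

# Assumed: domains the organisation wants to defend against impersonation.
PROTECTED = ["mod.gov.in", "nic.in"]
# Attachment types the report names as lure carriers (PowerPoint and PDF).
LURE_EXTENSIONS = {"ppt", "pptx", "pptm", "ppsm", "ppam", "pdf"}

# Characters attackers swap in because they look alike in most fonts (assumed table).
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def skeleton(domain):
    """Collapse a domain to what a reader perceives, not what DNS resolves."""
    d = domain.lower().strip(".")
    for src, dst in _HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d.replace("-", "")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return (kind, detail); kind is legitimate, lookalike or unrelated."""
    d = domain.lower().strip(".")
    for p in PROTECTED:
        if d == p or d.endswith("." + p):
            return ("legitimate", p)
    for p in PROTECTED:
        if skeleton(d) == skeleton(p):
            return ("lookalike", f"homoglyph of {p}")
        if levenshtein(d, p) <= 1:                    # assumed threshold
            return ("lookalike", f"typo of {p}")
        if skeleton(d).startswith(skeleton(p)):       # e.g. nic.in.<attacker-domain>
            return ("lookalike", f"{p} used as a leading label of {d}")
    return ("unrelated", "")


def triage(sender, attachments):
    """Return (action, reason) for one message; action is block, review or allow."""
    domain = sender.rsplit("@", 1)[-1]
    kind, detail = classify_domain(domain)
    lure = [a for a in attachments if a.lower().rsplit(".", 1)[-1] in LURE_EXTENSIONS]
    if kind == "lookalike" and lure:
        return ("block", f"{detail}; lure attachment(s): {', '.join(lure)}")
    if kind == "lookalike":
        return ("review", detail)
    # Unrelated senders with report-style attachments are left to content
    # inspection; a domain check alone cannot condemn every PDF from outside.
    return ("allow", detail)


# Constructed sample messages: (sender, attachment names).
SAMPLE_MESSAGES = [
    ("press-office@mod.gov.in", ["Situation_Report.pdf"]),
    ("alerts@m0d.gov.in", ["Pahalgam_Report.pptx"]),
    ("info@nic.in.secure-docs.com", ["Advisory.pdf"]),
    ("noreply@mod-gov.in", []),
    ("sales@vendor.example", ["Quote.pdf"]),
]

if __name__ == "__main__":
    for sender, files in SAMPLE_MESSAGES:
        action, why = triage(sender, files)
        print(f"{action:6} {sender:32} {why}")
```

The skeleton comparison catches digit-for-letter swaps and the prefix check catches a protected name planted as a leading label of an attacker-controlled domain; neither replaces checking SPF, DKIM and DMARC results on the message itself, which this example does not attempt.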

Crimson RAT’s capabilities include screenshot capture, file access, remote command execution, and persistent system access, making it a potent tool for espionage. Despite its sophistication, CloudSEK notes that APT36’s tactics have remained largely unchanged for six years, posing a limited threat to organizations with robust security measures.

Social Media Amplification of Unverified Claims

The report also highlights the role of Pakistan-linked social media accounts, such as P@kistanCyberForce and CyberLegendX (@cyber4982), in amplifying unverified cyberattack claims.

These accounts have targeted entities like Bharti Airtel and the Manohar Parrikar Institute for Defence Studies, often framing their actions as retaliation for geopolitical events like Operation Sindoor.

CloudSEK’s analysis suggests these claims are part of a broader narrative to project cyber prowess, despite lacking evidence of significant impact.

“As hacktivist campaigns continue to generate noise, our report separates fact from fiction, empowering organisations to focus on genuine threats like APT36’s targeted espionage. By understanding the tactics behind these disruptions, businesses and government entities can prioritise proactive defenses and maintain operational continuity,” Pagilla Manohar Reddy, CloudSEK researcher, said.