Hacktivist groups began cyberattacks on India and Pakistan even before Operation Sindoor got under way on May 7, including Distributed Denial of Service (DDoS) attacks, according to a report purportedly from Mandiant, a cybersecurity firm in the Google Cloud division.
DDoS attacks are those in which a service, like the ability to visit a website or use a network, is denied through deliberate congestion or by exhausting an application’s resources.
The report, “India-Pakistan hacktivist insights”, updated till May 9, says 54 groups have been “observed making a declaration of attacks on either India or Pakistan”. Of them, 12 were pro-India and the rest, pro-Pakistan, it adds.
On April 25, “pro-Palestine hacktivist group, Ghosts of Gaza posted ‘target India loading’ in one (sic) the first declarations of attacks on India since April 22” (the day of the Pahalgam massacre).
On the same day, Dex404, a “pro-Indian hacktivist group”, claimed it was “commencing ‘operations payback’ in one of the first declared pro-Indian hacktivist activities”.
On April 27, Anonpioneers “targeted the website of Bharat electronics with DDoS attacks”.
Hacktivism is a way of being heard by millions, and the tactic is not restricted to any one end of the political spectrum.
But before we proceed with the story, a few essential flags:
- The Telegraph tried to download a copy of the report from Mandiant’s website (mandiant.com) but was unable to find it.
- There is a mention of the hacktivist group Anonpioneers in the report but it is missing from the list of 42 “pro-Pakistan” hacktivist groups in a table included at the end of the report.
- Unlike most intelligence reports, this one contains a few grammatical errors, too.
- The report says that on April 27, Akatsuki Cyber Team, a “pro-Palestine hacktivist group”, declared it would start an “OpIndia” while claiming “the United States is responsible for any tensions between India and Pakistan”.
Hacktivists often make claims and use social media platforms to share the status of their attacks. On April 28, IndoHaxSec said it would support pro-Pakistan hacktivists while threatening India with large-scale cyber attacks.
By the time Mandiant put together its report, the group had not posted. On May 7, Indian hacktivists “continued to target Pakistan and share their attack on both Telegram and X”.
From May 6 to 8, government and public websites in India were targeted the most (28.4 per cent). Other target websites and networks included defence and security, commercial, healthcare and medical, educational, finance and banking, legal and judiciary, transport and logistics. The focus was on all aspects of “each country”.
There has also been a “greater focus” on “defacement attacks” compared with other “regional hacktivist events”, such as those related to the Russia-Ukraine conflict.
When it comes to DDoS attacks, the MHDDoS attack tool, available (till the time this report was published) on GitHub, was “possibly” used by Team Insane PK.
Sylhet Gang-SG possibly used the Cypher or Elite botnet. A botnet is a network of computers infected with malware and controlled by a bot herder (the person who operates the botnet infrastructure).
Website defacement was conducted, too, before Operation Sindoor began. The technique involves malicious parties penetrating a website and replacing content with their own messages. Team Insane PK did this on the website of India’s Army College of Nursing.
Team Azrael, which had been inactive since December 2024, returned to activity on its Telegram page on April 27 and claimed data breaches against Indian networks.
The PDF documents of the alleged data breaches that the hacktivist group shared were, in fact, openly available on the ministry of external affairs website. It is a playbook tactic applied by hacktivist groups that often lack the capability to actually conduct a hack-and-leak operation.
The wave of claimed cyberattacks on India has also been addressed in a recent report by the security firm CloudSEK, which said “most of these breaches were exaggerated or fake — ranging from recycled data leaks to defacements that left no real impact”.
The DDoS attacks caused “negligible” disruption, “potentially lasting less than five minutes, suggesting the attacks had no significant or sustained impact on the availability of these critical government services”, the CloudSEK report said.
The Kosovo conflict of 1998-99 was among the first to turn cyberspace into a war zone with the use of online discussion groups and hacking attacks.
In June 1998, a hacktivist group placed an image of a mushroom cloud on the website of the Bhabha Atomic Research Centre, weeks after India had conducted a series of nuclear tests in Pokhran.
Imagery demand
US space tech company Maxar Technologies saw a spike in orders for high-resolution satellite imagery of Pahalgam and its surrounding areas between February 2 and 22, receiving at least 12 requests, according to ThePrint on May 9. Maxar, on its website, claims to be “a partner to innovative businesses and 50 governments”.
The report said the requests for such images started appearing while Maxar had a Pakistan-linked firm, Business Systems International (BSI), as a client. But there is no evidence directly linking BSI to the Pahalgam image orders.
Maxar has denied the report. It told India Today TV: “Our records indicate that BSI has neither placed any tasking orders of Pahalgam or the surrounding areas this year, nor have they ordered any of the imagery of those areas through our archive.”
Soon after the report, BSI was no longer listed as a partner on the website.