

Prayukth KV
6 May 2025
Exchange of gunfire across LoC mirrors inbound cyberattack volume in India; all signs point to state-backed hybrid warfare
Two weeks after the Pahalgam attack heightened tensions between India and Pakistan, India's cyberspace and critical infrastructure are facing increased targeting from cyber proxies operating via Pakistani IPs. With a growing number of proxy and state-affiliated APT actors entering the arena, these attacks are expected to escalate in both scale and the range of targeted entities.
Types of attacks
Attacks on Indian digital assets from across the border can be classified into three categories: reconnaissance attacks, attacks on websites, and attacks on defense and critical information infrastructure. Security telemetry data gathered from the networks connected to our honeypot infrastructure in India reveals a 750 percent rise in inbound attacks from Pakistani cyber proxies. While most of these attacks can be credibly linked to such proxies, we have also observed a rise in attacks emerging from IPs linked to unsecured digital infrastructure in other countries.
Cyberattacks directly linked to cross-LoC skirmishes
On analyzing the cyberattack load on Indian cyberspace, our researchers observed an interesting data point and correlation. In all, across the two weeks since the attack, there have been 11 days of escalation in the exchange of fire across the Line of Control, covering multiple ceasefire violations. Pakistan intensified heavy artillery fire on April 27, a date that also holds significance in terms of the observed number of cyber incursion attempts logged on our honeypots.
To cut a long story short, we can speculate with a high degree of confidence that the leadership behind the increasing number of ceasefire violations in Pakistan is the same one that is guiding, or rather directing, the Pakistani proxies targeting Indian infrastructure in cyberspace.


Initial Spike (24–29 April 2025):
Firing incidents rose from 3 to 13 between April 24 and April 29.
Corresponding cyber intrusion attempts increased dramatically from 988 to 26,001.
This indicates a parallel escalation in both physical and cyber aggression.
Peak on 29 April 2025:
Highest number of firing incidents (13).
Cyber intrusions also peaked at 26,001, suggesting a coordinated effort.
Drop on 1 May 2025:
Firing incidents dropped to 6, and cyber intrusions dropped significantly to 4,382.
Indicates a momentary de-escalation or tactical pause.
Renewed Activity (2–4 May 2025):
Firing rose again to 11 on May 3.
Cyber intrusion attempts increased steadily from 11,519 to 17,103 on May 3, with a slight dip to 16,662 on May 4.

The red line shows firing incidents, while the blue line shows cyber intrusion attempts.
Notice how the spikes and dips in both metrics align closely—especially around April 29, when both metrics peak.
This further reinforces the strong positive correlation (≈ 0.94) observed in the data.
Higher frequency of cross-border firings coincides with larger waves of cyber attacks.
This pattern suggests coordinated hybrid warfare tactics, likely involving both kinetic and cyber operations aimed at overwhelming Indian defense and intelligence systems.
The Pearson correlation coefficient between firing incidents and cyber intrusion attempts is approximately 0.94.
A correlation coefficient of 0.94 indicates a very strong positive linear relationship between two variables. This means that as one variable increases, the other tends to increase as well, and the relationship is strong, suggesting a high degree of association.
Let’s look at this in a bit more detail:
Magnitude:
The absolute value of the correlation coefficient (0.9 in this case) indicates the strength of the relationship. A value closer to 1 (either positive or negative) signifies a stronger relationship.
Direction (Positive or Negative):
The sign of the correlation coefficient (positive in this case) indicates the direction of the relationship. A positive correlation means that as one variable increases, the other tends to increase, while a negative correlation means that as one variable increases, the other tends to decrease.
Linearity:
Correlation coefficients specifically measure linear relationships. A correlation coefficient of 0.9 suggests a strong linear relationship, meaning that the variables tend to move together in a straight line.
Interpretation:
This indicates a very strong positive correlation, meaning that as cross-border firing incidents increase, cyber intrusion attempts also tend to rise significantly. This is a clear sign of hybrid warfare in progress.
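The correlation discussed above can be recomputed from the figures printed in this article. The following is an added example, not the authors' code or dataset: it uses only the four dates for which the article reports both a firing count and an intrusion count, so its result differs from the 0.94 obtained over the full series, and it adds an exact permutation test to show how much four points can support.

```python
from itertools import permutations
from math import sqrt

# The four dates for which the article reports both figures:
# (firing incidents, cyber intrusion attempts). Other days are not given.
REPORTED = {
    "2025-04-24": (3, 988),
    "2025-04-29": (13, 26001),
    "2025-05-01": (6, 4382),
    "2025-05-03": (11, 17103),
}

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equal-length series with at least 2 points")
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        raise ValueError("a constant series has no defined correlation")
    return cov / (sx * sy)

def exact_permutation_p(xs, ys):
    """One-sided exact p-value: the share of all re-pairings of ys against xs
    whose correlation is at least as high as the observed one."""
    observed = pearson(xs, ys)
    results = [pearson(xs, list(p)) for p in permutations(ys)]
    hits = sum(1 for r in results if r >= observed - 1e-12)
    return hits / len(results)

def analyse(data=REPORTED):
    """Return (r, p) for the firing and intrusion series in `data`."""
    firing = [f for f, _ in data.values()]
    intrusions = [c for _, c in data.values()]
    return pearson(firing, intrusions), exact_permutation_p(firing, intrusions)

if __name__ == "__main__":
    r, p = analyse()
    print(f"r = {r:.3f} over {len(REPORTED)} dates, exact permutation p = {p:.4f}")
```

With four points the smallest one-sided p-value the test can return is 1/24, so anyone reproducing this on their own honeypot telemetry should feed in the complete daily series rather than a handful of peak days.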
Background on Pakistani proxies
As per our research, Pakistani proxies are arranged in three rings.
The outermost ring consists of groups like Insane PK, ArchNMe, and a few obscure groups that are behind most of the website defacement attacks, which are mostly of nuisance value. These groups are tasked with creating a smoke screen to divert attention away from actual targets.
The middle ring consists of groups such as Pakdefn, Xploiter and others who target critical infrastructure excluding those connected to defense and aerospace sectors.
The inner ring consists of groups such as Transparent Tribe and its affiliates. This group reports to a wing of the Pakistani armed forces that is based in Karachi. Transparent Tribe is known to use Golang-based tools to develop a multi-infection kit to exfiltrate data. These kits are deployed via chat platforms, phishing campaigns and spurious websites. Surprisingly, this group has been tracked easily across at least 17 instances by our researchers in 2024. The IP addresses in multiple attacks were traced back to Karachi, and at least 7 kits isolated by our researchers pointed to not just a regional time zone but also the imprint of this threat actor. Further, this group has also been relying on poisoning common file formats to deliver its execution kits to the victim.