
Shadow warfare threatens India's energy sovereignty


Prayukth K V


How state-backed hackers are turning the power grid into a new battlefront in geopolitical conflict, and why the war never ends when the firing stops

On the morning of May 8th, 2025, as India's armed forces were executing Operation Sindoor deep inside Pakistani territory, a parallel offensive was already underway from the other side. This one was fought not with missiles, but through cyber intrusion.

Within hours of cross-border hostilities escalating, reconnaissance probes against India's power infrastructure surged from approximately 2,000 a day to over 45,000. The spike was not random noise or background chatter. It was intent-rich, orchestrated and targeted. Its targets were not distribution utilities. The attackers had their sights on something more consequential: the grid itself. They wanted to severely disrupt India's transmission backbone and the Regional Load Dispatch Centres (RLDCs) that govern the real-time balancing of electricity flow across Delhi, Maharashtra, Odisha and Telangana.
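A surge like the one described above is only visible if a defender keeps a per-target baseline of daily probe volume and alerts when a day departs from it by a wide margin. The following is an added illustration of that check, not code from the article or from Shieldworkz: the target names, dates and daily counts are constructed to mirror the roughly 2,000-to-45,000 jump the text describes, and the rolling median with a ratio threshold is one common baseline method, not a claim about how Indian operators actually detected the event.

```python
"""Flag abnormal surges in daily reconnaissance probe volume against a
rolling per-target baseline.  Added illustration; all data is constructed."""
from collections import defaultdict
from statistics import median

# Constructed sample: (date, target, probes_seen_that_day).  The RLDC names are
# placeholders, and the values are made up to resemble a ~2,000/day baseline
# followed by a one-day jump to 45,000.
SAMPLE_COUNTS = [
    ("2025-05-01", "RLDC-North", 1900), ("2025-05-01", "RLDC-West", 1500),
    ("2025-05-02", "RLDC-North", 2100), ("2025-05-02", "RLDC-West", 1600),
    ("2025-05-03", "RLDC-North", 2000), ("2025-05-03", "RLDC-West", 1550),
    ("2025-05-04", "RLDC-North", 1950), ("2025-05-04", "RLDC-West", 4000),
    ("2025-05-05", "RLDC-North", 2050), ("2025-05-05", "RLDC-West", 1500),
    ("2025-05-06", "RLDC-North", 2000), ("2025-05-06", "RLDC-West", 1550),
    ("2025-05-07", "RLDC-North", 2100), ("2025-05-07", "RLDC-West", 1600),
    ("2025-05-08", "RLDC-North", 45000), ("2025-05-08", "RLDC-West", 1580),
]


def rolling_surge_alerts(counts, window=7, ratio=5.0, min_probes=500):
    """Return one alert per (target, day) whose probe count is at least
    `ratio` times the median of the previous `window` days for that target.

    A median baseline is used rather than a mean so that a single earlier
    noisy day (RLDC-West on 05-04 in the sample) does not inflate the
    baseline and mask a later, genuine surge.  `min_probes` suppresses
    alerts on targets whose absolute volume is too small to matter.
    """
    by_target = defaultdict(list)
    for date, target, n in sorted(counts):
        by_target[target].append((date, n))

    alerts = []
    for target, series in by_target.items():
        for i, (date, n) in enumerate(series):
            history = [v for _, v in series[max(0, i - window):i]]
            if len(history) < 3:
                continue  # not enough history to form a baseline yet
            baseline = median(history)
            if n >= min_probes and baseline > 0 and n >= ratio * baseline:
                alerts.append({
                    "target": target,
                    "date": date,
                    "probes": n,
                    "baseline": baseline,
                    "ratio": round(n / baseline, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in rolling_surge_alerts(SAMPLE_COUNTS):
        print(f"{alert['date']} {alert['target']}: {alert['probes']} probes, "
              f"{alert['ratio']}x the 7-day median of {alert['baseline']}")
```

In the constructed data only RLDC-North on 2025-05-08 crosses the threshold (about 22 times its 7-day median); the 4,000-probe day on RLDC-West stays below a 5x ratio and is not reported, which is the behaviour a defender wants from a baseline that tolerates ordinary variance.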

The intent was unambiguous. Bring down the grid at scale and turn the disruption into a narrative that could be broadcast across the web and social platforms. Create a visible, undeniable blow that no missile strike could replicate in its psychological reach. In this instance, India held the line. But the episode revealed the full anatomy of a threat that India's strategic community can no longer afford to consider as a secondary concern.

The architecture of vulnerability

To understand why India's power sector is so prized by adversarial entities, we need to understand what the grid actually represents.

The RLDCs and the National Load Dispatch Centre (NLDC) are the central nervous system of India's electricity network. They do not merely transmit power. They make continuous, automated decisions about load balancing, frequency regulation and emergency response across a network serving over a billion people. These run on a combination of SCADA (Supervisory Control and Data Acquisition) and Energy Management Systems, many of which have legacy components that predate modern cybersecurity architecture. An attack on an RLDC is not analogous to a data breach. It is closer to a sniper shot at an air traffic control tower.

India's power grid was not designed with cyberwar in mind. The operational technology (OT) environment that runs the physical infrastructure, and the relays, breakers and transformers themselves, were all built for reliability and efficiency. The IT-OT convergence that has accelerated over the past decade, while improving operational efficiency, has dramatically expanded the attack surface. Every internet-connected sensor, every remote terminal unit that allows an engineer to monitor a substation from a laptop, is a potential point of entry.

China's game

While Pakistan's May 8th surge was opportunistic, China's approach is more deliberate and more persistent.

Chinese Advanced Persistent Threat (APT) groups have been systematically targeting Indian energy infrastructure for several years. The pattern is consistent with "pre-positioning", a term that denotes establishing persistent, dormant access within critical networks well before any intended use (for disruption).

This doctrine is called "peacetime preparation for wartime use" within Chinese strategic circles. Its logic rests on patience: infiltrate the target network when geopolitical tensions are low, map its architecture, identify points of leverage, and lie dormant until the geopolitical calculus calls for activation.

The geopolitical messaging dimension of this strategy is equally significant. Beijing does not need to actually turn off India's lights to achieve a strategic effect. The mere demonstration of capability to the right audience, backed by an ambiguous back-channel signal that it could do so, functions as a form of coercive leverage during negotiations over the Line of Actual Control, trade disputes, or regional influence competition.

This is why China's mandate for its threat actors is explicitly designed around creating "a visible sense of panic and the ability to infiltrate critical infrastructure at will." The message is not tactical. It is strategic. It says: we are already inside, and we can determine when you will discover that.

Iran war lessons: Ceasefire means nothing

The most instructive recent case study for India's strategic planners comes not from Pakistan or China. Iran has added a chapter to the playbook, and it is imperative for India to read it and internalize the lessons.

The Iran-linked threat actor Handala, which operates under the direction of Iran's Ministry of Internal Security, has provided a near-perfect model for how cyberwarfare functions in a hybrid conflict environment. During the most recent round of hostilities in the Middle East, Handala demonstrated two capabilities that should alarm every critical infrastructure operator in the Indo-Pacific.

First, it breached a medical technology firm in the United States and extracted the personal communications of a senior U.S. government official, thereby demonstrating the reach of state-backed cyber operations well beyond any geographic theatre of conventional conflict. Second, it conducted a campaign against critical infrastructure operators across the Middle East and successfully breached the networks of at least three regional government entities in a matter of weeks.

But it is Handala's operational tempo after the ceasefire that holds the most consequential lesson for India. When the guns went quiet, Handala did not stand down. It scaled up. The group accelerated its attacks, began building a broader affiliate network, and initiated outreach to Russian and Chinese state-backed threat actors for collaborative operations.

The strategic implication is severe. A ceasefire in kinetic conflict does not equal a ceasefire in cyberspace. The end of conventional hostilities could mark an intensification of cyber operations, as threat actors who have been pre-positioning (during the conflict) now execute their campaigns with enhanced authority, resources and political capital.

For India, the lesson is direct. Operation Sindoor may have concluded. The cyber campaign that accompanied it has not.

The persistence problem

Cyberattacks do not observe the logic of treaties, ceasefires or diplomatic gestures. The threat actors unleashed during conflict are not easily recalled. They operate with a momentum of their own, amplified by several structural dynamics that make cessation extremely difficult.

Consider the information cascade: data harvested in one successful breach is recycled into future attacks. Credentials extracted from a compromised Powergrid engineer's workstation can be used months later in a credential-stuffing campaign against a different utility. Password patterns observed in one breach inform machine-learning models that accelerate the cracking of other systems. The data from yesterday's attack becomes the ammunition for tomorrow's.
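The credential-stuffing reuse described above has a recognisable footprint on the receiving utility's side: one source trying many different accounts in a short window, sometimes followed by a success on one of them. The block below is an added defender-side illustration, not code from the article or from Shieldworkz; the log line format, the account names, the documentation-range source addresses (203.0.113.x, 198.51.100.x) and the thresholds are all constructed for the example, and a real deployment would read these fields from whatever authentication system the utility runs.

```python
"""Detect credential-stuffing patterns in authentication logs: a single
source failing against many distinct accounts inside a short window, and any
account that subsequently logs in successfully from that same source.
Added illustration; the log format and every value in it are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, source address, account, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log.  203.0.113.7 sprays six different accounts within
# 15 seconds and then succeeds on one; 198.51.100.2 is an engineer mistyping
# a password once.  One malformed line is included to show it is skipped.
SAMPLE_LOG = """\
2025-09-14T02:11:05Z src=203.0.113.7 user=eng.ravi result=FAIL
2025-09-14T02:11:06Z src=203.0.113.7 user=ops.meera result=FAIL
2025-09-14T02:11:07Z src=203.0.113.7 user=ctrl.arjun result=FAIL
2025-09-14T02:11:09Z src=198.51.100.2 user=eng.priya result=FAIL
2025-09-14T02:11:10Z src=203.0.113.7 user=hmi.service result=FAIL
2025-09-14T02:11:12Z src=203.0.113.7 user=eng.kiran result=FAIL
2025-09-14T02:11:15Z src=198.51.100.2 user=eng.priya result=OK
2025-09-14T02:11:18Z src=203.0.113.7 user=scada.admin result=FAIL
garbage line that does not parse
2025-09-14T02:11:40Z src=203.0.113.7 user=scada.admin result=OK
"""


def parse(text):
    """Return a list of (timestamp, src, user, result) tuples, skipping
    lines that do not match the expected format instead of crashing."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag each source that fails against at least `min_users` distinct
    accounts within any `window`-long span.  The alert also lists accounts
    that later logged in successfully from that source, since those are the
    ones most likely to have been opened with recycled credentials."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users_in_window = {e[2] for e in fails[start:end + 1]}
            if len(users_in_window) >= min_users:
                first_seen = fails[start][0]
                later_success = sorted({
                    e[2] for e in evs if e[3] == "OK" and e[0] >= first_seen
                })
                alerts.append({
                    "src": src,
                    "first_seen": first_seen.isoformat(),
                    "failed_attempts": len(fails),
                    "distinct_failed_users": len({e[2] for e in fails}),
                    "later_success": later_success,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse(SAMPLE_LOG)):
        print(f"{alert['src']}: {alert['distinct_failed_users']} accounts tried, "
              f"later succeeded on {alert['later_success'] or 'none'}")
```

The many-accounts-per-source shape is what separates stuffing from a single user forgetting a password, which is why the engineer at 198.51.100.2 produces no alert. A follow-up success on an account that was part of the spray (scada.admin in the sample) is the signal that should trigger an immediate credential reset rather than a ticket.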

Handala's operational calendar is illustrative of a broader pattern. Intelligence sources describe a consistent rhythm: pre-positioning attacks — designed to gain access without triggering alarms — concentrated in the second half of each month. Announcements of successful breaches in the first half of the following month. This cycle functions independently of any external political calendar. It will continue regardless of whether India and Pakistan are in a state of open hostility or diplomatic engagement.

Russian, North Korean and Chinese threat actors operate on similar cycles, year-round, undeterred by the formal status of bilateral relations. And critically, these actors collaborate. Cyber operations initiated by one group are routinely expanded by another. Iranian, Russian and Chinese threat actors have conducted joint campaigns — sharing toolsets, target intelligence and infrastructure. What begins as a Pakistani probe of India's power grid can quickly acquire the technical sophistication of a Chinese APT operation layered on top of it.

This cross-pollination of capabilities is perhaps the most underappreciated dimension of the threat India faces.

The strategic calculus for India

India's vulnerability is not by any means a failure of ambition or awareness. CERT-In, the National Critical Information Infrastructure Protection Centre (NCIIPC), and the sector-specific Computer Security Incident Response Teams have made measurable progress. The fact that India's grid held during the May 2025 surge was a major operational achievement.

However, holding the line in one engagement does not constitute a durable defence strategy. Three structural gaps demand urgent attention at the highest levels of government and industry.

The OT security deficit. India's power sector has invested heavily in modernizing its IT infrastructure, but operational technology, the actual set of systems that control physical grid components, remains significantly underprotected. SCADA systems at many state utilities still run outdated operating systems. Remote access capabilities introduced for operational convenience have outpaced the security protocols governing them. An OT security overhaul, prioritizing the NLDC, the RLDCs and the highest-voltage transmission corridors, must be treated as a national security infrastructure investment.

Implementation of the Central Electricity Authority (CEA) (Cyber Security in Power Sector) Regulations, 2025 will go a long way in securing the grid across OT and IT. 

The intelligence-operations gap. The May 8th surge was detected and contained. But detection is not attribution, and attribution is not pre-emption. India has to develop a more aggressive posture on cyber threat intelligence sharing between NCIIPC, sector operators, CTI vendors and allied democracies. The adversaries India faces have already built collaborative intelligence networks. India's defenders must match that architecture.

The doctrinal gap. India does not yet have a publicly articulated cyber deterrence doctrine equivalent to its nuclear doctrine or its conventional military doctrine. The absence of such a framework creates ambiguity both for adversaries calculating what they can do without consequence, and for India's own operators making real-time decisions about proportional response. A clearly communicated doctrine that defines red lines around critical infrastructure attacks, and specifies the spectrum of responses India reserves the right to deploy, would meaningfully raise the cost calculus for adversaries.

The growth and climate protection imperative

India is in the process of building one of the most ambitious clean energy and grid modernization programs in the world. The transition to renewables, the expansion of smart grids and the integration of distributed generation all increase the complexity of the infrastructure that must be defended.

The adversaries targeting India's energy sovereignty understand this perfectly. They are not merely trying to disrupt today's grid. They are trying to establish persistent presence in tomorrow's.

The challenge for India's strategic leadership is to hold both realities simultaneously: to build the energy infrastructure that a growing, ambitious nation requires, and to harden that infrastructure.

The May 8th surge was a warning. The question is not whether the next attempt will come. It is whether India will continue to keep the lights on during an adversarial cyber offensive.


Interested in learning more about what happened in cyberspace during Operation Sindoor? Download the 2026 OT Security Threat Landscape Report.


