Recent findings by SentinelOne reveal that cyberespionage groups connected to China and India have covertly infiltrated Pakistani law enforcement networks over a span of more than two years. The Balochistan Police, in particular, experienced significant cyber intrusions from these regional adversaries.
Prolonged Cyber Intrusions
According to SentinelLabs, the threat intelligence division of SentinelOne, these cyber intrusions occurred from February 2024 to April 2026. Multiple law enforcement agencies in Pakistan were targeted, with Balochistan Police facing the brunt of the attacks. The hackers accessed servers containing sensitive information such as biometric data, criminal records, personnel details, and public-facing systems.
The research identified four main clusters of activity based on the malware and infrastructure used: PlugX, ShadowPad, Cobalt Strike, and Remcos. It is noted that while some clusters involved common malware, others like Remcos were attributed to a specific group.
Motivations Behind the Attacks
Notably, the involvement of China-linked cyber operatives within a police entity of a close regional ally like Pakistan is intriguing. SentinelLabs suggests that these actions are driven by China’s self-interest. Chinese nationals working on Belt and Road Initiative projects in Pakistan have faced persistent threats from Baloch separatist militants, prompting criticism from China regarding Pakistan’s security measures. By accessing Pakistani police data, China aims to independently assess these threats.
Conversely, the activities linked to India correspond with the longstanding tensions between Islamabad and New Delhi. Pakistan has accused India of supporting Baloch militants, a claim India has consistently denied. India’s interest lies in uncovering how Pakistan manages the insurgency, as revealed through Balochistan Police’s networks.
Malicious Software Updates
The research also uncovered malicious software disguised as updates planted on Balochistan Police’s public Complaint Management System. This system allows residents to file and monitor complaints. The fake updates could have affected anyone using the site, including police officers and ordinary citizens.
SentinelLabs attributed the intrusion to a Chinese-speaking developer, based on shared code patterns and artifacts found in the malware samples associated with the attacks.
These developments underscore the complex geopolitical dynamics at play in South Asia, highlighting the intersection of cybersecurity and international relations.
