Cybersecurity experts have revealed a prolonged cyber espionage campaign targeting several Pakistani law enforcement bodies. This activity, attributed to suspected China and India-aligned threat actors, spanned from February 2024 to April 2026 and compromised critical police infrastructure.
Compromise of Police Infrastructure
The attacks primarily focused on network appliances and servers that manage sensitive data, including biometric records and police personnel files. Aleksandar Milenkoski of SentinelOne highlighted that the Balochistan Police’s web applications, which handle crucial data like criminal records, were among those compromised. The Complaint Management System (CMS), a key application used by police and citizens alike, was manipulated to deploy a malicious implant disguised as a routine update.
In addition to Balochistan, other Pakistani law enforcement agencies such as the Khyber Pakhtunkhwa Police and the Islamabad Police were also affected. Each of these organizations had their infrastructures breached, hinting at a coordinated effort to infiltrate Pakistan’s police networks.
Identifying the Threat Actors
Four distinct threat clusters were identified, employing various malware families like PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The latter has been associated with India-nexus threat actors, while PlugX and ShadowPad’s deployment points towards Chinese state-affiliated groups. Their attack patterns, observed between February and December 2024, suggest a broader campaign targeting not just law enforcement but also governmental and non-governmental entities across Asia and beyond.
The Remcos RAT attacks share similarities with the Mysterious Elephant group, known for its links to Indian adversaries. This group’s tactics include using decoy documents related to Pakistani law enforcement operations to lure targets into their trap.
Broader Implications and Future Outlook
The Cobalt Strike activities indicate a wide-reaching espionage effort by China-nexus actors, extending their reach to various sectors such as academia and telecommunications across multiple continents. The involvement of Tibetan Buddhist organizations in Taiwan underscores the geopolitical motivations behind these cyber intrusions.
An in-depth analysis of the Balochistan Police breach revealed the compromise of multiple assets, including two network appliances and several web servers hosting police applications. These breaches were part of the agency’s digitalization initiative, aimed at improving policing efficiency but inadvertently providing a channel for cyber threats.
This series of attacks highlights the strategic importance of law enforcement data for foreign intelligence operations. According to Milenkoski, such convergence of multiple espionage actors signifies the high value placed on internal security information held by the police. The compromise of citizen-facing applications, like the CMS, underscores the dual impact of these attacks—threatening both public security and law enforcement integrity.
As geopolitical tensions continue to influence cyber espionage activities, Pakistan’s law enforcement agencies must strengthen their cyber defenses to protect sensitive information from becoming a pawn in international cyber conflicts.
