Hacking groups linked to China and India conducted parallel, unconnected espionage operations against Pakistani law enforcement over more than two years, according to research published Thursday.
The activity, in some cases breaching the exact same systems, ran between February 2024 and April 2026, cybersecurity firm SentinelOne said in a report. It centered on the Balochistan Police, the force responsible for the country’s southwestern province that has been the site of a long-running separatist insurgency.
The firm’s SentinelLabs research arm said police networks concentrate governments’ internal-security data in one place. The report states that the compromised systems held criminal records, biometric and fingerprint data, personnel files, hotel and tenant registrations linked to national identity records, and citizen complaints.
The researchers assess that the China-nexus interest was driven primarily by protecting Beijing’s nationals in Pakistan tied to the China-Pakistan Economic Corridor. The report cites a March 2024 suicide bombing and an October 2024 attack near Karachi’s airport as incidents affecting Chinese workers.
According to SentinelLabs, the intrusions reflect an effort to assess the threat independently rather than rely on Pakistani security guarantees. Its report assessed the India-linked activity was likely linked to the rivalry between the two countries.
Islamabad accuses New Delhi of backing the Baloch insurgency and describes the Balochistan Liberation Army as an “Indian proxy,” while India makes parallel accusations over Kashmir. Both governments deny the other’s claims. SentinelLabs said access to Balochistan Police data would provide visibility into that conflict.
Both Pakistan and India are alleged to have conducted cyber espionage campaigns against each other, with attacks targeting Indian government, academic and strategic institutions, as well as Pakistani government agencies and critical infrastructure operators.
Sentinel Labs’ report describes the compromise of the Balochistan Police Complaint Management System, a portal used by officers behind a login and by citizens checking the status of complaints. According to the researchers, a China-linked operator planted malware disguised as a portal update — an executable that displayed a fake “update complete” message while infecting the visitor’s device.
Because both police and members of the public use the site, SentinelLabs said the tampered portal exposed both groups. The researchers said forensic traces in the code, including Chinese-language log strings and developer artifacts, indicated a Chinese-speaking author.
Rather than name specific groups, SentinelLabs sorted the activity into clusters by toolset. Backdoors shared among Chinese groups, including PlugX and ShadowPad, anchored the China-nexus assessments, alongside a victim pattern spanning Asian governments and, in one case, Tibetan organizations in Taiwan.
The India-nexus intrusions were tied with lower confidence to an actor the researchers track as TAG-179, overlapping with clusters others call Bitter and Mysterious Elephant, partly on the basis of a lure document themed around the repatriation of undocumented foreigners.
The researchers noted that as Pakistan centralizes and digitizes its policing, supported in part by European modernization programs, it will continue to concentrate high-value data that adversaries may target.
Recorded Future
Intelligence Cloud.
