China, India-Linked Hackers Both Targeted Same Pakistani Police Force

New research from SentinelOne shows that cyberespionage groups linked to both China and India spent more than two years quietly breaking into Pakistani law enforcement networks, with Balochistan Police getting hit from both sides of the region’s rivalries.

According to the security firm’s SentinelLabs threat intelligence unit, the intrusions ran from February 2024 through April 2026 and targeted several Pakistani police organizations, with Balochistan Police absorbing the bulk of the activity. The attackers reached servers tied to biometric databases, criminal case files, personnel records, and citizen-facing systems.

The researchers grouped the intrusions into four clusters based on the malware and infrastructure involved: PlugX, ShadowPad, Cobalt Strike, and Remcos. They cautioned that clusters built on shared or commodity malware — unlike the Remcos activity, tied to a single tracked actor — may each involve more than one operator.

What stands out is the presence of China-linked cyberspies inside a police force belonging to one of Beijing’s closest regional partners. SentinelLabs frames the likely motive as self-interest.

Specifically, Chinese nationals working on Belt and Road projects in Pakistan have been repeatedly targeted in attacks tied to Baloch separatist militants, and Chinese officials have openly criticized Islamabad’s ability to protect them. Gaining direct access to Pakistani police data would allow Beijing to evaluate the threat on its own.

On the other hand, the India-linked activity aligns with a dispute that Islamabad and New Delhi have had for years. Pakistan has long accused India of backing Baloch militants, which India has denied, and New Delhi has its own interest in whatever Balochistan Police’s networks reveal about Islamabad’s handling of that insurgency.

Advertisement. Scroll to continue reading.

The researchers also found malicious files disguised as software updates planted directly on Balochistan Police’s public Complaint Management System, the portal residents use to file and track complaints. The fake update prompt would have hit anyone using the site, including officers and ordinary citizens.

SentinelLabs linked the intrusion to a Chinese-speaking developer based on shared code patterns and artifacts found in related malware samples.

Related: RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India

Related: Armored Likho APT Targeting Government, Electric Power Entities

Related: China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *