Between May 7th and 10th, 2025, amidst escalating geopolitical tensions, Indian infrastructure faced a barrage of over 650 cyber attacks, according to a recent report. These attacks coincided with "Operation Sindoor," India's military counterterrorism response to the April 22nd Pahalgam terror attack. The cyber offensive, attributed to Pakistan-aligned threat actors, targeted critical sectors including defense, healthcare, telecom, and government, highlighting the increasing convergence of cyber and information warfare.
The attacks began even before Operation Sindoor, around April 17th, with spear-phishing emails designed to exploit public concerns regarding national security. These emails contained weaponized files disguised as official Indian government advisories, such as "Final_List_of_OGWs.xlam" and "Preventive_Measures_Sindoor.ppam." Forensic analysis revealed the use of Ares RAT, an advanced version of APT36's Crimson RAT malware, which established secret communication channels with command-and-control servers. Attackers cleverly spoofed legitimate Indian domains like nationaldefensecollege[.]com and zohidsindia[.]com in an attempt to bypass security protocols.
During the peak of the attacks between May 7th and 10th, Seqrite's telemetry recorded over 650 cyber incidents. These included Distributed Denial of Service (DDoS) attacks on major telecom providers like Jio and BSNL, defacements of state education portals, and credential harvesting campaigns targeting healthcare institutions such as AIIMS and Apollo Hospitals. Hacktivist collectives like #OpIndia and #OperationrSindoor coordinated their efforts via Telegram, claiming responsibility for leaking sensitive data from defense contractors and municipal databases. The attackers masked their origins by leveraging virtual private servers (VPS) located in Russia, Germany, and Indonesia.
The nature of these cyber attacks varied. Some were symbolic, such as website defacements, while others aimed to disrupt critical services and steal sensitive information. For instance, the official website of the Ministry of Defence (MoD) was hit by a DDoS attack lasting almost four hours. There were also claims that Pakistan-aligned actors paralyzed approximately 70% of India's power grid through cyber means, although this claim remains difficult to verify completely.
In response to these threats, Seqrite implemented countermeasures, including deploying 26 custom detection signatures across Seqrite XDR, integrating YARA rules into national threat intelligence platforms, providing real-time alerts for spoofed domains, and disseminating threat advisories to Indian entities. These measures were aimed at detecting and mitigating the impact of the cyber attacks.
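The defensive measures above (custom detection signatures and alerts for spoofed domains) can be illustrated with a small mail-gateway triage check. The script below is an added example written for this summary, not Seqrite's own signatures or YARA rules. It flags two lure traits the report describes: attachments using macro-enabled Office add-in extensions (`.xlam`, `.ppam`) and sender domains matching the defanged indicators named in the report. The log-line format, the `triage` helper names, and the sample log lines are assumptions constructed for the example.

```python
"""Triage mail-gateway log lines for the lures described in the report:
(1) macro-enabled Office add-in attachments (.xlam / .ppam) posing as advisories,
(2) senders whose domain matches a spoofed-domain indicator from the report.
Log-line format and sample data are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Add-in extensions used by the lure files named in the report.
ADDIN_EXTENSIONS = {".xlam", ".ppam"}

# Defanged domain indicators from the report; refanged below for matching.
SPOOFED_DOMAINS = {"nationaldefensecollege[.]com", "zohidsindia[.]com"}


def refang(domain: str) -> str:
    """Turn a defanged indicator like example[.]com back into example.com."""
    return domain.replace("[.]", ".").lower()


SPOOFED_DOMAINS_REFANGED = {refang(d) for d in SPOOFED_DOMAINS}

# Assumed gateway log format: <timestamp> from=<addr> subj="<text>" att=<comma-separated names>
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+subj="(?P<subject>[^"]*)"\s+att=(?P<att>\S*)$'
)


@dataclass
class Finding:
    timestamp: str
    sender: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sender_domain(address: str) -> str:
    """Extract the domain part of an e-mail address (lower-cased)."""
    return address.rsplit("@", 1)[-1].lower()


def triage_line(line: str):
    """Evaluate one log line and return a Finding (possibly with no reasons)."""
    rec = parse_line(line)
    if rec is None:
        return None
    reasons = []
    # Each attachment name is checked for an add-in extension, case-insensitively.
    for att in filter(None, rec["att"].split(",")):
        ext = "." + att.rsplit(".", 1)[-1].lower() if "." in att else ""
        if ext in ADDIN_EXTENSIONS:
            reasons.append(f"add-in attachment {att}")
    dom = sender_domain(rec["sender"])
    if dom in SPOOFED_DOMAINS_REFANGED:
        reasons.append(f"sender domain matches indicator {dom}")
    return Finding(rec["ts"], rec["sender"], reasons)


def triage(lines):
    """Return only the findings that carry at least one reason to alert."""
    return [f for f in map(triage_line, lines) if f and f.reasons]


# Constructed sample log lines (not real gateway data).
SAMPLE_LOG = [
    '2025-04-17T09:12:03Z from=advisory@nationaldefensecollege.com subj="Final List of OGWs" att=Final_List_of_OGWs.xlam',
    '2025-04-18T11:40:55Z from=press@example-corp.in subj="Q1 figures" att=figures.xlsx',
    '2025-05-07T06:02:10Z from=alerts@zohidsindia.com subj="Preventive Measures" att=Preventive_Measures_Sindoor.ppam',
    '2025-05-08T14:20:00Z from=hr@example-corp.in subj="Policy update" att=',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.timestamp, finding.sender, "; ".join(finding.reasons))
```

Running the script prints the two constructed lines that carry both traits; a real deployment would feed gateway logs into `triage` and route the findings to the SOC alert queue rather than printing them.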
The events underscore the growing sophistication and coordination of cyber attacks, particularly in the context of geopolitical tensions. The collaboration between nation-state actors and non-state hacktivists, combining technical intrusion with psychological operations, poses a significant challenge to cybersecurity. The attacks also revealed vulnerabilities in India's narrative control, highlighting the need for proactive communication and trust-building mechanisms in the public information space. While India's cyber defenses were able to thwart a large number of attacks, the incident underscores the need for constant vigilance and improvements in cybersecurity infrastructure and protocols.
The incident served as a wake-up call, emphasizing the importance of treating timely and accurate public communication as an integral component of national security. As cyber warfare evolves, a comprehensive approach that combines robust technical defenses with cognitive resilience and proactive communication strategies is essential to protect critical infrastructure and maintain public trust.