Cybersecurity researchers have disclosed a sustained cyber espionage campaign targeting multiple Pakistani law enforcement organizations, with activity attributed to suspected China-aligned and India-aligned threat actors spanning from February 2024 through April 2026.

According to the disclosure, one of the primary targets was the Balochistan Police, where attackers compromised servers hosting web applications used to manage police and citizen data. The affected systems reportedly included databases and portals tied to criminal records and other sensitive law enforcement information.

The campaign is notable for involving multiple distinct threat actor groups operating against the same set of targets over an extended period, suggesting sustained intelligence interest in Pakistani law enforcement infrastructure rather than a single opportunistic intrusion. The overlap of China-aligned and India-aligned activity against the same infrastructure points to a contested espionage environment where separate state-linked or state-associated actors independently sought access to the same systems.

Why It Matters

Law enforcement portals are high-value targets because they often aggregate sensitive citizen data, including criminal histories, identity records, and case files. A compromise of this kind of infrastructure can expose:

  • Personally identifiable information on citizens and suspects
  • Details of ongoing criminal investigations
  • Internal law enforcement communications and operational data
  • Credentials that could enable lateral movement into other government networks

Multi-group targeting of the same public-sector infrastructure also raises the risk of overlapping or conflicting tradecraft, where evidence from one intrusion could complicate attribution and incident response for defenders investigating a separate breach.

What Defenders Should Do

Organizations operating public-facing government or law enforcement web applications should treat internet-exposed portals handling sensitive citizen data as high-priority assets for monitoring. Recommended steps include auditing external-facing servers for unauthorized access, reviewing logs for anomalous activity dating back over extended periods, enforcing strict access controls on databases containing criminal and citizen records, and segmenting sensitive law enforcement systems from general government network infrastructure.

Further technical details on the specific intrusion methods, malware, and infrastructure used by the identified threat groups were not fully specified in initial disclosures.