Parallel Espionage: Chinese and Indian APTs Target Pakistani Law Enforcement Data
A new report from **SentinelOne** reveals that state-sponsored hacking groups from China and India conducted separate, simultaneous espionage campaigns against Pakistani law enforcement for over two years. These operations, in some instances compromising the exact same systems, targeted sensitive data from the **Balochistan Police**, highlighting the escalating cyber conflict in the region.
Cybersecurity firm **SentinelOne** has uncovered a sophisticated and prolonged espionage campaign targeting Pakistani law enforcement, specifically the **Balochistan Police**. The research, published by **SentinelLabs**, details how distinct hacking groups linked to China and India operated in parallel, with some intrusions affecting the same systems between February 2024 and April 2026.
### High-Value Targets: Police Networks as Data Hubs
Police networks are a goldmine for intelligence agencies, centralizing vast amounts of sensitive internal-security data. The compromised systems held a trove of critical information, including criminal records, biometric and fingerprint data, personnel files, hotel and tenant registrations linked to national identity records, and citizen complaints.
### China's Focus: Protecting CPEC Interests
**SentinelLabs** assesses that China's interest was primarily driven by the need to protect its nationals and investments tied to the **China-Pakistan Economic Corridor (CPEC)**. The report cites incidents such as a March 2024 suicide bombing and an October 2024 attack near Karachi's airport, which impacted Chinese workers. The intrusions suggest an independent assessment of threats, rather than sole reliance on Pakistani security guarantees.
### India's Motive: Regional Rivalry and Balochistan Conflict
Conversely, the India-linked activity is believed to be rooted in the long-standing rivalry between the two nations. Access to **Balochistan Police** data would offer significant visibility into the Baloch insurgency, which Islamabad alleges is backed by New Delhi. Both governments routinely deny each other's accusations regarding support for separatists in Balochistan and Kashmir.
### Attack Vector: Malicious Updates to Complaint Management System
A key vector for the China-linked operations involved the compromise of the **Balochistan Police Complaint Management System**. This portal, used by both officers and citizens, was reportedly infected with malware disguised as a portal update. The executable displayed a fake "update complete" message while covertly infecting the visitor's device. Forensic traces, including Chinese-language log strings and developer artifacts, pointed to a Chinese-speaking author.
### Attributing the Threat Actors
Rather than naming specific groups, **SentinelLabs** categorized the activity into clusters based on their toolsets. The China-nexus operations were anchored by backdoors commonly shared among Chinese groups, such as **PlugX** and **ShadowPad**. Victim patterns for these groups also spanned other Asian governments and, notably, Tibetan organizations in Taiwan.
The India-nexus intrusions were linked with lower confidence to an actor tracked by **SentinelLabs** as **TAG-179**, showing overlaps with clusters known as **Bitter** and **Mysterious Elephant**. This attribution was partly based on a lure document themed around the repatriation of undocumented foreigners.
### The Future of Digital Policing and Espionage
As Pakistan continues to centralize and digitize its policing efforts, often supported by European modernization programs, it inadvertently creates more concentrated, high-value data targets for adversaries. This trend underscores the critical need for robust cybersecurity measures within governmental and law enforcement agencies globally to counter persistent state-sponsored espionage threats.
