Back to Insights
Threats5 min read11 July 2026

Two Spy Campaigns, One Target: How Pakistani Police Networks Spent Two Years Under Foreign Surveillance

Researchers identified two separate hacking operations, one linked to China and one to India, that both quietly penetrated Pakistani law enforcement systems between February 2024 and April 2026.

t2s
train2secure NewsdeskSecurity awareness team
A photoreal editorial scene showing a dimly lit server room inside a government building, rows of blinking network hardw

Pakistani law enforcement networks were breached in a sustained, two-front spying operation running from February 2024 to April 2026, with Balochistan Police servers holding criminal records and citizen data among the confirmed victims.

The finding is striking not just because of what was taken, but because of who apparently took it. Two distinct groups of hackers, one assessed as China-aligned and one as India-aligned, appear to have independently selected the same Pakistani targets. They did not share tools. They did not coordinate. They simply arrived at the same conclusion: Pakistani police databases were worth the effort.

What Was Compromised

Balochistan Police runs web applications that officers use to search criminal records, manage case files, and access information on citizens. The attackers reached the servers that host those applications. That kind of access hands a foreign intelligence service exactly the data it wants: who police are watching, who they have arrested, and what they know about the population in a strategically sensitive province.

Researchers have not published a complete inventory of exfiltrated data. That restraint is typical when the victim is a sovereign government body and the investigation remains live. What is confirmed is that the access was persistent, lasting months, not days.

Two Groups, Two Governments, One Victim Pool

The China-aligned cluster fits the fingerprints of activity previously associated with crews like Mustang Panda, a label CrowdStrike applies to a long-running Chinese state-linked threat actor with a history of targeting governments across Southeast and South Asia. The India-aligned cluster overlaps with behaviour patterns attributed to groups tracked under names like SideWinder and Patchwork, both of which have run espionage operations across the subcontinent for years.

Neither Beijing nor New Delhi has claimed the activity. Pakistan has not formally accused either government. Researchers place their attribution at medium confidence, the standard intelligence caveat meaning the evidence is consistent with the conclusion but falls short of proof beyond doubt. Overlapping victim lists are suggestive. They are not the same as shared infrastructure, shared malware, or a confession.

What makes the overlap analytically interesting is the geopolitical framing. China and India are rivals with competing interests in Pakistan and the broader region. Both, apparently, decided Pakistani police records were a priority intelligence target, and both sustained that interest across roughly two years.

How the Hackers Got In

The techniques used match the established playbooks of both groups. Spear-phishing sits at the top of that list. A spear-phish is not a generic spam email. It is a carefully crafted message aimed at one specific person, designed to look legitimate enough that the recipient opens an attachment or clicks a link without hesitation. The Verizon 2024 Data Breach Investigations Report found that phishing was involved in 32 percent of all breaches, and that figure has held stubbornly high for years precisely because the technique works against prepared and unprepared organisations alike.

Exploiting internet-facing web applications that have not received security patches is the second vector researchers describe. Unpatched public-facing systems are a persistent entry point across virtually every category of government breach. When a vulnerability sits unpatched for weeks or months, it does not go unnoticed by groups that scan the internet continuously for exactly that kind of opening.

This is where training intersects with prevention in a meaningful way. Spear-phishing succeeds because the recipient does not recognise the social engineering. Security awareness programmes that teach staff to interrogate unexpected emails, verify sender identity through a second channel, and report suspicious messages before clicking anything can interrupt the attack at the earliest possible stage. Organisations that run regular phishing simulations and awareness training build the human detection layer that technical controls alone cannot replicate.

Which Controls Failed

Three failure categories stand out in this incident.

First, phishing resilience. If spear-phishing was the initial access vector, then the employees who received those emails did not identify them as threats. That is a training and awareness gap, not a technology gap. A firewall cannot read intent. A well-trained officer can learn to question an unexpected email asking them to open an attachment, even if the sender appears familiar.

Second, patch management. Internet-facing applications that have not been updated against known vulnerabilities represent a standing invitation. NIST guidance under SP 800-40 on patch and vulnerability management is explicit: critical and high-severity patches for internet-facing systems should be applied within defined, short windows. When those windows are missed, the exposure compounds every day the patch sits undeployed.

Third, network segmentation and monitoring. A persistent intrusion running for two years suggests that either detection tooling was absent, or that alerts were not acted upon. Effective security operations centre monitoring, combined with segmentation that limits what an attacker can reach once inside, should reduce both dwell time and the volume of data accessible from a single foothold. Neither appears to have constrained these attackers significantly.

For defenders reviewing their own environments, the relevant questions are direct. How quickly are internet-facing applications patched after a vulnerability is published? Do staff know how to identify and report a spear-phishing attempt, and have they practised that skill in the last 12 months? Does the network architecture limit what an attacker can see from a compromised web server? Organizations that want to benchmark their current posture against recognised standards can review the security frameworks and controls mapped at Train2Secure.

What Comes Next

Attribution in cases like this is rarely static. Researchers will publish indicators of compromise over the coming weeks. Pakistani authorities may issue a formal response. The picture could sharpen or shift as more forensic evidence surfaces.

For security teams outside Pakistan, the immediate takeaway is simpler. Two capable, persistent adversaries both found Pakistani police networks worth targeting for at least two years. The techniques they used, spear-phishing and unpatched application exploitation, are not exotic. They are the same techniques that show up in breach reports across every sector, every quarter. The defences that work against nation-state actors are the same defences that work against criminal groups: trained people, patched systems, and networks built to slow down an attacker who gets past the perimeter.

Pricing and deployment options for awareness training programmes are available for teams at any size, from small agencies to large government departments.

How spear-phishing campaigns like this one could be disrupted earlier

  • Run regular simulated spear-phishing exercises so staff build the habit of questioning unexpected emails before clicking anything.
  • Establish a clear, low-friction process for reporting suspicious messages so security teams get early warning when a campaign is active.
  • Combine awareness training with a patch management schedule that prioritises internet-facing systems, cutting off the two most common entry points used in this campaign.

Train2Secure delivers security awareness programmes that build exactly this kind of human detection layer, with simulations and reporting tools built for government and enterprise teams.

Start free, no card required

Frequently asked questions

How did the hackers access Pakistani police systems?

Researchers identified two primary techniques: spear-phishing emails targeted at specific individuals inside the organisations, and exploitation of internet-facing web applications that had not been patched against known vulnerabilities.

Why would both China-aligned and India-aligned groups target the same Pakistani police networks?

Balochistan is a strategically sensitive province for both countries for different reasons. Criminal records, citizen data, and internal police intelligence represent high-value espionage targets for any foreign service trying to understand Pakistani security operations or monitor specific individuals.

How confident are researchers in the attribution to China and India?

Attribution sits at medium confidence. The tooling and targeting patterns are consistent with previously documented Chinese and Indian state-linked groups, but overlapping victim selection is not the same as definitive proof. Neither government has been formally accused by Pakistan.

What can government agencies do to reduce the risk of similar intrusions?

Three controls matter most: applying patches to internet-facing applications within defined windows, running regular spear-phishing simulations and awareness training so staff can identify and report suspicious emails, and implementing network segmentation so a breach of one system does not grant access to all data.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress