Suspected state-linked cyber actors from China and India independently targeted the same Pakistani law enforcement agency over a span of more than two years, according to a new cybersecurity report by SentinelLABS.
The findings highlight the growing strategic importance of Pakistan’s security infrastructure in regional cyber espionage.
The report, published on Thursday, said four separate cyber campaigns between February 2024 and April 2026 infiltrated multiple Pakistani law enforcement systems, with the Balochistan Police emerging as the primary target.
Balochistan Police among key targets
According to SentinelLABS, all four cyber campaigns reached the Balochistan Police, while additional intrusions also affected the Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority.
Researchers said the fact that multiple suspected state-linked groups independently targeted the same organisation underscores its strategic intelligence value.
“The convergence itself is a signal of target value,” the report noted, referring to the overlapping cyberespionage operations.
Multiple police systems reportedly accessed
The investigation found that attackers gained varying levels of access to several digital platforms used by Balochistan Police.
The compromised systems reportedly included personnel records, criminal case databases, stolen vehicle tracking, landlord-tenant registration, hotel guest registration linked to national identity records, fingerprint-based criminal records, citizen complaint portals and First Information Report (FIR) management systems.
However, SentinelLABS said it found no confirmed evidence that sensitive data from most of these systems was exfiltrated or stolen.
Citizen complaint portal saw deepest compromise
Researchers identified the Complaint Management System (CMS) as the most seriously compromised platform.
According to the report, attackers obtained write access to the live portal and uploaded two malware files disguised as a legitimate software update. One of the files displayed a message reading, “Update Complete! Please refresh the page,” in an apparent attempt to convince users that the update was genuine.
The malware was designed to potentially compromise both police personnel accessing the system and members of the public submitting complaints online.
Even so, researchers said they were unable to recover the malware’s final payload and found no confirmed evidence that the malicious software successfully infected users or resulted in data theft.
Attribution points to China- and India-linked groups
SentinelLABS attributed three of the four cyber campaigns to suspected China-linked actors with varying levels of confidence. These assessments were based on malware families, infrastructure analysis, developer fingerprints and historical targeting patterns.
A fourth campaign was assessed as likely linked to an India-aligned threat group identified by cybersecurity firm Recorded Future as TAG-179, although researchers noted that attribution in cyberspace remains inherently complex and should be interpreted with caution.
Why Balochistan matters
The report suggests Balochistan’s strategic importance may explain why multiple cyberespionage groups focused on the province.
For China, the region is central to the China-Pakistan Economic Corridor (CPEC), where the security of Chinese nationals and infrastructure projects remains a key concern.
The report also noted Pakistan’s long-standing allegations that India supports separatist groups operating in Balochistan—claims India has consistently denied. Researchers said intelligence collected from police networks could provide valuable operational insights into the region’s evolving security environment.
Several questions remain unanswered
Despite documenting extensive network access, SentinelLABS said several aspects of the investigation remain unresolved.
Researchers were unable to retrieve the malware’s second-stage payload, determine whether any devices were successfully infected, or confirm whether confidential information was extracted from police systems.
The report also noted that the suspected India-linked campaign remained active as recently as April 2026, indicating that cyber threats targeting regional security agencies continue to evolve.


























