Two Battlegrounds: India-Pakistan Conflicts and DDoS Attacks

May 8, 2025 | NSFOCUS

Background

Monitoring data from the Global Threat Hunting System of NSFOCUS Fuying Lab shows that DDoS attacks between India and Pakistan have surged significantly since the April 22, 2025 terrorist attack on tourists in the town of Pahalgam, Indian-controlled Kashmir, which killed 26 people. This escalation of cyber confrontation closely tracks the evolving real-world conflict between the two countries.

The Kashmir dispute, a legacy of the 1947 partition of India and Pakistan, continues to cause regional tensions. After this incident, India accused Pakistan of supporting cross-border terrorism (denied by Pakistan), which immediately triggered a series of confrontational measures: India implemented diplomatic expulsions and border controls on April 23, 2025; Pakistan took countermeasures such as airspace closure and trade suspension on April 24; multiple rounds of military conflict broke out between the two sides along the Line of Actual Control from April 25 to 27, at one point escalating into an exchange of heavy weapons; and both sides continued to take blockade measures from May 2 to 5, a period in which the situation was relatively calm. On May 7, India first launched a “major military operation”, using fighter jets to fire missiles into Pakistan. The Pakistani Air Force shot down five Indian fighter jets in its counterattack against the Indian Air Force, and the regional situation faces the risk of further escalation.

Timeline

April 22: A shooting incident targeting tourists occurred in Pahalgam town, Indian-controlled Kashmir, resulting in 26 deaths. India accused Pakistan of supporting cross-border terrorism, but Pakistan denied it.

April 23 – 24: India closed border crossings, expelled Pakistani diplomats, suspended the issuance of visas to Pakistani citizens, and its military entered a “high-alert” state. Pakistan announced the closure of its airspace to India, the suspension of all trade, the revocation of some visas for Indian citizens, and mobilized JF-17 fighter jets and missile bases for combat readiness.

April 25 – 28: The two sides exchanged fire continuously in Kashmir. The conflict spread to areas such as the Jhelum Valley and Rampur district, with the use of small arms, mortars, and drones.

May 2 – 5: India banned the import of Pakistani goods and blocked Pakistani social media accounts. Pakistan prohibited Indian ships from entering its ports.

May 7: India launched a “major military operation”, launching attacks on nine “terrorist infrastructure” target sites within Pakistan. The Pakistani Air Force has shot down five Indian military aircraft and launched missiles to destroy a military command post within India in retaliation for India’s air strikes on Pakistan.

This series of real-world frictions and conflicts has also been mapped to cyberspace, leading to a surge in DDoS attacks on both sides.

Attack Overview

Note: All the times and dates shown below are in GMT+8.

According to the monitoring data of the Global Threat Hunting System of NSFOCUS Fuying Laboratory, DDoS attacks against India and Pakistan have shown a significant fluctuating upward trend since April 14, 2025.

As of April 26, the scale of attacks had exploded: the number of targets attacked surged by more than 500% in India and by more than 700% in Pakistan. This sharp deterioration in cybersecurity echoes the escalating military standoff between India and Pakistan over Kashmir, where the conflict had recently intensified, with both sides exchanging fire and using heavy weapons. While the exchange of fire continued, attacks remained at a high level. From May 1, the two sides entered a stalemate and, with international intervention, the situation eased somewhat. Cyberspace followed the same pattern, with DDoS attacks showing a gradual downward trend.

Monitoring of Key Attack Events – Attacks on India

Attack on the official website of PowerGrid

At 09:35 on May 2, 2025, the official website of POWERGRID (www.powergrid.in) was hit by a DDoS attack using NTP reflection amplification that lasted 31 minutes and 26 seconds.

As a “Maharatna” core public sector enterprise recognized by the Indian government, POWERGRID is responsible for the operation and management of India’s national power grid and occupies a key position in the field of power transmission and distribution. This DDoS attack directly affects the services of the official website and may make a number of online services, including electricity bill inquiry, online payment and fault reporting, temporarily unavailable. While the grid infrastructure itself was not affected, the incident highlights the threat of DDoS attacks on critical public service systems.

Attack on the official website of Nccc News in India

At 13:30 on April 26, 2025, a DDoS attack was detected against the official website of Nccc News (ncccnews.com). The attack used CLDAP reflection and lasted for 22 minutes and 13 seconds.

The website is an important platform for publishing government planning and education information, so attacks on it directly affect the timely access of educators, students and the general public to policy information and educational resources, which may have an adverse impact on the normal operation of the education system.

Attack on the official website of India’s Unique Identification Agency

At 12:49 on April 26, 2025, the official website of the Unique Identification Authority of India (UIDAI) (uidai.gov.in) was hit by a DDoS attack using NTP reflection amplification. The attack lasted 31 minutes and 19 seconds.

As a statutory body established by the Indian government under the Aadhaar Act 2016, UIDAI is part of the Ministry of Electronics and Information Technology and is responsible for managing India’s universal biometric identity system. This DDoS attack may cause the interruption of core services such as Aadhaar card application and information update, which directly affects the identity authentication service of Indian citizens.

Attack against Bharat Sanchar Nigam Limited (BSNL)

At 22:25 on April 25, 2025 and 17:58 on April 26, 2025, BSNL (www.bsnl.co.in), a state-owned telecommunications operator affiliated to the Ministry of Telecommunications of the Indian government, suffered two rounds of DDoS attacks in succession. The attackers used NetBIOS reflection and NTP reflection amplification technologies respectively, both lasting more than 30 minutes. As of 21:00 on May 7th (GMT+8), the operator’s official website is still inaccessible.

BSNL is a central public sector enterprise of India. As the fourth largest Internet service provider in India, BSNL provides critical communications services across the country. The company was for a long time the exclusive operator and maintainer of India’s railway communication systems, but this business was later spun off to form RailTel. If a DDoS attack against the company paralyzes the central node, it may cause a large-scale communication interruption, affecting the normal communication of governments, enterprises and individual users.

Attack on the website of Bharat Sanchar Nigam Limited

At 13:07 on April 23, 2025, several websites of Bharat Sanchar Nigam Limited (BSNL) were hit by DDoS attacks that used CLDAP reflection amplification. The attack lasted for 3 hours, 4 minutes and 26 seconds. As of 21:00 on May 7th (GMT+8), its related online services are still inaccessible.

Indian Railways Telecommunications Limited provides project services including station Wi-Fi, content on demand, railway display network, national fiber optic network and national knowledge network services, hospital management information and video surveillance system. The company serves government agencies, educational institutions, businesses, banks, private enterprises and non-banking financial companies (NBFCs).

Attack on TV9 Hindi Online News Platform

At 13:07 on April 10, 2025, the Mirai botnet family launched a five-minute DDoS attack on the TV9 Hindi online news platform using the ACK_FLOOD attack method.

TV9 Hindi is a Hindi news website affiliated with News9live. News9live.com is the digital division of TV9 News Network and India’s fastest-growing digital news platform, covering the latest news, politics, current affairs, defense, finance, entertainment and sports, as well as the latest trends in social media, health, technology and science. It is one of the main digital online media in India.

Monitoring of Key Attack Events – Attacks on Pakistan

Attack on WTL

At 20:10 on May 1, 2025, an attack on the official website of WTL (WorldCall Telecom Limited) in Pakistan was detected. The attack used NTP reflection amplification and lasted for 17 minutes and 36 seconds.

As an important communications service provider in Pakistan, WTL provides telecommunications, Internet and digital media services to users across the country. The attack may affect its key functions such as customer service and online business processing, causing a short-term impact on the user’s network experience.

Attack on the official website of Quaid-i-Azam University

At 12:58 on April 26, 2025, a DDoS attack was detected against Quaid-i-Azam University (official website qau.edu.pk), a top university in Pakistan. The attack used NTP reflection amplification and lasted for 32 minutes and 16 seconds.

Quaid-i-Azam University is located in Islamabad, the capital of Pakistan. As Pakistan’s leading public research university (established in 1967), it is not only an academic center that tops the list of universities in the Organization of Islamic Cooperation member states, but also a benchmark for higher education in South Asia with its academic status of 551-560 in the QS world ranking and 133rd in Asia. This malicious attack on the university’s official website will not only affect key network services, but also important ongoing academic activities.

Attack on the Emergency Services Department website

At 10:26 on April 26, 2025, a DDoS attack was detected against the Pakistan Emergency Services Department website (www.rescue.gov.pk). The attack used NTP reflection amplification and lasted for 48 minutes and 19 seconds. As of 21:00 on May 7th (GMT+8), the website is still inaccessible.

The Pakistan Emergency Services Department is responsible for coordinating disaster relief, medical emergency and public safety incident response across the country. Its service scope covers almost all regions of Pakistan, including Punjab, Khyber Pakhtunkhwa, Balochistan, Sindh, Gilgit-Baltistan and Azad Kashmir. Once an attack on the website causes service interruption, it will not only affect people’s emergency help, disaster warning release and rescue force dispatch, but also cause a certain degree of panic among the people and weaken their trust in the government’s emergency response capabilities.

Attack on the government’s Ministry of Commerce website

At 09:18 on April 25, 2025, the official website of the Ministry of Commerce of the Government of Pakistan (www.commerce.gov.pk) was hit by a DDoS attack. Monitoring data showed that the attack used DNS reflection amplification focused on port 443 (HTTPS) and lasted for 1 hour, 3 minutes and 25 seconds. As of 21:00 on May 7th (GMT+8), the website is still inaccessible.

As a cabinet-level department in Pakistan, the Ministry of Commerce plays an irreplaceable role in promoting national economic growth, formulating trade policies and promoting business development. The attackers chose such a key state institution as their target. Their intention is obviously not limited to disrupting network services, but more likely to undermine Pakistan’s economic stability, interfere with the international trade negotiation process, and even weaken the government’s credibility.

Summary

Since the outbreak of the Russia-Ukraine conflict, the linkage between cyberspace and the real world has become increasingly prominent. As one of the main forms of cyber confrontation, DDoS attacks show a high degree of synchronization with geopolitical events. Unlike long-term latent cyber threats such as APT attacks, DDoS attacks can often be launched as soon as a real conflict breaks out. This immediacy has been verified again in the recent political friction between India and Pakistan.

On April 26, 2025, as tensions between India and Pakistan escalated, DDoS attacks in cyberspace between the two countries surged significantly. The near real-time correspondence between these attacks and political events fully reflects the rapid-response character of DDoS attacks as a means of network confrontation. It is worth noting that international events in recent years, such as the Russia-Ukraine conflict and the Israeli-Palestinian conflict, have objectively promoted the evolution of DDoS attack technology, continuously lowering its operational threshold and improving its attack effectiveness.

This development trend warns us that at the critical juncture of major events, we must strengthen the construction of DDoS protection systems in advance. Cyber defenders need to establish more agile response mechanisms to deal with cyber confrontations that may break out at any time. It is foreseeable that this linkage mode of conflict between cyberspace and reality will become the new normal in international relations.
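For the vectors named in this report (NTP, CLDAP, DNS and NetBIOS reflection, plus ACK floods), the following added example, which is not NSFOCUS code or data, shows how a defender can triage flow records: reflected traffic is recognised by the reflector's UDP source port, while the destination port (443 in the Ministry of Commerce case) is whatever the attacker chose. The flow tuple layout, the sample records and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflector services named in the report.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 137: "NetBIOS", 389: "CLDAP"}
TCP_ACK_ONLY = 0x10  # ACK set, no other TCP flags

# Constructed flow records (documentation IP ranges), not NSFOCUS data:
# (proto, src_ip, src_port, dst_ip, dst_port, bytes, tcp_flags)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.10", 53, "203.0.113.5", 443, 3900, 0),
    ("udp", "198.51.100.11", 53, "203.0.113.5", 443, 4100, 0),
    ("udp", "198.51.100.12", 53, "203.0.113.5", 443, 4000, 0),
    ("udp", "198.51.100.20", 123, "203.0.113.9", 80, 4680, 0),
    ("udp", "198.51.100.21", 123, "203.0.113.9", 80, 4680, 0),
    ("udp", "198.51.100.22", 123, "203.0.113.9", 80, 4680, 0),
    ("tcp", "192.0.2.30", 40211, "203.0.113.9", 443, 60, 0x10),
    ("udp", "192.0.2.53", 53, "203.0.113.7", 51514, 120, 0),    # ordinary DNS reply
    ("udp", "192.0.2.40", 50000, "203.0.113.5", 443, 1200, 0),  # QUIC, not reflection
]


def classify(flow):
    """Label one flow by vector, keyed on the *source* port for UDP
    reflection; the destination port is attacker-chosen and not used."""
    proto, _, sport, _, _, _, flags = flow
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[sport] + " reflection"
    if proto == "tcp" and flags == TCP_ACK_ONLY:
        return "ACK flood candidate"
    return None


def suspected_attacks(flows, min_sources=3, min_bytes=10_000):
    """Group labelled flows by (victim, vector) and keep groups with many
    distinct senders and high volume. Thresholds are illustrative only."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "dst_ports": set()})
    for flow in flows:
        label = classify(flow)
        if label is None:
            continue
        g = groups[(flow[3], label)]
        g["sources"].add(flow[1])
        g["bytes"] += flow[5]
        g["dst_ports"].add(flow[4])
    return {
        key: {"sources": len(g["sources"]), "bytes": g["bytes"],
              "dst_ports": sorted(g["dst_ports"])}
        for key, g in groups.items()
        if len(g["sources"]) >= min_sources and g["bytes"] >= min_bytes
    }
```

Calling `suspected_attacks(SAMPLE_FLOWS)` reports the DNS and NTP groups and leaves out the single ordinary DNS reply, the lone ACK segment and the QUIC flow.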