40+ Hacktivist Groups Wage Cyberwar On Indian Critical Infrastructure

Published Date: May 13, 2025
Category: ShadowOpsIntel
Share:

A large-scale, coordinated cyber campaign targeting Indian infrastructure and public services has emerged following Operation Sindoor on May 7, 2025. This cyber offensive involves 40+ pro-Pakistan hacktivist groups. The campaign signifies the convergence of geopolitical conflict with digital warfare, blending physical military strikes with simultaneous cyber offensives, primarily aimed at undermining national morale, disrupting critical services, and generating global propaganda.

Severity Level: High

THREAT OVERVIEW:

  1. Campaign Codename: #OpIndia
  2. Trigger Event: Pahalgam terror attack (April 22, 2025)
  3. Peak Activity: May 6–7, 2025
  4. Total Claimed Attacks (2025): 256+ attacks by 40+ groups
  5. Threat Actors and Hacktivist Alliances

Primary Groups Involved:

THREAT ACTORDESCRIPTIONKEY ACTIVITIES
Keymous+most aggressive and operationally persistent actorsAttacks on healthcare, municipal infrastructure, DDoS, web defacement
AnonSecHigh-profile group with political motivesDefacement of PMO, Election Commission, NJDG; future threats to military
RipperSecDDoS-as-a-service providerResponsible for 30%+ DDoS attacks; used MegaMedusa tool
Mr. Hamza, Sylhet Gang, Vulture (Iran), Red Wolf Cyber, Nation of SaviorsRegional and ideological affiliationsMultiple attack claims; alliances formed post Operation Sindoor
Mysterious Team Pakistan, Islamic Hacker Army, Rabbit Cyber TeamIdeological motivations; real-time retaliationDDoS & propaganda
  • Attack Methods

DDoS Attacks (Most Prevalent – Over 70% of Cases)

  • Volumetric: NTP, DNS, CLDAP, NetBIOS amplification.
  • Application-Layer: HTTP Flood, HTTP POST, RUDY (slow POST), TCP floods.
  • Tooling: MegaMedusa (Node.js-based), botnets, and public DDoS tools.

Web Defacement (~36%)

  • Used “Alone injector.php” exploiting PHP upload vulnerabilities.
  • Messaging included political slogans, anti-India content, Operation Sindoor retaliation banners.

Data Breach Attempts (~8%) – Often Psychological

  • Claims by groups like Team Insane Pakistan, but most lacked verifiable evidence.
  • Designed to induce panic and signal deep penetration.

Unauthorized Access Probing (~3%)

  • Login portals, judicial platforms, and healthcare logins targeted for credential harvesting.
  • Infrastructure and Entities Targeted

Key Targets in India:

SECTORSPECIFIC ENTITIES
GovernmentPMO, GeM, NIC, Election Commission, NJDG, PESB
DefenseMinistry of Defence, Indian Army, Navy, Air Force portals
TelecomBSNL (attacked multiple times), Indian Railways
EnergyPowerGrid Corporation of India
FinanceNSE, BSE (international access restricted), IOB, Bank of Baroda
HealthcareHospitals and public health portals
EducationNccc News, UIDAI, academic institutions

Recommendations:

  1. Implement perimeter controls/firewall rules to filter large or fragmented ICMP packets and UDP reflection/amplification attacks:
  2. Restrict ICMP type echo-request with length 1501:65535.
  3. Restrict UDP traffic on port 123 and block packets larger than 50 bytes.
  4. Restrict UDP traffic from source port 53 and block packets larger than 512 bytes (DNS reflection/amplifcation attacks).
  5. Restrict UDP traffic on port 1900 (SSDP).
  6. Restrict UDP traffic on port 11211 (Memcached).
  7. Restrict UDP traffic on port 19 (Chargen).
  8. Restrict UDP traffic on port 389 (LDAP). If LDAP doesn’t require UDP, disable it on your server.
  9. Deploy Web Application Firewall (WAF) controls to mitigate bot-originated traffic.
  10. Deploy TCP 3-way handshake verification controls to combat TCP-SYN flood attacks.
  11. Ensure your cloud volumetric DDoS monitoring thresholds are properly configured to detect unusual traffic spikes in the above-mentioned protocols/services.
  12. Evaluate your DDoS incident response process (perhaps with a tabletop exercise).
  13. In the case of on-premise/inline DDoS protection solutions, make sure to enable on-demand HTTP authentication controls in case of abnormal HTTP requests.
  14. Secure your Web Server Configuration by disabling unnecessary features or modules (mod_autoindex, mod_status).
  15. Ensure directory listing is disabled to prevent attackers from viewing sensitive files.
  16. Use strong SSL/TLS encryption for secure connections (preferably TLS 1.2 or 1.3).
  17. If using a CMS (e.g., WordPress, Joomla), ensure it is properly configured and secured.
  18. Use security plugins/modules designed to detect and block malicious activity (e.g., Wordfence for WordPress).
  19. Regularly change default admin passwords and usernames.
  20. Use IP whitelisting to limit access to the admin panel or backend and implement MFA for all administrative accounts and critical user roles.

Source:

  • https://cyberxtron.com/blog/india-under-cyber-siege-40-hacktivist-groups-joined-hands-and-targeting-key-sectors-post-operation-sindoor-6500
  • https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/
  • https://cyble.com/blog/india-experience-hacktivist-group-activity/
  • https://nsfocusglobal.com/two-battlegrounds-india-pakistan-conflicts-and-ddos-attacks/
  • https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

virustotal

No related posts found.

Talk to an expert