China- and India-linked hacking groups separately broke into Pakistani law enforcement systems over a period of more than two years, in some cases landing on the same machines, according to research published Thursday by SentinelLabs, the research arm of cybersecurity firm SentinelOne.
The target was the Balochistan Police, the force covering Pakistan’s southwestern province. That makes the intrusions more than routine government snooping. Balochistan is the center of a long-running separatist insurgency, and police networks can hold the kind of internal-security data foreign intelligence services like to steal rather than request politely.
SentinelLabs said the compromised systems contained criminal records, biometric and fingerprint information, personnel files, hotel and tenant registrations tied to national identity records, and public complaint data. In other words: a concentrated database of people, cases, movement, and police operations.
The researchers said the campaigns ran from February 2024 to April 2026 and were parallel rather than coordinated. SentinelLabs did not name a single hacking group as responsible for the full set of activity. It grouped the operations by tools, infrastructure, and victim patterns, which is the less glamorous but more defensible way to do attribution.
Why Balochistan Police data would be valuable
SentinelLabs assessed that the China-linked activity was probably driven by Beijing’s need to understand threats to Chinese nationals in Pakistan, especially those connected to the China-Pakistan Economic Corridor. The report pointed to a March 2024 suicide bombing and an October 2024 attack near Karachi’s airport as examples of incidents affecting Chinese workers.
The firm’s read is that China-linked operators wanted their own view of local risk instead of depending entirely on Pakistani security assurances. That does not require exotic spycraft logic. If a government has citizens and projects exposed to insurgent violence, police databases become intelligence targets.
SentinelLabs assessed the India-linked activity was likely connected to the broader India-Pakistan rivalry. Pakistan accuses India of supporting the Baloch insurgency and calls the Balochistan Liberation Army an Indian proxy. India denies that and makes its own allegations about Pakistani support for militants in Kashmir. Pakistan denies those claims. SentinelLabs said access to Balochistan Police systems would offer visibility into that conflict.
Both countries have also been accused in prior reporting of running cyber-espionage operations against each other, including campaigns aimed at Indian government, academic, and strategic organizations, as well as Pakistani government agencies and critical infrastructure operators.
A fake police portal update carried malware
One compromise described by SentinelLabs involved the Balochistan Police Complaint Management System. The portal is used by officers behind a login and by citizens checking complaint status.
According to the researchers, a China-linked operator placed malware on the portal disguised as an update. The malicious executable showed users a fake message saying the update had completed while infecting the device. Because both police staff and members of the public used the site, SentinelLabs said the altered portal put both groups at risk.
The researchers cited Chinese-language log strings and developer artifacts in the code as evidence pointing to a Chinese-speaking author. They also tied the China-nexus assessment to tools shared among Chinese groups, including PlugX and ShadowPad, and to targeting patterns involving Asian governments and, in one case, Tibetan organizations in Taiwan.
The India-nexus intrusions were assessed with lower confidence. SentinelLabs linked them to an actor it tracks as TAG-179, which overlaps with clusters other researchers call Bitter and Mysterious Elephant. One data point was a lure document themed around repatriating undocumented foreigners.
SentinelLabs warned that Pakistan’s push to centralize and digitize policing, including through European-backed modernization programs, will keep making those systems attractive targets. Digitization is useful until it builds a better filing cabinet for spies.
This story draws on original reporting from The Record.