Threat actors operating under suspected Chinese and Indian sponsorship compromised web servers at Balochistan Police that process sensitive law enforcement and citizen data. The espionage campaign targeted multiple Pakistani law enforcement organizations continuously from February 2024 through April 2026.

Attackers gained access to servers hosting web applications managing criminal records and citizen information. This access provided threat actors with direct visibility into operational police databases and personal data maintained by Balochistan Police. The extended duration of the campaign, spanning over two years, indicates sophisticated persistence mechanisms and sustained actor interest in Pakistani law enforcement infrastructure.

The compromise of police portals creates severe operational risks. Threat actors obtain advance warning of investigations, intelligence collection priorities, and law enforcement capacity assessments. They access personal data of citizens appearing in police records, enabling targeted recruitment, blackmail, or harassment operations. Criminal organizations gain visibility into active cases. The exposure extends beyond Balochistan Police to other Pakistani law enforcement bodies subjected to parallel compromise attempts.

Researchers attribute the campaigns to state-aligned groups based on targeting patterns, operational tempo, and geopolitical context. Pakistani law enforcement agencies operate at the intersection of multiple intelligence collection priorities for neighboring states. Chinese actors maintain persistent interest in Pakistani security infrastructure affecting Belt and Road Initiative projects and strategic partnerships. Indian threat actors target law enforcement systems for intelligence collection on border security operations and counterinsurgency activities.

The campaign demonstrates how web application compromise creates bridges into classified law enforcement ecosystems. Police portals typically lack the security hardening applied to military or intelligence networks, yet provide comparable access to sensitive operational data. Attackers weaponized standard compromise techniques—likely including credential theft, unpatched vulnerabilities, or supply chain manipulation—to establish initial footholds that remained undetected for extended periods.

Organizations operating law enforcement or government citizen databases should conduct immediate access reviews, implement network segmentation isolating police systems from internet-facing applications, and deploy