India's Hackers Spent a Year Inside Pakistan's Nuclear Agency. The Word You Use for It Depends on Where You Live.
An India-linked cyber espionage campaign targeted Pakistan's nuclear regulator, navy, and telecom for 12 months. Indian media calls it counterterrorism. Pakistani media calls it state-sponsored aggression. The same operation, two completely different stories.
An India-linked hacking group spent 12 months inside the networks of Pakistan's nuclear regulator, navy, and telecom providers. Arctic Wolf published the findings this week. The operation targeted three countries — Pakistan, Bangladesh, and Sri Lanka — using 112 fake government-themed domains to trick officials into opening infected files.
What happened next depends on who's telling the story.
Two Names for the Same Thing
The group behind the campaign goes by "SloppyLemming" in Arctic Wolf's research. CrowdStrike calls them "Outrider Tiger" and describes the operation as supporting "Indian state intelligence collection requirements."
Indian cybersecurity outlets barely covered the report. When they did, the framing centered on the broader category of "South Asian cyber threats" — a phrase that distributes blame evenly across borders. No Indian outlet named India as the aggressor.
Pakistani tech media covered it differently. TechJuice, one of Pakistan's largest tech publications, ran it as a lead story: India-linked threat actors hit Pakistan, Bangladesh, and Sri Lanka. The headline named India. The body named the targets. The tone treated the campaign as state-sponsored aggression against a neighbor's critical infrastructure.
Same operation. Same research report. Two completely different framings.
What Actually Happened
Arctic Wolf's investigation revealed a year-long campaign from January 2025 through January 2026. The attackers registered 112 Cloudflare domains with Pakistani and Bangladeshi government-themed names designed to look official. When targets opened the phishing emails, they saw blurred documents with a message claiming their "PDF reader is disabled" — a social engineering trick to get them to enable malicious code.
Two malware strains did the work. BurrowShell, a custom backdoor, captured screenshots and manipulated file systems. A second, Rust-based trojan logged keystrokes and mapped networks.
The target list reads like a strategic intelligence shopping list: the Pakistan Nuclear Regulatory Authority. The Pakistan Navy. The National Logistics Corp. Telecom providers including PTCL and the Special Communications Organization. In Bangladesh, attackers went after the Power Grid Company and financial institutions.
Arctic Wolf assessed "with moderate confidence" that the operation aligns with "intelligence collection priorities consistent with regional strategic competition in South Asia." That's careful language. It means: these are the exact targets an Indian intelligence service would prioritize.
The Mirror War Nobody Mentions
Here's the part that rarely makes either country's headlines: both sides run these operations simultaneously.
While SloppyLemming spent a year inside Pakistani systems, Pakistan's APT36 — also known as Transparent Tribe — ran parallel campaigns against Indian government and academic targets. Two days before the Arctic Wolf report dropped, researchers at Recorded Future documented APT36 using AI-powered coding tools to mass-produce malware implants targeting India.
Maharashtra Cyber in India reported that seven Pakistan-allied APT groups attempted more than 1.5 million cyber attacks on Indian critical infrastructure following the 2025 India-Pakistan military conflict. CloudSEK researchers later cautioned that many of those claimed breaches involved "minimal disruption and reused data or superficial defacements." The claimed number was inflated. But the operations were real.
Both countries hack each other's governments. Both countries spy on each other's military infrastructure. Both countries deny involvement. Neither country has an official public attribution policy — which, as the Stimson Center pointed out, means "it is difficult to assess their evidentiary standards and the validity of their threat intelligence."
The Perception Gap: PGI 7.48
The Albis Perception Gap Index scored this story at 7.48 — firmly in "Different Realities" territory.
The gap breaks down across five dimensions. Actor portrayal scored highest at 8.0: Indian sources frame the operations (when they acknowledge them at all) as counterterrorism intelligence gathering. Pakistani and Bangladeshi sources frame the same activity as state-sponsored cyber aggression against sovereign nations. The actors are identical. The moral framing is inverted.
Causal attribution scored 7.0. In Indian media, cyber operations in South Asia exist in response to Pakistani provocations and Chinese interference. In Pakistani media, India conducts offensive espionage against neighbors to maintain regional dominance. Both framings contain truth. Neither captures the full picture.
The widest gap sits in who benefits from each narrative. Indian framing positions cyber defense as reactive and proportional — protecting national security from documented threats. Pakistani framing positions the same operations as proof that India operates as a regional cyber aggressor targeting civilian infrastructure, including nuclear safety bodies, in countries that aren't even adversaries (Bangladesh, Sri Lanka).
The Part Worth Sitting With
Two nuclear-armed neighbors spend years hacking each other's military, government, and critical infrastructure. Neither admits it. Neither has a public attribution policy. Neither has signed a bilateral cyber agreement to establish rules of engagement.
The Stimson Center's assessment cuts through both national framings: "The deployment of cyber-attacks complementary to kinetic operations along with unverifiable and potentially premature public attribution could set a dangerous precedent for a strategic environment as hostile and fragile as South Asia."
The operation Arctic Wolf documented wasn't particularly sophisticated — their own researchers noted the group's "historically inconsistent operational security." SloppyLemming left open directories. They made mistakes. They got caught.
The question isn't whether India-linked hackers targeted Pakistan's nuclear regulator. That's confirmed. The question is what happens when one of these "moderate capability" operations accidentally triggers something neither side intended — in a region where both countries have nuclear weapons and no agreed framework for handling cyber incidents.
The framing war — counterterrorism vs. aggression, defensive intelligence vs. offensive espionage — matters less than the gap it creates. Because the gap means neither country's public can see the full picture. And you can't build safety protocols for risks your population doesn't know exist.
This story was scored by the Albis Perception Gap Index — measuring how differently the world frames the same events.
Sources & Verification
Based on 5 sources from 2 regions
- The Record (Recorded Future), International
- TechJuice (Pakistan), South Asia
- Stimson Center, International
- Arctic Wolf, International
- Industrial Cyber, International