
China- and India-linked clusters compromise Balochistan Police CMS and FortiMail, exposing biometric and criminal records from 2024-2026
Multi-group espionage against Pakistani police portals reveals parallel China- and India-linked operations on shared critical infrastructure. The CMS compromise directly exposes national biometric and identity-linked records. Gaps in appliance monitoring and integration with national ID systems create durable supply-chain collection opportunities.
The intrusion chain began with network appliances and web servers tied to the Smart Police Station initiative. One cluster replaced a legitimate CMS update with a custom implant that reached both police staff and citizens submitting biometric or case data. Victim telemetry shows the same C2 infrastructure later reached Khyber Pakhtunkhwa Police, Islamabad Police, and Punjab Safe Cities Authority hosts. SentinelOne telemetry places PlugX activity from February to September 2024 and ShadowPad from August to December 2024.
Evidence consists of shared infrastructure hashes, FortiMail configuration artifacts, and lures referencing Afghan Citizen Card repatriation lists. PlugX and ShadowPad clusters also hit foreign affairs and defense entities across South and Southeast Asia, matching prior China-aligned patterns documented in Recorded Future reporting on Mustang Panda operations. The Remcos cluster overlaps with Mysterious Elephant infrastructure previously tied to SideWinder by Proofpoint.
Mainstream coverage treats the activity as two discrete campaigns. Contract and procurement records show the CMS integrates directly with Pakistan's national identity database, creating an unmonitored supply-chain vector that extends collection to hotel registrations and tenant data. Standard appliance logging gaps allowed the FortiMail compromise to persist undetected for nearly two years.
Next indicators will appear in PSCA logs once Remcos beacons resume after the April 2026 takedown window. Agencies without centralized Fortinet telemetry will continue to serve as persistent collection nodes.
SENTINEL: Remcos beacons tied to the same Mysterious Elephant infrastructure will reappear in Punjab Safe Cities Authority netflow within 90 days of the April 2026 sinkholing.
Sources (3)
- [1]SentinelOne SentinelLABS Report(https://www.sentinelone.com/labs/balochistan-police-portal-espionage/)
- [2]Proofpoint Mysterious Elephant Analysis(https://www.proofpoint.com/us/threat-insight/post/mysterious-elephant-apt-c-08)
- [3]Recorded Future Mustang Panda Infrastructure(https://www.recordedfuture.com/mustang-panda-plugx-shadowpad/)