Cyber Threat Actor: Team Pak Cyber Attackers
| Actor Type | Location | Known Incidents |
Activist
|
Pakistan
|
18 incidents |
|---|
Profile
Thethreat actor known as Team Pak Cyber Attackers, also referred to as Pak Cyber Attackers or Pakistan Cyber Force, operates from Pakistan and has been active since at least 2015. The group uses several aliases in its operations, including Faisal 1337, Romantic and Intruder, and has publicly claimed affiliation with the Pakistan Army in multiple incidents. Their activities are primarily characterized by website defacements that display pro‑Pakistan slogans, national symbols and messages directed at Indian authorities, often referencing the Kashmir dispute and warning against perceived aggression.
The actor’s targeting pattern, as evidenced by the reported incidents, focuses on government and diplomatic entities in India and neighboring countries. Targets have included state education department portals, political party websites such as the Chhattisgarh BJP site, police department sites, and a wide range of Indian embassies and high commissions located in countries such as Turkey, Greece, Mexico, Brazil, Romania, Tajikistan and South Africa. In addition, the group has defaced high‑profile platforms like the Google Bangladesh domain and the Kolkata Passport Office website. The messages left on compromised sites consistently contain pro‑Pakistan nationalist slogans, taunts aimed at Indian security forces and assertions of readiness for confrontation, indicating a strategic objective of propaganda dissemination and disruption rather than financial gain.
Observed tactics, techniques and procedures are limited to website defacement activities. The actors gain unauthorized access to web servers, replace the original content with their own messages and images of Pakistani flags or military personnel, and then leave signatures such as “Struck by Faisal 1337” or “We are Team Pak Cyber Attackers.” They repeatedly assert a connection to the Pakistan Army in the defacement notes, but no independent verification of state sponsorship is provided in the sources. No malware families, exploit kits or specific intrusion vectors are described in the available material; the emphasis remains on the visible alteration of web content as the primary effect.
Notable campaigns referenced in the open‑source record include the June 2016 defacement of seven Indian embassies and a Karnataka State Police site, where the attackers used the aliases Romantic and Intruder and claimed Pakistan Army affiliation. In February 2019 the group, identified as Faisal 1337, compromised the Chhattisgarh BJP website, posting a Pakistani flag, images of military personnel and a war‑mongering message. December 2016 saw the defacement of the Google Bangladesh domain with the phrase “Pakistan Zindabad” and a taunt aimed at Google’s security. More recently, on 29 April 2025 the Rajasthan Education Department’s official portal was altered to display inflammatory messages attributed to Pakistan Cyber Force, prompting the site to be taken offline for investigation. Each of these incidents reflects the actor’s recurring focus on high‑visibility government and diplomatic web assets to convey political statements.
