Cyber Incident Victim: Army Public School Ranikhet
Date: Apr 2025
Location: India
Summary
Cyber actors based in Pakistan launched a coordinated series of attacks on four defence‑affiliated websites, including the Army Public School Ranikhet and a sister institution in Srinagar. Both school sites were defaced with inflammatory propaganda, and the Srinagar site also suffered a distributed denial of service effort. Simultaneously, attempts were made to infiltrate the Army Welfare Housing Organisation database and the Indian Air Force Placement Organisation portal. The intrusions were detected in real time by India’s layered cyber‑security architecture and traced to Pakistani origins, and the affected sites were quickly isolated and restored without any impact on operational or classified networks. The attackers, identified as the IOK Hacker/Internet of Khilafah group, sought to deface pages, disrupt services and harvest personal information.
Description
Amid heightened tensions between India and Pakistan following the Pahalgam terror attack on April 22, cyber attacks were launched from Pakistan against four defence‑affiliated institutions. Official sources confirmed that intelligence assessments linked the intrusions to a group calling itself ‘IOK Hacker’ or the ‘Internet of Khilafah’. The attackers aimed to deface web pages, disrupt online services and harvest personal information from the targeted sites.

Two of the targets were the Army Public Schools in Srinagar and Ranikhet. Both schools received inflammatory propaganda that was posted on their websites, and the homepage of each site was subject to defacement attempts. In addition, the Srinagar school experienced a distributed denial of service attack that sought to overwhelm its web servers. According to army sources, the web managers quickly identified the issues, isolated the affected pages and restored normal service, preventing prolonged disruption.
The remaining targets included the Army Welfare Housing Organisation database, where an attempted breach was detected, and the Indian Air Force Placement Organisation portal, which faced a compromise effort. Upon detection, all four sites were promptly isolated from the network and restorative actions were undertaken. Officials stated that no operational or classified networks were affected at any stage, and the layered cyber‑security architecture detected the intrusions in real time, tracing their origin to Pakistan‑based actors.
