Rival Spies, Same Target
In an unusual case of intelligence convergence, researchers at SentinelOne have disclosed that threat actors with links to both China and India independently compromised or targeted the Balochistan Police force in Pakistan over a period spanning at least two years. The finding, published July 10, 2026, illustrates how the geopolitically sensitive Balochistan province has become a contested digital espionage battleground for regional powers with divergent interests in Pakistan's internal security.
Neither campaign appears to have been coordinated with the other — rather, both governments had independent intelligence-gathering reasons to penetrate the same law enforcement network.
Why Balochistan?
The Balochistan province sits at the intersection of multiple strategic interests:
-
China: The province is home to the China-Pakistan Economic Corridor (CPEC) infrastructure, a flagship Belt and Road Initiative project worth tens of billions of dollars. Chinese intelligence services have strong incentives to monitor the security environment around CPEC assets, including threats from Baloch separatist groups that have conducted attacks on Chinese workers and facilities.
-
India: Pakistani law enforcement in Balochistan operates at the frontline of cross-border tensions. Indian intelligence has longstanding interest in the province's security dynamics, particularly around militant group activity and Pakistani military operations near the border.
Balochistan Police would possess operational intelligence on both, making it a high-value target for both actors simultaneously.
Two Distinct Campaigns
SentinelOne's analysis identified separate intrusion clusters with distinct tooling, infrastructure, and tactics — ruling out a single actor misattributed in both directions.
China-linked activity exhibited characteristics consistent with established People's Republic of China (PRC) espionage tradecraft: long-dwell persistence, targeted data staging, and infrastructure with registration patterns overlapping previously documented campaigns against Pakistani government entities.
India-linked activity displayed tooling and operational patterns consistent with documented South Asian threat actors, including the use of spear-phishing lures themed around regional security topics to gain initial access.
Key Takeaways for Threat Intelligence Teams
| Dimension | Observation |
|---|---|
| Sector | Law enforcement / government |
| Target region | Pakistan (Balochistan) |
| Attributed actors | China-linked APT, India-linked APT |
| Campaign overlap | Independent, not coordinated |
| Duration | 2+ years |
| Intelligence source | SentinelOne |
Broader Implications
The case is a useful reminder that geopolitical context drives targeting decisions as much as technical capability. Organizations in politically sensitive regions — particularly government bodies, border security agencies, and infrastructure operators near large foreign investment projects — should anticipate interest from multiple nation-state actors simultaneously.
Defenders in such environments should:
- Not assume a single attributable adversary; conduct multi-hypothesis intrusion analysis
- Monitor for indicators from both regional and global APT frameworks
- Prioritize email gateway hardening given the prevalence of spear-phishing in both campaigns
- Implement strict network segmentation to limit lateral movement even after initial access is achieved