Security
India emerges as prime cyber target in APAC as ransomware and data breaches surge: Cyble Report 2025
2025-12-11
Cyble Inc. has released its APAC Threat Landscape Report 2025, revealing that India continues to be one of the most targeted countries in the region. The report highlights a major rise in ransomware attacks, data breaches, and underground cybercrime operations aimed at Indian organizations.
Across the APAC region, Cyble recorded 456 ransomware attacks, 1,586 data breaches, and 335 initial access listings. India consistently featured among the most attacked nations, alongside South Korea, Singapore, Japan, Taiwan, and Thailand. According to Daksh Nakra, Senior Manager of Research and Intelligence at Cyble, India’s rapid digital adoption and strong economic activity have made it a lucrative target for both cybercriminals and state-backed groups. He added that the convergence of ransomware, data brokers, and hacktivist activity underscores the urgent need for stronger cybersecurity measures and policy responses.
Major Cyber Incidents Impacting Indian Organizations
Indian enterprises experienced several high-impact cyber incidents throughout 2025. In October 2025, a nationwide grocery retail chain suffered a massive breach that exposed the personal data of 600,000 customers and 1,000 employees, including sensitive Aadhaar and banking details.
In January 2025, a major Indian multinational payment system was compromised, with unauthorized access to its production databases, source code, and infrastructure credentials being offered for sale on underground forums. During the same month, multiple Indian companies witnessed leaks of their corporate datasets due to compromised S3 bucket access, resulting in more than 22 terabytes of sensitive information being exposed.
Additionally, an Indian multinational faced a severe ransomware attack that disrupted its IT infrastructure and forced a temporary suspension of services.
India–Pakistan Cyber Conflict Escalates
The cyber conflict between India and Pakistan intensified following the Pahalgam terror attack and India’s subsequent Operation Sindoor. Cyble observed that Pakistan-aligned advanced persistent threat groups mounted approximately 1.5 million intrusion attempts targeting Indian systems. More than 40 hacktivist groups also launched a series of DDoS attacks, website defacements, and data breach campaigns. These coordinated efforts significantly impacted government institutions, industry sectors, and critical infrastructure across India.
Regional API Flaw Exposes Millions
A major IDOR vulnerability discovered in a popular spam-blocking mobile application exposed personally identifiable information of users across India, Pakistan, and Bangladesh. The compromised data included full names, phone numbers, email addresses, and device tokens, putting millions of users at risk.
APAC Ransomware Landscape
Ransomware activity remained high across APAC, with the Qilin group responsible for 94 of the 456 attacks tracked—representing 20.6 percent of all incidents. The banking, financial services, and insurance sector was particularly affected, as attackers mounted an intensive campaign against asset-management firms in September.
The top ransomware groups active in APAC in 2025 included Qilin, which carried out 94 attacks; NightSpire with 31 attacks; Dire Wolf with 22; The Gentlemen with 21; RansomHub with 20; and Lynx, also with 20 attacks.
The sectors most frequently targeted were BFSI, manufacturing, IT and IT-enabled services, technology, and government and law enforcement.
Data Breaches Surge Across Region
The APAC region witnessed a total of 1,586 data breaches in 2025. Government and law enforcement organizations accounted for 427 incidents, representing 27 percent of the total. The education sector experienced 192 breaches, while the BFSI sector recorded 155.
Underground Access Market Expands
The underground market for initial corporate access continued to expand, with Cyble documenting 335 such listings in 2025. Government and law enforcement agencies were the most frequently affected, with 54 listings attributed to them, followed by organizations in the retail and BFSI sectors.
Geopolitical Espionage Intensifies Across APAC
China-Aligned APT Operations
The report highlights increasing activity from China-aligned advanced persistent threat groups across the region. MirrorFace, also known as Earth Kasha, carried out targeted campaigns against Japan’s government, aerospace, media, and semiconductor sectors using tools such as LODEINFO, LilimRAT, and NOOPDOOR.
Another actor, PlushDaemon, infiltrated the supply chain of a South Korean VPN provider through a backdoored installer. Meanwhile, UNC3886 targeted critical infrastructure organizations across Singapore, including those in the power, telecom, water, and transportation sectors. Taiwan also experienced approximately 2.4 million cyberattack attempts per day amid rising geopolitical tensions.
Hacktivist Activity Surges
APAC recorded over 400 hacktivist incidents and 1,162 data leak posts during the year. These attacks included widespread DDoS operations and website defacements, which affected more than 7,000 domains spanning government, BFSI, technology, and education sectors.



