
Top 10 Major Cyber Attacks in India

Author: Jay Thakker
Reviewed By: Nilesh Yadav
Updated on: January 28, 2026
Reading Time: 15 Min
Published: May 24, 2025

Cyberattacks against Indian organisations accelerated through 2025 and into 2026, and the incidents below are the most significant recent cases linked to India-based targets. This article outlines what happened across ransomware claims, alleged data leaks under investigation, cloud compromises, financial and healthcare outages, and government-portal abuse, and connects each event to its likely entry path and its impact on confidentiality, integrity and availability (the CIA triad). 


1. Tata Technologies (ransomware attack) 

Tata Technologies disclosed a ransomware incident on 31 Jan 2025 affecting a few IT assets. It suspended some IT services, later restored them, and said client delivery remained unaffected while experts investigated. In early March 2025, Hunters International claimed responsibility and alleged 1.4 TB theft, which Tata did not confirm. 

  • Date of Incident: 31 Jan 2025  
  • Affected Sectors: Engineering and IT services (product engineering and digital/IT delivery for manufacturing-heavy industries).  
  • City / country: Pune, India (company headquarters; incident disclosed as impacting internal IT assets).  
  • Source of attack: Ransomware attack; Hunters International later claimed responsibility and alleged data theft, but Tata’s public statement did not confirm the exfiltration volume or the initial intrusion method.  
  • Age: 343 days old as of 9 Jan 2026 (Asia/Kolkata). 
  • Malicious Intent: Extortion via ransomware; possible data-theft leverage per attacker claim.  
  • Unauthorized Access: Confirmed impact to “a few” internal IT assets; access path not disclosed.  
  • Digital Target: Enterprise IT environment (selected IT systems/services), not described as OT.  
  • Exploitation of Vulnerabilities: Not publicly disclosed (no confirmed CVE or misconfiguration identified in filings).  
  • Use of Recognized Attack Vectors: Ransomware is confirmed; initial access vector (phishing, stolen creds, exposed services, etc.) not disclosed. 
  • Impact on the CIA Triad: 
    • Availability: Some IT services temporarily suspended.
    • Confidentiality: Not confirmed by Tata; attacker group alleged exfiltration.
    • Integrity: Not publicly described.
  • Detection or Alerting: Tata said it “became aware,” initiated investigation, and restored services; tooling/signals not disclosed.  
  • Indicators of Compromise (IOCs): Not publicly disclosed (no hashes, IPs, domains, or filenames released in official statements).  
  • Lateral Movement or Privilege Escalation: Not publicly disclosed.  
  • Attribution to a Threat Actor: Hunters International claim reported by security outlets; not independently validated in Tata’s disclosure.

2. Raymond (cybersecurity incident disclosed to stock exchanges) 

On Feb 19, 2025, Raymond disclosed a cybersecurity incident affecting some IT assets, which were isolated for containment. It said core systems and daily operations were unaffected, with customer and store operations continuing. In a situation like this, Eventus SOC-as-a-Service can strengthen containment by correlating telemetry from the isolated assets and monitoring for re-compromise. The root cause and any data theft were unconfirmed. 

  • Date of Incident: 19 Feb 2025 
  • Affected Sectors: Textiles and fashion retail (Raymond Ltd’s core industry; incident affected internal IT assets while store operations continued).  
  • City / country: Mumbai, Maharashtra, India (company location city/country). 
  • Age: 324 days old as of 9 Jan 2026 (Asia/Kolkata). 
  • Malicious Intent: Not disclosed by the company; motive (extortion, espionage, disruption) is unconfirmed.  
  • Unauthorized Access: Confirmed incident impacting “some” IT assets; exact access type not disclosed.  
  • Digital Target: Internal IT assets (systems isolated during containment).  
  • Exploitation of Vulnerabilities: Not disclosed (no confirmed CVE or misconfiguration published). 
  • Use of Recognized Attack Vectors: Not disclosed (no confirmed phishing, stolen credentials, exposed service, malware family).  
  • Impact on the CIA Triad: 
    • Availability: Limited; affected IT assets were isolated, but core systems and operations continued.
    • Confidentiality: Not confirmed; no validated data theft disclosure.
    • Integrity: Not disclosed.
  • Detection or Alerting: Not disclosed (no specific control, alert source, or timeline published).  
  • Indicators of Compromise (IOCs): Not publicly disclosed (no hashes, IPs, domains, filenames).  
  • Lateral Movement or Privilege Escalation: Not publicly disclosed.  
  • Attribution to a Threat Actor: None publicly attributed by Raymond in the exchange-linked reporting. 

3. Niva Bupa Health Insurance (alleged customer data leak under investigation)

On Feb 21, 2025, Niva Bupa reported receiving emails from an anonymous sender claiming to hold customer data, and began an urgent investigation and mitigation. Early-March court reporting described an escalation in which data allegedly covering the period up to February 2025 was posted to “NivaBupaLeaks.com” with a payment demand, prompting takedown efforts. In a scenario like this, a SOC service provider such as Eventus helps by triaging the extortion claim, validating whether access actually occurred through log and identity forensics, and monitoring for ongoing data access while containment and legal action run in parallel. The breach method and scope were unconfirmed. 

  • Date of Incident: 21 Feb 2025 
  • Affected Sectors: Health insurance  
  • City / country: Gurugram, Haryana, India  
  • Source of attack: Anonymous extortion claim via email 
  • Age: 322 days old as of 9 Jan 2026 
  • Malicious Intent: Extortion/data-leak coercion  
  • Unauthorized Access: Alleged access to customer/claims data; Niva Bupa publicly confirmed receipt of the claim, not verified access details.  
  • Digital Target: Customer data and insurance claims data (as claimed in the communications).  
  • Exploitation of Vulnerabilities: Not publicly disclosed (no confirmed CVE or misconfiguration published).  
  • Use of Recognized Attack Vectors: Not publicly disclosed (no confirmed phishing, stolen credentials, exposed service, or malware family stated).  
  • Impact on the CIA Triad: 
    • Confidentiality: Potentially impacted (data possession/leak was claimed; verification not confirmed publicly).
    • Integrity: Not disclosed.
    • Availability: Not reported as impacted in disclosures.
  • Detection or Alerting: Trigger was external notification (email claim); internal detection controls and timing were not disclosed.  
  • Indicators of Compromise (IOCs): Not publicly disclosed (no hashes, IPs, domains, or filenames released by the company).  
  • Lateral Movement or Privilege Escalation: Not publicly disclosed.  
  • Attribution to a Threat Actor: Initially anonymous; later court-linked reporting references the handle “xenZen” in the context of the communications, but this remains a claim rather than a publicly validated attribution by the insurer.

4. Angel One (AWS resources compromised)

Angel One disclosed a breach on Feb 28, 2025, after a dark-web monitoring partner alerted it on Feb 27 that some of its AWS resources had been compromised. It rotated AWS and application credentials and engaged external forensics experts to establish impact and root cause. In cloud incidents like this, a managed security service provider such as Eventus supports the response by continuously monitoring cloud logs, detecting abnormal IAM activity, and guiding credential rotation, access-key revocation, and secure reconfiguration across the affected AWS services. Angel One said client funds, securities, and login credentials were unaffected; the intrusion method and the scope of exposed data were unconfirmed. 

  • Date of Incident: 28 Feb 2025 
  • Affected Sectors: Financial services, stockbroking  
  • City / country: Mumbai, Maharashtra, India 
  • Source of attack: Unauthorised access to some AWS resources (surfaced by a dark-web monitoring alert) 
  • Age: 315 days old as of 9 Jan 2026  
  • Malicious Intent: Data leakage and likely monetization or extortion (intent not confirmed by Angel One).  
  • Unauthorized Access: Confirmed unauthorized access leading to compromise of some AWS resources.  
  • Digital Target: AWS-hosted resources containing client information (exact services not publicly specified).  
  • Exploitation of Vulnerabilities: Not disclosed (no confirmed CVE, misconfiguration, or IAM failure published).  
  • Use of Recognized Attack Vectors: Not disclosed (could be stolen cloud credentials, exposed keys, or misconfigured storage; no confirmed vector stated). 
  • Impact on the CIA Triad: 
    • Confidentiality: Potentially impacted (data leakage context; scope not fully published).
    • Integrity: Not disclosed.
    • Availability: Not reported as impacted.
  • Detection or Alerting: External alert via a dark-web monitoring partner; internal detection details not disclosed. 
  • Indicators of Compromise (IOCs): Not publicly disclosed (no hashes, IPs, domains, or access-key identifiers released).  
  • Lateral Movement or Privilege Escalation: Not disclosed (no published evidence of cross-account movement or elevated IAM roles).  
  • Attribution to a Threat Actor: No public attribution by Angel One; Reuters reporting does not name a group.
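The detection logic FAQ 3 recommends for an incident like Angel One’s (alerting on access keys used from unexpected networks and on privilege changes) can be prototyped directly over CloudTrail events. The block below is an added example, not Angel One’s or Eventus’s code: the events, key IDs, IP ranges and the baseline of “known” networks are constructed, and the denied-call threshold is an assumption. It flags three signals (a key used from a network it has never used, a privilege-changing IAM call, and a burst of AccessDenied errors that looks like permission enumeration) and derives the keys to deactivate first.

```python
"""Added example, not Angel One's or Eventus's code: triage CloudTrail-style
events for unusual access-key use and privilege changes, then derive a
revocation list. Events, key IDs and IP addresses are constructed."""
from collections import Counter, defaultdict

# IAM/STS calls that change who can do what in the account.
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
}
DENIED_BURST = 3  # AccessDenied count from one key treated as enumeration (assumption)

# Constructed baseline: the /24 source networks each long-lived key is expected from.
KNOWN_NETWORKS = {
    "AKIAEXAMPLE0000000001": {"203.0.113."},   # CI runner egress (placeholder)
    "AKIAEXAMPLE0000000002": {"198.51.100."},  # office egress (placeholder)
}


def _ev(t, source, name, ip, key, user, **extra):
    """Build a minimal CloudTrail-shaped record (only the fields used below)."""
    rec = {"eventTime": t, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}
    rec.update(extra)
    return rec


K1, K2 = "AKIAEXAMPLE0000000001", "AKIAEXAMPLE0000000002"
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    _ev("2025-02-27T09:01:12Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.10", K1, "ci-deploy"),
    _ev("2025-02-27T09:40:03Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.7", K2, "ops-ro"),
    _ev("2025-02-27T22:14:51Z", "sts.amazonaws.com", "GetCallerIdentity", "192.0.2.44", K1, "ci-deploy"),
    _ev("2025-02-27T22:15:02Z", "s3.amazonaws.com", "ListBuckets", "192.0.2.44", K1, "ci-deploy"),
    _ev("2025-02-27T22:15:30Z", "iam.amazonaws.com", "ListUsers", "192.0.2.44", K1, "ci-deploy", errorCode="AccessDenied"),
    _ev("2025-02-27T22:15:31Z", "iam.amazonaws.com", "ListRoles", "192.0.2.44", K1, "ci-deploy", errorCode="AccessDenied"),
    _ev("2025-02-27T22:15:33Z", "s3.amazonaws.com", "GetBucketPolicy", "192.0.2.44", K1, "ci-deploy", errorCode="AccessDenied"),
    _ev("2025-02-27T22:16:10Z", "iam.amazonaws.com", "AttachUserPolicy", "192.0.2.44", K1, "ci-deploy",
        requestParameters={"userName": "ci-deploy", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2025-02-27T22:16:40Z", "iam.amazonaws.com", "CreateAccessKey", "192.0.2.44", K1, "ci-deploy",
        requestParameters={"userName": "ci-deploy"}),
]


def network_of(ip):
    """Coarse source-network key: the /24 prefix of a dotted-quad IPv4 address."""
    return ip.rsplit(".", 1)[0] + "."


def analyse(events, known_networks=KNOWN_NETWORKS, denied_burst=DENIED_BURST):
    """Return (kind, time, key, user, ip, eventName) findings in event order."""
    findings, denied = [], Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId")
        if not key:
            continue
        ip = ev.get("sourceIPAddress", "")
        base = (ev["eventTime"], key, ident.get("userName"), ip, ev["eventName"])
        if key in known_networks and network_of(ip) not in known_networks[key]:
            findings.append(("new_network",) + base)
        if ev["eventName"] in PRIVILEGE_CHANGE_EVENTS:
            findings.append(("privilege_change",) + base)
        if ev.get("errorCode") == "AccessDenied":
            denied[key] += 1
            if denied[key] == denied_burst:  # fire once, when the burst threshold is reached
                findings.append(("denied_burst",) + base)
    return findings


def keys_to_revoke(findings):
    """Keys that changed privileges, or that enumerated permissions from an unknown network."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f[2]].add(f[0])
    return sorted(k for k, ks in kinds.items()
                  if "privilege_change" in ks or {"new_network", "denied_burst"} <= ks)


if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for f in found:
        print(*f)
    print("revoke:", keys_to_revoke(found))
```

In production the known-network baseline comes from weeks of real CloudTrail data rather than a dict, and the revocation list feeds `aws iam update-access-key --status Inactive` before forensics completes: deactivating a key is reversible, a live attacker’s next API call is not.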

5. Nippon Life India Asset Management / Nippon India Mutual Fund (cyberattack causing prolonged outage)

On Apr 9, 2025, Nippon Life India Asset Management reported a cyberattack and shut down the affected systems for investigation. The website and portal/app logins were disrupted for several days, limiting online transactions. In outages like this, an AI-driven SOC-as-a-Service correlates application, network, and endpoint telemetry to pinpoint the trigger, reduce alert noise, and watch for re-attack signals during restoration. By Apr 21 services were fully functional; the intrusion method and any data theft were unconfirmed. 

  • Date of Incident: 9 Apr 2025 
  • Affected Sectors: Financial services, specifically asset management and mutual funds 
  • City / country: Mumbai, India 
  • Source of attack: Cyberattack on IT infrastructure 
  • Age: 275 days old as of 9 Jan 2026 
  • Malicious Intent: Not confirmed; likely disruption and/or data access, but the motive was not disclosed. 
  • Unauthorized Access: Confirmed incident involving a cyberattack on IT infrastructure; access details not disclosed.  
  • Digital Target: IT infrastructure supporting website, portal login, and mobile app services. 
  • Exploitation of Vulnerabilities: Not publicly disclosed (no CVE or misconfiguration published). 
  • Use of Recognized Attack Vectors: Not publicly disclosed (no confirmed phishing, stolen credentials, exposed service, or malware family).  
  • Impact on the CIA Triad: 
    • Availability: Impacted; portal and digital channels were disrupted until restoration.
    • Confidentiality: Not confirmed publicly (no validated disclosure of data theft).
    • Integrity: Not disclosed.
  • Detection or Alerting: Company stated it became aware and then shut down affected systems; alert source not disclosed.  
  • Indicators of Compromise (IOCs): Not publicly disclosed.  
  • Lateral Movement or Privilege Escalation: Not publicly disclosed.  
  • Attribution to a Threat Actor: No public attribution in the cited disclosures/reporting. 


6. Operation Sindoor-linked cyberattack wave

During Operation Sindoor (May 2025), coordinated cyber activity targeted Indian government sites and critical infrastructure. Reports cited a roughly 19-hour DDoS against the President’s website and about 200,000 attempts against power-grid IT and OT systems. In a surge like this, SOC services provide 24/7 detection, anomaly correlation, and containment playbooks to keep services available and to flag any escalation from probing to actual intrusion. 

  • Date of Incident: May 7–10, 2025 
  • Affected Sectors: Government web portals and public services 
  • City / country: India (nationwide) 
  • Source of attack: Primarily DDoS/availability attacks and probing attempts 
  • Age: 247 days old as of 9 Jan 2026  
  • Malicious Intent: Service disruption and pressure during a conflict-linked escalation. 
  • Unauthorized Access: Not confirmed for DDoS/probing; defacements imply unauthorized modification on some sites, but access paths are not specified. 
  • Digital Target: President’s public website; power grid IT and OT; ministries; NIC data centres; defence research organisations; public-service portals. 
  • Exploitation of Vulnerabilities: Not disclosed (no CVE or specific weakness published). 
  • Use of Recognized Attack Vectors: DDoS; website defacement; “probing” against IT/OT without method detail. 
  • Impact on the CIA Triad: 
    • Availability: Primary impact (DDoS aimed to overwhelm services).
    • Integrity: Potentially impacted where defacements occurred (content alteration).
    • Confidentiality: Not established for this wave.
  • Detection or Alerting: Reported as spikes and volumes; specific SOC telemetry not described. 
  • Indicators of Compromise (IOCs): Not published (no IPs, domains, hashes). 
  • Lateral Movement or Privilege Escalation: Not reported. 
  • Attribution to a Threat Actor: Described broadly as Pakistan-aligned groups; no single verified operator named. 

7. DDoS attack on Power Grid Corporation of India

On May 2, 2025, Power Grid Corporation of India’s public website was taken down by a DDoS attack for about 31 minutes, disrupting online services such as bill payments and fault reporting without affecting grid operations. In events like this, a SOC-as-a-Service provider in India monitors edge and application telemetry around the clock, coordinates filtering with the ISP or CDN, and checks whether the flood is masking parallel intrusion attempts. The DDoS technique (volumetric versus application-layer) and any accompanying intrusion activity were not disclosed. 

  • Date of Incident: 2 May 2025. 
  • Affected Sectors: Energy and critical infrastructure 
  • City / country: Gurugram, Haryana, India  
  • Source of attack: DDoS on the official website 
  • Age: 252 days old as of 9 Jan 2026 
  • Malicious Intent: Service disruption of public-facing digital services. 
  • Unauthorized Access: Not established; DDoS does not require system access, and no access is described.  
  • Digital Target: Public web front-end and associated online service endpoints.  
  • Exploitation of Vulnerabilities: Not disclosed (no CVE or misconfiguration described).  
  • Use of Recognized Attack Vectors: DDoS (specific technique not described). 
  • Impact on the CIA Triad: 
    • Availability: Impacted (temporary disruption to online services).
    • Integrity: Not reported.
    • Confidentiality: Not reported.
  • Detection or Alerting: Attack was identified and reported; detection source and telemetry are not described. 
  • Indicators of Compromise (IOCs): Not published (no IPs, domains, hashes).  
  • Lateral Movement or Privilege Escalation: Not reported. 
  • Attribution to a Threat Actor: Not provided (no named actor/group).

8. Double DDoS attack on BSNL

On April 25–26, 2025, BSNL’s main website was hit by two consecutive DDoS attacks, each lasting more than 30 minutes. The attacks were reported as web front-end disruptions to BSNL’s online customer workflows, and the site was described as inaccessible for several days afterwards, disrupting bill payments, service requests, and customer-support functions that depend on the public portal. The available reporting does not describe the traffic profile (volumetric versus application-layer), the botnet infrastructure, or whether the floods were paired with intrusion activity, and no public details confirm data access, credential theft, or persistence inside BSNL’s internal systems for this incident. 

  • Date of Incident: 25–26 Apr 2025 
  • Affected Sectors: Telecommunications (state-owned operator; public customer portal affected) 
  • City / country: New Delhi, India (company headquarters; the portal serves customers nationwide) 
  • Source of attack: DDoS on the public website 
  • Age: 259 days old as of 9 Jan 2026 (counted from 25 Apr 2025) 
  • Malicious Intent: Disrupt public-facing services and degrade customer access. 
  • Unauthorized Access: Not established; DDoS typically does not require access, and no access is described.  
  • Digital Target: BSNL public website and online service endpoints (payments, requests, support).  
  • Exploitation of Vulnerabilities: Not disclosed (no CVE or weakness identified). 
  • Use of Recognized Attack Vectors: DDoS (technique details not provided). 
  • Impact on the CIA Triad: 
    • Availability: Impacted (site inaccessible; online services disrupted).
    • Integrity: Not reported.
    • Confidentiality: Not reported.
  • Detection or Alerting: Not described (no monitoring source or alert timeline provided).  
  • Indicators of Compromise (IOCs): Not published (no IPs, domains, hashes). 
  • Lateral Movement or Privilege Escalation: Not reported.  
  • Attribution to a Threat Actor: Not provided (no named group or operator).
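The check described in sections 7 and 8, whether a flood is masking a parallel intrusion attempt, is an access-log analysis rather than a network one. The block below is an added example, not code from Power Grid, BSNL or Eventus: the log lines are constructed, and the flood threshold and the source-share cutoff are assumptions to tune against a real baseline. It finds the seconds where the request rate spikes, separates the high-volume flood sources, and returns the low-volume requests in the same window that touch authentication paths or are rejected, which is where a hidden credential-guessing client shows up.

```python
"""Added example (not Power Grid's, BSNL's or Eventus's code): triage a web
access log during a DDoS window and surface requests the flood may be masking.
Log lines are constructed; thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
SENSITIVE_PREFIXES = ("/login", "/admin", "/api/auth", "/account")
FLOOD_RPS = 50             # requests/second that counts as a flood (assumption)
FLOOD_SOURCE_SHARE = 0.05  # a source sending >=5% of a flood window is flood traffic (assumption)


def parse(line):
    """Combined-log-format line -> dict, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "t": int(ts.timestamp()), "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def flood_windows(records, rps=FLOOD_RPS):
    """Epoch seconds whose request count reaches the flood threshold."""
    per_sec = Counter(r["t"] for r in records)
    return sorted(t for t, n in per_sec.items() if n >= rps)


def masked_requests(records, rps=FLOOD_RPS, share=FLOOD_SOURCE_SHARE):
    """During flood seconds, keep requests from low-volume sources that touch
    sensitive paths or are rejected (401/403): candidates for a hidden intrusion."""
    floods = set(flood_windows(records, rps))
    in_flood = [r for r in records if r["t"] in floods]
    if not in_flood:
        return []
    by_ip = Counter(r["ip"] for r in in_flood)
    flood_ips = {ip for ip, n in by_ip.items() if n / len(in_flood) >= share}
    return [r for r in in_flood
            if r["ip"] not in flood_ips
            and (r["path"].startswith(SENSITIVE_PREFIXES) or r["status"] in (401, 403))]


def build_sample():
    """Constructed sample: a 3-second flood from three sources with a login-guessing
    client (192.0.2.77) hiding in the noise, plus two ordinary requests."""
    lines, bots = [], ["203.0.113.5", "203.0.113.6", "198.51.100.9"]
    for sec in range(10, 13):
        ts = f"10/May/2025:14:03:{sec:02d} +0530"
        for i in range(60):
            lines.append(f'{bots[i % 3]} - - [{ts}] "GET /?q={i} HTTP/1.1" 503 0')
        lines.append(f'192.0.2.77 - - [{ts}] "POST /login HTTP/1.1" 401 512')
    lines.append('192.0.2.30 - - [10/May/2025:14:03:09 +0530] "GET /bills HTTP/1.1" 200 2048')
    lines.append('192.0.2.31 - - [10/May/2025:14:03:11 +0530] "GET /status HTTP/1.1" 200 128')
    return lines


if __name__ == "__main__":
    recs = [r for r in map(parse, build_sample()) if r]
    print("flood seconds:", flood_windows(recs))
    for r in masked_requests(recs):
        print(r)
```

The same split (flood sources versus everyone else) is what you hand to the CDN or ISP for filtering, while the residual list goes to the SOC as a separate, higher-priority queue so it is not buried under the volumetric alerts.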

9. Star Health (continuing cyber-extortion campaign tied to prior data leak)

Star Health faced escalating extortion in 2025 following an earlier leak of customer data. An actor using the alias “xenZen” claimed responsibility for death threats and bullet cartridges sent to the CEO and CFO, citing denied insurance claims as the motive. The same alias had earlier been tied to exposure of the data via chatbots and a leak site, together with a $68,000 demand. The intrusion method and the verified number of affected records remain unconfirmed. 

  • Date of Incident: 9 May 2025 
  • Affected Sectors: Health insurance  
  • City / country: Chennai, India 
  • Source of attack: Extortion and intimidation following a prior data breach 
  • Age: 245 days old as of 9 Jan 2026 
  • Malicious Intent: Extortion and intimidation to coerce payment or influence outcomes.  
  • Unauthorized Access: Prior unauthorized exposure of customer data is reported; the 2025 phase centers on coercion and threats rather than newly confirmed system access.  
  • Digital Target: Customer personal and medical data; insurer leadership communications and reputation. 
  • Exploitation of Vulnerabilities: Not publicly confirmed (no disclosed CVE or misconfiguration). 
  • Use of Recognized Attack Vectors: Data-leak distribution via chatbots/leak site; extortion emails and coercive messaging.  
  • Impact on the CIA Triad: 
    • Confidentiality: Impacted (reported exposure of sensitive customer data).
    • Integrity: Not established.
    • Availability: Not reported as impacted in this 2025 escalation.
  • Detection or Alerting: Escalation surfaced via direct communications and law-enforcement investigation; internal detection details are not public.  
  • Indicators of Compromise (IOCs): Not publicly released (no hashes, IPs, or domains listed in the reporting cited here). 
  • Lateral Movement or Privilege Escalation: Not publicly documented.  
  • Attribution to a Threat Actor: Claimed by “xenZen” (self-asserted identity; not presented as a formally verified attribution).

10. Delhi hospitals (Sant Parmanand Hospital and NKS Super Speciality Hospital) hacked 

On June 10–11, 2025, Sant Parmanand Hospital (Civil Lines) and NKS Super Speciality Hospital (Gulabi Bagh) reported server hacking that disrupted IT systems. Patient, financial, and administrative files were reportedly accessed. NKS said OPD and IPD workflows were disrupted, forcing manual processes. Delhi Police filed an FIR and engaged experts. Initial access method, encryption, and data exfiltration were unconfirmed. 

  • Date of Incident: Night of 10–11 June 2025. 
  • Affected Sectors: Healthcare (hospitals) 
  • City / country: Delhi (New Delhi), India. 
  • Source of attack: Server hacking / deliberate cyberattack 
  • Age: 213 days old as of 9 Jan 2026 
  • Malicious Intent: Disruption of hospital operations; possible data access (reported). 
  • Unauthorized Access: Reported unauthorized access to hospital servers and sensitive files.  
  • Digital Target: Hospital servers and systems holding patient information, administrative records, and financial documents.  
  • Exploitation of Vulnerabilities: Not disclosed (no CVE or misconfiguration published).  
  • Use of Recognized Attack Vectors: Not disclosed (no confirmed phishing, stolen credentials, exposed service, or malware family).  
  • Impact on the CIA Triad: 
    • Confidentiality: Potentially impacted (patient/financial/admin files reportedly accessed).
    • Integrity: Not established in reporting.
    • Availability: Impacted (digital access disruption; OPD/IPD workflows affected; manual fallback).
  • Detection or Alerting: Initially noticed as service disruption; later treated as cyberattack after IT-team investigation.  
  • Indicators of Compromise (IOCs): Not publicly released (no IPs, hashes, domains, or filenames published).  
  • Lateral Movement or Privilege Escalation: Not publicly disclosed.  
  • Attribution to a Threat Actor: Not publicly attributed to a named group or individual.  

Conclusion 

2025 showed a clear pattern: attackers did not rely on a single technique. They mixed ransomware, extortion, cloud compromise, portal abuse, and disruption attacks such as DDoS and website tampering to hit what matters most: service availability, sensitive data, and public trust. Some of the incidents above are confirmed breaches; others are claims still under investigation. In both cases the operational lesson is the same: reduce exposure, harden identity and cloud controls, and treat detection and response as continuous rather than periodic. If 2025 was the year of scale and persistence, expect 2026 to move faster, target more dependencies, and punish slow containment. 

FAQs

  1. How do we verify whether a ransomware group’s “data theft” claim is real?
    Validate with outbound network logs, identity and access logs, DLP alerts, and forensic triage of affected endpoints and servers.

  2. What is the minimum evidence we should preserve in the first 24 hours after an incident?
    Freeze logs (SIEM, EDR, IAM, VPN, cloud), capture key system images where feasible, and maintain a time-stamped incident timeline.

  3. What cloud controls reduce the chance of AWS resource compromise like exposed keys or IAM misuse?
    Enforce MFA, rotate and scope credentials, restrict IAM with least privilege, and alert on unusual access-key use and privilege changes.

  4. What is the most practical way to reduce DDoS impact on public portals without rebuilding everything?
    Use CDN and WAF in front of portals, rate-limit critical endpoints, enable upstream filtering, and pre-stage a DDoS runbook with your ISP.

  5. How do government portals reduce OTP diversion and account takeover risks tied to identity changes?
    Lock down change-of-mobile workflows with stronger verification, add device and admin action logging, and continuously monitor privileged activity.
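FAQ 1 says to validate a theft claim with outbound network logs. Applied to a claim like the 1.4 TB alleged against Tata Technologies, that means asking two questions of flow data (VPC flow logs, NetFlow or firewall session logs): which internal hosts sent far more to external destinations than they normally do, and whether the observed egress over the incident window could account for the claimed volume at all. The block below is an added example, not Tata’s or Eventus’s code: the flow records, hosts, destinations and the simplified (day, src, dst, bytes) shape they are reduced to are constructed, and the 5x anomaly factor is an assumption.

```python
"""Added example (not Tata Technologies' or Eventus's code): test a ransomware
group's exfiltration claim against outbound flow data. Flow records, hosts
and destinations are constructed; the anomaly factor is an assumption."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GB = 10**9


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_egress(flows):
    """Per host: bytes sent to non-internal destinations, keyed by day and by (host, day) -> dst."""
    per_day = defaultdict(lambda: defaultdict(int))
    per_dst = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_day[src][day] += nbytes
            per_dst[(src, day)][dst] += nbytes
    return per_day, per_dst


def anomalies(flows, incident_days, factor=5):
    """Hosts whose egress on incident days exceeds `factor` x their median daily egress."""
    per_day, per_dst = external_egress(flows)
    out = []
    for host, days in per_day.items():
        baseline_vals = [b for d, b in days.items() if d not in incident_days]
        baseline = statistics.median(baseline_vals) if baseline_vals else 0
        observed = sum(b for d, b in days.items() if d in incident_days)
        # A host with no baseline egress that suddenly sends anything is flagged too.
        if observed and observed > factor * baseline:
            dst_bytes = defaultdict(int)
            for d in incident_days:
                for dst, b in per_dst[(host, d)].items():
                    dst_bytes[dst] += b
            out.append({"host": host, "baseline": baseline, "observed": observed,
                        "top_dst": max(dst_bytes, key=dst_bytes.get)})
    return sorted(out, key=lambda x: -x["observed"])


def observed_vs_claim(flows, incident_days, claimed_bytes):
    """Total external egress over the incident window and its fraction of the claimed volume."""
    per_day, _ = external_egress(flows)
    total = sum(b for days in per_day.values() for d, b in days.items() if d in incident_days)
    return total, total / claimed_bytes


# Constructed flows: (day, src, dst, bytes). Days 1-5 are baseline, day 6 is the incident.
SAMPLE_FLOWS = []
for _day in range(1, 6):
    SAMPLE_FLOWS += [(_day, "10.0.1.5", "203.0.113.20", 2 * GB),     # nightly backup to a SaaS
                     (_day, "10.0.1.5", "10.0.2.9", 50 * GB),        # internal replication, ignored
                     (_day, "10.0.1.8", "203.0.113.20", 300_000_000)]
SAMPLE_FLOWS += [(6, "10.0.1.5", "203.0.113.20", 2 * GB),
                 (6, "10.0.1.5", "198.51.100.77", 600 * GB),         # the transfer under suspicion
                 (6, "10.0.1.8", "203.0.113.20", 400_000_000)]
CLAIMED = 1_400_000_000_000  # a 1.4 TB claim, the figure used in the Tata Technologies reporting


if __name__ == "__main__":
    for a in anomalies(SAMPLE_FLOWS, {6}):
        print(f"{a['host']}: {a['observed'] / GB:.1f} GB vs median "
              f"{a['baseline'] / GB:.1f} GB/day -> {a['top_dst']}")
    total, frac = observed_vs_claim(SAMPLE_FLOWS, {6}, CLAIMED)
    print(f"observed egress {total / GB:.1f} GB = {frac:.0%} of the claimed volume")
```

Two caveats when running this on real data: flow logs count bytes per direction, so only the internal-to-external direction is summed, and a fraction well below 1 does not disprove the claim, since data may have left over a longer window, through a host outside the monitored segment, or via a cloud service that never traversed the perimeter. It does tell you where to point endpoint forensics first.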

Jay Thakker
Jay is a cybersecurity professional with over 10 years of experience in application security, specialising in the design and implementation of Breach and Attack Simulation (BAS) programs that proactively assess and strengthen organisational defences against evolving cyber threats. He also has strong expertise in threat hunting, using advanced analytical techniques to identify, investigate, and neutralise emerging and stealthy adversary activity before impact.
