ISLAMABAD: The Ministry of Information Technology and Telecommunications has admitted that the country has faced several major cyberattacks and data leaks in recent years.
In a report submitted to the National Assembly, the Ministry said, however, that complete details could not be shared through this channel due to the sensitive nature of the issue, adding that full information could be provided in a closed-door briefing. The report noted that, due to the lack of dedicated human resources, technical expertise, effective monitoring systems, and a generally weak security posture, many cyber incidents either go undetected or are not reported at the institutional level.
In detailing major cybersecurity breaches, the Ministry cited several incidents of concern. One such incident involved the Oil and Gas Development Company Limited (OGDCL), where unauthorised access was gained to the core data centre infrastructure, resulting in the deletion of 21 virtual servers. Operations were eventually restored after a three-day recovery effort from the disaster recovery (DR) site.
Another serious breach occurred at the National Telecommunication Corporation (NTC), where an advanced persistent threat (APT) group compromised the Zimbra FOSS email platform. The attacker maintained persistent access and impersonated internal users via email. A separate incident involving the National Information Technology Board (NiTB) saw the compromise of high-level user accounts across several federal ministries. Additionally, the Ministry of Foreign Affairs (MOFA) was targeted in a cyberattack involving persistent outbound connections to known Command and Control (C2) infrastructure.
The Ministry of Information Technology and Telecommunications identified several root causes for these incidents. They included the lack of resource allocation for cybersecurity, particularly the absence of dedicated human resources and funding. It also pointed to inadequate oversight and commitment from senior management, the absence of an effective governance structure and comprehensive cybersecurity policies, as well as the non-existence of dedicated security personnel and risk mitigation protocols.
To address these systemic issues, the Ministry outlined a strategic framework for securing Pakistan’s cyberspace. It noted the formalisation of the CERT Rules 2023, which established the structure and operational framework for Cyber Emergency Response Teams (CERTs). A national-level CERT (nCERT) has been established as the central body for coordinating incident response and cyber threat intelligence sharing. Furthermore, the National Security Operations Centre (NSOC) and CERT Directorate have been tasked with monitoring, reporting, and responding to cyber incidents. This body leverages multiple intelligence streams to detect threats and coordinates swift containment, mitigation, and recovery efforts.
The Ministry also informed the National Assembly that the federal government has approved the establishment of six provincial CERTs and three sectoral CERTs, with formal notification expected soon. In addition, a comprehensive multi-tier awareness and capacity-building programme has been launched to strengthen cybersecurity skills within ministries and departments. The operationalisation of the NSOC under nCERT is nearing completion. A robust ecosystem for audit and compliance has also been developed, which includes oversight by respective CERTs and third-party audits conducted by registered firms.
To further improve cybersecurity readiness, the Ministry recommended the allocation of dedicated human and financial resources to implement initiatives effectively. It proposed appointing a senior cybersecurity lead, at the BPS-20 level, to head cybersecurity efforts and report directly to senior management. Additionally, the Ministry stressed the need for a comprehensive governance structure, clearly defined roles and responsibilities, and the implementation of cybersecurity policies, procedures, and standards.
These policies, procedures, and standards should be in line with the guidelines and instructions issued by nCERT. A robust ecosystem of internal and external audits should be designed, implemented, and maintained in line with financial audits to identify gaps and areas for improvement.