## Strategic Context
Balochistan's provincial government is the only remaining accessible provincial .gov.pk portal during wartime — Punjab, Sindh, and KPK are all down. This makes it the highest-value provincial target for intelligence collection.
| Metric | Value |
|---|---|
| Area | 347,190 km² — 44% of Pakistan's total territory |
| Population | ~12.3 million (least populated of the four provinces) |
| Strategic Role | CPEC corridor, Gwadar Port (China's Indian Ocean access) |
| Security Context | Active BLA insurgency zone; Afghan + Iranian border province |
| Wartime Role | Critical frontline province during Pakistan-Afghanistan conflict |
## Single Admin Vulnerability — Critical Finding
One individual administers both the main provincial government website and the Science & IT Department website, creating a single point of failure for Balochistan's entire government web presence.
### Cross-Site Admin Correlation

```text
balochistan.gov.pk      → admin_bal (ID 4)
sit.balochistan.gov.pk  → admin     (ID 1)
                 ↓
        SAME GRAVATAR HASH
49d835e800b2f8de9d230f39d1718274e0364b4aff0a72de4bd274d82dbbf38b
```
/wp-json/wp/v2/users exposes this gravatar hash for both sites. Because the Gravatar hash is an MD5 of the registered email address, the administrator's email is directly derivable via rainbow tables or breach database lookup — providing a direct phishing target with known identity.
| Site | Username | User ID | Gravatar Hash | wp-login.php |
|---|---|---|---|---|
| balochistan.gov.pk | admin_bal | 4 | 49d835e8...f38b (shared) | Accessible |
| sit.balochistan.gov.pk | admin | 1 | 49d835e8...f38b (shared) | Accessible (8.3 KB) |
| sit.balochistan.gov.pk | sitbalochistango | 5 | 5170d034...9ac (different) | — |
### Exploitation Consequences
- Single point of failure — one compromised account = control of two government sites
- Password reuse probability — same person administering both sites likely reuses credentials
- Phishing target — gravatar hash → email address lookup → spear-phishing vector
- WordPress admin compromise — full CMS control, plugin backdoors, shell upload potential
## Government Officials — Divisional Commissioners
Balochistan's eight divisions each have a commissioner serving as the senior civilian administrator for law and order, revenue collection, and disaster management. All eight were named in extracted WordPress content.
| Division | Commissioner | Geographic Significance |
|---|---|---|
| Quetta | Shahzaib Khan Kakar | Provincial capital; military HQ |
| Zhob | Mr. Zeeshan Javed | Afghan border zone (north) |
| Sibi | Mr. Zahid Shah | Gas pipeline corridor |
| Makran | Mr. Dawood Khan Khilji | Coastal; Iranian border; Gwadar |
| Naseerabad | Mr. Moin ur Rahman | Agricultural zone |
| Kalat | Mr. Muhammad Naeem Bazai | Central highlands |
| Rakhshan | Mr. Mujeeb Ur Rehman Qambrani | Western border; smuggling routes |
| Loralai | Mr. Saadat Hassan | Active BLA insurgency zone |
## Gwadar Safe City Project — CPEC Surveillance
The Gwadar Safe City Project is a CPEC-linked surveillance and command-and-control initiative for the port city central to China's Indian Ocean strategy. Job vacancy pages exposed full staffing data.
### PMU Gwadar — Technical Positions (298 Candidates Shortlisted)
| Position | Grade | Candidates Shortlisted |
|---|---|---|
| Legal Advisor | PPS 7 | 34 |
| Civil Engineer | PPS 7 | 22 |
| Software Engineer | PPS 7 | 24 |
| Network Engineer | PPS 7 | 18 |
| Electrical Engineer | PPS 7 | 29 |
| Radio Communication Engineer | PPS 7 | 25 |
| Admin Officer | PPS 6 | 64 |
| Account Officer | PPS 6 | 55 |
| Incharge Command & Control | PPS 6 | 27 |
| TOTAL | — | 298 |
### GSC — Shift Operations Roles
| Position | Grade |
|---|---|
| Shift Incharge | PPS 5 |
| Technical Supervisor | PPS 5 |
| Account Assistant | PPS 5 |
| Computer Operator | PPS 5 |
| Technician | PPS 2 |
| Generator Operator | PPS 2 |
The "Incharge Command & Control" position confirms centralized surveillance operations. Software, network, and radio communication engineers indicate digital C2 capability. The 298 named shortlisted candidates represent the full technical staffing pipeline for a system designed to monitor one of China's most strategically significant overseas infrastructure assets.
## Budget & Financial Data (2020–2026)
The WordPress media API exposes direct download URLs for provincial budget documentation spanning six fiscal years.
- PSDP Documents (Public Sector Development Programme) — 2020–2026
- White Papers — provincial budget justification and policy rationale
- Volumes I–VIII — detailed budget breakdowns by department
- Budget Speeches — political priorities and government commitments
- Annual Budget Statements — revenue and expenditure accounts
Each document URL is a direct unauthenticated download link from the WordPress media library, containing original filenames with upload timestamps.
## Departmental Legislation Exposed
WordPress pages contain full text or direct references to legislation governing 14 departments:
| Department | Acts/Rules Available |
|---|---|
| Board of Revenue | Revenue rules and land administration |
| Forest & Wildlife | Environmental protection regulations |
| Home & Tribal Affairs | Security and tribal governance |
| Industries & Commerce | Industrial policy |
| Irrigation | Water resource management |
| Law & Parliamentary Affairs | Legal framework documentation |
| Labour | Employment regulations |
| Food | Food security and distribution |
| Information | Media and communications law |
| Prosecution | Criminal justice framework |
| Population Welfare | Family planning and welfare |
| Planning & Development | Development planning framework |
| Mines & Minerals | Resource extraction (critical for Balochistan's economy) |
| Local Government | Municipal governance structure |
## Dual TLD Confusion — Impersonation Risk
Balochistan operates government services across two top-level domains simultaneously: .gov.pk and .gob.pk. This inconsistency creates a direct impersonation and phishing vector.
| URL | TLD | Service |
|---|---|---|
| balochistan.gov.pk | .gov.pk | Main provincial government portal |
| cm.balochistan.gob.pk | .gob.pk | Chief Minister complaint portal |
| digibizz.gob.pk | .gob.pk | Youth freelancing program |
| btevta.gob.pk | .gob.pk | Technical/vocational education |
| estamping.gob.pk | .gob.pk | Legal document digitization |
| finance.gob.pk | .gob.pk | Finance department (AI chatbot) |
| homedept.balochistan.gob.pk | .gob.pk | Home department |
Citizens conditioned to trust .gob.pk domains for Balochistan services may be unable to tell a legitimate service apart from a look-alike domain. A threat actor registering balochistan.gob.pk.example.com or similar could intercept citizen interactions.
## WordPress Content Summary
| Metric | balochistan.gov.pk | sit.balochistan.gov.pk |
|---|---|---|
| Pages | 149 | 30 |
| Posts | 12 | 8 |
| Media Items | 1,297 (4.6 MB metadata) | 159 |
| Categories | 5 | 4 |
| CMS/Plugins | WordPress + Elementor | WordPress |
| wp-login.php | Accessible | Accessible (8.3 KB) |
| API Schema | 235 KB | 247 KB |
## robots.txt Note
The balochistan.gov.pk robots.txt explicitly blocks AI crawlers including ClaudeBot, GPTBot, Google-Extended, Bytespider, and Applebot-Extended. It also contains Cloudflare Managed Content signals: ai-train=no. Despite this, the WordPress REST API is completely unprotected — robots.txt applies only to polite crawlers, not targeted API enumeration.
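The two findings above (the unauthenticated `/wp-json/wp/v2/users` listing with its Gravatar hashes, and the fact that robots.txt does nothing to protect the REST API) have one mitigation on the WordPress side: enforce it in the REST server itself. The following must-use plugin is an added hardening example written for this page; it is not code from either audited site, and it assumes a standard WordPress install where the file is dropped into `wp-content/mu-plugins/`. It hides every `/wp/v2/users` route from anonymous requests (including the `?rest_route=` form, since routes are removed at the server level) while keeping them available to logged-in editors, and it strips `avatar_urls` from user objects so the email-derived hash never leaves the server.

```php
<?php
/**
 * Plugin Name: Restrict REST user enumeration (added hardening example)
 *
 * Must-use plugin for wp-content/mu-plugins/. Added example for this page,
 * not code from the audited sites. robots.txt only steers polite crawlers;
 * the REST API has to enforce access control itself, which is done here.
 */

// 1. Remove all /wp/v2/users routes for unauthenticated requests.
//    Logged-in users keep them because block/page editors (e.g. Elementor,
//    Gutenberg) query the endpoint when assigning authors.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Even for authenticated callers, drop Gravatar URLs from user objects.
//    The URL embeds a hash of the account's registered email address, which
//    is exactly the value correlated across the two sites above.
add_filter( 'rest_prepare_user', function ( $response, $user, $request ) {
    $data = $response->get_data();
    unset( $data['avatar_urls'] );
    $response->set_data( $data );
    return $response;
}, 10, 3 );
```

After deploying, an anonymous `GET /wp-json/wp/v2/users` should return a `rest_no_route` error instead of a user list, and the same request with a logged-in session cookie and nonce should return users without the `avatar_urls` key. Because the route is removed rather than merely hidden, the REST index at `/wp-json/` stops advertising it as well.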
## Risk Assessment Summary
| Risk Factor | Rating | Detail |
|---|---|---|
| Single admin across two sites | CRITICAL | One compromised account = 2 government sites down/owned |
| wp-login.php accessible (both) | HIGH | Direct brute-force / credential-stuffing target |
| 298 Gwadar candidates exposed | HIGH | CPEC surveillance personnel pipeline data |
| 8 divisional commissioners named | HIGH | Senior civilian administrator directory |
| Budget documents accessible | HIGH | Provincial financial strategy and allocations |
| Dual TLD confusion | MEDIUM | Impersonation/phishing surface for citizens and officials |
| Legislation content exposed | MEDIUM | Regulatory framework across 14 departments |