Pakistan's federal digital infrastructure is centralized around a small number of critical systems managing national identity, government telecommunications, tax revenue, and citizen services for 220+ million people. During the Pakistan-Afghanistan war, virtually all of these systems are offline or access-restricted — but their architecture, attack surface, and historical breach data remain fully documented from pre-war reconnaissance.
1. NADRA — National Database & Registration Authority
NADRA manages the national identity database for 220+ million Pakistani citizens, including Computerized National Identity Cards (CNIC/NICOP), biometric data (fingerprint and facial), voter registration, and citizen verification services.
Wartime Platform Status
| Platform | URL | Purpose | Status |
|---|
| Pak-ID App | id.nadra.gov.pk | National SSO (OAuth 2.0 + OIDC) | 500 — "URL blocked" |
| Nishan API | nishan.nadra.gov.pk | Developer API platform | 403 — Access Denied |
| e-Sahulat | esahulat.nadra.gov.pk | Franchise network (12,000+ locations) | DOWN |
| e-Services | eservices.nadra.gov.pk | Online citizen services | DOWN |
| Digital ID | nadra.gov.pk/digitalId | Digital ID portal | 404 |
Nishan API Stack — Documented Capabilities
| API | Function | Auth Required |
|---|
| Verisys | Demographic verification (name, DOB, address vs CNIC) | Company credentials + API key |
| Biosys | Biometric fingerprint verification against NADRA database | Company credentials + API key |
| Multi-biometric | Fingerprint + facial recognition combined | Company credentials + API key |
| Proof-of-Life | Liveness detection (anti-spoofing) | Company credentials + API key |
| Batch Verification | Bulk CNIC verification for enterprise | Company credentials + API key |
| SSO | Single sign-on integration for third-party apps | OAuth 2.0 + OIDC |
CNIC Number Structure — Intelligence Value
Every Pakistani Computerized National Identity Card number encodes geographic and demographic information in a predictable 13-digit format:
Format: ABCDE-XXXXXXX-M (13 digits total)
Position 1: Province code
1=KPK 2=FATA 3=Punjab 4=Sindh 5=Balochistan 6=Islamabad 7=Gilgit-Baltistan
Positions 2-5: Division → District → Tehsil → Union Council (hierarchical)
Positions 6-12: Family tree identifier (sequential within locality)
Position 13: Gender (odd = male, even = female)
A CNIC number alone reveals the holder's province, division, district, tehsil, union council, family lineage number, and gender — enabling geographic correlation and demographic profiling from ID numbers alone.
Historical Breaches
| Incident | Date | Impact |
|---|
| NADRA Insider Breach | 2019–2024 (disclosed 2024) | 2.7M citizen records stolen by NADRA employees in Karachi, Multan, Peshawar offices; sold on dark web to buyers in Argentina and Romania; fraudulent IDs issued to Afghan nationals |
| Afghan Cyber Army | 2025 | 100 high-profile .gov.pk sites defaced; NADRA homepage replaced with message about Afghan refugees |
2. NTC — National Telecommunication Corporation
NTC provides telecommunications services to Federal and Provincial Governments, the Armed Forces, and defense projects. Its webmail system serves as the email backbone for the entire Pakistani federal government.
Wartime Service Status
| Service | URL | Status |
|---|
| Main Site | ntc.net.pk | Intermittent |
| Cloud/Data Center | cloud.gov.pk | DOWN |
| Domain Registration | register.ntc.net.pk | DOWN |
| Government Webmail (Zimbra) | mail.ntc.net.pk | DOWN |
| PKI Portal | ntc.pki.gov.pk | 503 Service Unavailable |
Single Point of Failure: mail.ntc.net.pk (Zimbra) is the email system for the entire Pakistani federal government. Its wartime outage disrupts inter-agency communication across all ministries. If restored and compromised, a single Zimbra instance would provide access to federal government email for every ministry simultaneously.
NTC Services Portfolio
- Basic Telephony, Green Lines (secure government lines)
- Broadband Internet for government institutions
- Federal email, intranet, and data center solutions (Tier-III, ISO 27001 certified)
- Video conferencing, VPN, radio wireless networking
- SMS, call center services
- PKI certificates (code signing, SSL for .gov.pk domains)
3. NITB — National Information Technology Board
NITB is responsible for digitizing Pakistan's government operations at federal scale.
Scale
- 500+ digital initiatives under management
- 31 government portals
- 15 mobile applications
- Pakistan Citizen Portal (AI-powered grievance redressal across all agencies)
Key Platform Status
| Platform | URL | Purpose | Status |
|---|
| Central Dashboard | cd.nitb.gov.pk | Digital services monitoring dashboard | DOWN |
| Login Portal | bit.nitb.gov.pk | Government authentication gateway | DOWN |
| PMRRP | pmrrp.nitb.gov.pk | Project management and reporting | DOWN |
| Pakistan Citizen Portal | web.citizenportal.gov.pk | Federal/provincial complaints routing | Accessible (wartime) |
Upcoming: DEEP Super App
The Digital Economy Enhancement Project (DEEP), funded by the World Bank and led by NADRA under the Ministry of Interior, is a planned unified gateway for all federal and provincial services. As of February 2026, it was advancing toward launch — the war has since interrupted this timeline.
- Features: Digital wallet, biometric verification, AI guidance, cashless payments
- Integrations: NADRA, NTC, HEC, MOFA, Ministry of Interior
- Significance: When launched, a single platform would hold biometric + financial + travel + education data for 220M citizens
4. FBR — Federal Board of Revenue
FBR manages Pakistan's tax revenue collection through the IRIS 2.0 (Integrated Revenue Information System) and the PRAL API for enterprise bulk filing.
| Service | URL | Status |
|---|
| IRIS Portal | iris.fbr.gov.pk | DOWN |
| Downloads | download1.fbr.gov.pk | DOWN |
| PRAL API | pral.com.pk | DOWN |
PRAL API capabilities (documented pre-war): Bulk income tax return filing, withholding statement submission, bulk sales tax invoice submission, POS integration, data validation, IP whitelisting + security tokens, sandbox testing environment.
5. Other Critical Infrastructure
SBP — State Bank of Pakistan
| Service | URL | Status / Notes |
|---|
| Main Site | sbp.org.pk | DOWN |
| EasyData | easydata.sbp.org.pk | 301 → Oracle APEX behind MS IIS ARR/3.0 + Cloudflare; APIs return 401 |
| Raast | — | UPI-like instant payment system (status unknown) |
PTA — Pakistan Telecom Authority
| Service | URL | Status |
|---|
| DIRBS | dirbs.pta.gov.pk | Device identification system |
| Complaints | complaint.pta.gov.pk | DOWN |
| WMS | wms.pta.gov.pk | Web monitoring system |
HEC — Higher Education Commission
| Finding | Detail |
|---|
| Main Site | hec.gov.pk — 301 redirect to www |
| ePortal | eportal.hec.gov.pk — HTTP only, 302 redirect |
| .git/HEAD probe | hec.gov.pk/.git/HEAD returns 500 (not 404) — server-side error suggests a Git repository exists on the server |
A 500 response on /.git/HEAD rather than a 404 is a significant indicator that a Git repository may be present on the production server. If the .git/ directory is accessible, it could expose full source code, commit history, credentials in configuration files, and internal API endpoints.
SUPARCO — Space & Upper Atmosphere Research Commission
| Service | URL | Status |
|---|
| Main Site | suparco.gov.pk | 200 OK (Apache, HTTPS) |
| Disaster GIS | disasterwatch.sgs-suparco.gov.pk | HTTP only (no TLS) |
6. PKI Infrastructure
NTC manages Pakistan's government PKI (Public Key Infrastructure). Its wartime outage has broader consequences beyond email:
| Service | URL | Status |
|---|
| PKI Portal | ntc.pki.gov.pk | 503 |
| Code Signing Repository | ntc.pki.gov.pk/repository/Code_Signing_Certificate.html | 503 |
- Government digital signatures for official documents are disrupted
- Code signing for government-distributed software is unavailable
- SSL/TLS certificate issuance for new .gov.pk subdomains is blocked
7. CMS & Framework Distribution
| CMS/Framework | Sites Identified | Examples |
|---|
| WordPress | 3+ | QAU, Balochistan, SIT Balochistan |
| Drupal | 2+ | LUMS, AIOU |
| ASP.NET / IIS | 2+ | Pakistan Post (ep.gov.pk), HEC |
| Oracle APEX | 1 | SBP EasyData |
| Laravel (PHP) | 1 | UOS (University of Sargodha) |
| CKAN | 1 | opendata.com.pk |
8. Network Infrastructure
| Metric | Value |
|---|
| Total ASNs | 213 |
| Total IPs | 5,646,592 (~5.7 million addresses) |
| Largest ISP | Pakistan Telecommunication Company (AS17557) |
| Global IP Ranking | #51 / 249 countries |
9. Historical Breach Timeline
| Date | Incident | Impact |
|---|
| 2019–2023 | NADRA insider data theft | 2.7M citizen records stolen across 3 offices |
| 2024 | NADRA breach public disclosure | Data confirmed sold to dark web buyers in Argentina, Romania |
| 2025 | Global credential breach | 180M Pakistani internet user credentials exposed |
| 2025 | SIM data leak | Federal ministers and officials' call/SIM metadata leaked |
| 2025 | Afghan Cyber Army campaign | 100 high-profile .gov.pk sites defaced simultaneously |
| 2025 | Cloudflare outage cascading failure | Nationwide service disruption (heavy CF dependency) |
10. Post-Wartime Priority Targets
When Pakistan's infrastructure comes back online after the conflict, the following represent the highest-value targets based on this reconnaissance assessment, ranked by intelligence yield and breach potential.
| Priority | Target | Rationale |
|---|
| #1 | mail.ntc.net.pk (Zimbra) | All federal government email on one system — total communications access |
| #2 | nishan.nadra.gov.pk | National identity API — biometric verification for 220M citizens |
| #3 | iris.fbr.gov.pk | Tax revenue system — financial data for all Pakistani taxpayers |
| #4 | cloud.gov.pk | NTC Tier-III data center — federal data hosting |
| #5 | web.citizenportal.gov.pk | Citizen complaints across all agencies — internal routing data |
| #6 | hec.gov.pk (/.git/HEAD) | Potential source code disclosure via exposed .git directory |
| #7 | easydata.sbp.org.pk | State Bank financial data (Oracle APEX) — economic intelligence |
| #8 | mofa.gov.pk | Foreign Affairs Ministry — no WAF detected |