Thiruvananthapuram, Jan 21,2026: Some of the most consequential cyber operations underway today do not look like attacks at all. They cause no immediate disruption, trigger no alarms and may remain invisible for years.
Their strategic value lies not in what they do at the moment, but in what they quietly make possible. Modern cyber conflict, security analysts say, is increasingly prepared long before it is ever revealed.
“This reality came sharply into focus with the widely reported Lebanon pager incident. Communication devices that appeared simple, benign and technologically unremarkable were later activated in a coordinated manner, causing physical harm without any indication of real-time hacking,” K.S. Manoj, a cyber-physical systems security expert associated with Intelegrid said.
Subsequent international reporting suggested that the decisive compromise may have taken place much earlier, during the design, manufacture or distribution of the devices.
For analysts, the episode illustrated a growing shift in how conflict unfolds: modern attacks may be embedded and positioned well before they are triggered.
Security experts describe this approach as pre-positioned cyber operations, a strategy centred on the covert establishment of persistent or dormant access within systems, devices or infrastructure, without immediate activation.
Unlike conventional cyber attacks that seek instant impact, pre-positioning focuses on long dwell times, minimal forensic traces and activation only when strategic or geopolitical conditions warrant it. In many cases, such access is never used. Its value lies in the option it provides rather than in execution itself.
The Lebanon pager case is also significant because it demonstrates how cyber operations are expanding beyond digital networks into supply chains and physical objects.
By compromising systems upstream, before a device is ever deployed, attackers can bypass traditional cyber defences altogether.
Analysts note that this means systems do not need to be online to carry risk, cyber actions and physical effects can be separated by long time gaps, and trust in manufacturing and procurement has become a critical vulnerability.
These dynamics blur the boundary between cyber and physical security and complicate detection, attribution and response.
India offers a useful lens through which to examine these trends. As a large and rapidly digitising economy with complex infrastructure and deep reliance on global supply chains, it reflects challenges increasingly faced by many countries.
Investigations following the 2020 Mumbai power disruption identified advanced malware linked to grid-related systems, with indications that elements of the intrusion may have occurred months earlier.
While no definitive attribution of the outage to cyber sabotage was established, analysts observed that the timeline was consistent with pre-positioned access rather than a sudden intrusion.
A similar pattern emerged in 2019, when malware was detected on systems associated with the Kudankulam nuclear facility.
The incident showed evidence of access without activation. In nuclear and other high-consequence environments, analysts note that restraint itself can be strategic, as access may carry value even if it is never exercised.
The Mumbai power disruption occurred during a period of heightened India–China military tensions following the Galwan Valley clash. Analysts caution that coincidence in timing does not establish causation, particularly when infiltration appears to predate visible events.
The sequence nonetheless illustrates why timing alone has become an unreliable indicator of cyber intent in an era defined by dormant, long-term access.
Recent launch vehicle anomalies in India have also prompted discussion among security and engineering experts.
While there is no public evidence linking such incidents to cyber sabotage, specialists argue that failure analysis for high-consequence aerospace systems increasingly needs to incorporate cyber-physical and supply-chain risk models alongside conventional engineering and procedural factors.
In parallel, India has experienced a rise in reports of GPS spoofing and navigation interference affecting aviation, maritime operations and unmanned systems.
Such incidents, widely documented in other regions, are increasingly viewed as part of a broader category of geographically bounded or “geofenced” cyber-electronic activity, in which effects are limited to specific locations and time windows.
Following post-Sindoor security operations, analysts note that such selective cyber and electronic interference has come under closer scrutiny, even as attribution remains difficult and public evidence limited.
Taken together, these developments reinforce a central concern among security experts: modern cyber risk is no longer defined solely by visible attacks or system failures, but by silent access, localised interference and capabilities that may remain dormant or be activated selectively, complicating detection, attribution and response.
India’s experience mirrors developments elsewhere. Authorities in the United States have acknowledged that foreign actors maintained long-term access to parts of critical infrastructure without causing outages. In Ukraine, years of dormant cyber access preceded cyber-physical attacks once conflict escalated.
Security assessments across regions indicate that state-aligned cyber groups from multiple countries, including China and North Korea, have demonstrated advanced capabilities in stealthy infiltration, long-term persistence and supply-chain compromise.
Analysts note that patience and restraint, rather than frequent disruption, are increasingly defining features of such operations.
At the same time, experts caution against over-attribution. Aerospace failures, aviation incidents and industrial accidents are complex events with multiple potential causes, and cyber sabotage should not be assumed without evidence.
The deeper challenge lies in limited visibility, namely the difficulty of knowing what access may already exist, inactive and undetected.
Pre-positioned cyber operations are forcing a rethink of security itself. Traditional defences such as firewalls and monitoring systems remain necessary but are no longer sufficient on their own.
Increasingly, resilience depends on deeper supply-chain scrutiny, cyber-informed engineering and independent investigation of cyber-physical incidents. In this environment, deterrence is shaped as much by what remains silent as by what becomes visible.
The Lebanon pager incident ultimately serves as a reminder that modern conflict may be shaped long before any attack is perceived. As cyber operations extend into devices, supply chains and physical systems, the central security question is no longer simply who attacked, but what capabilities may already be embedded, and whether they can be detected before they are ever used.
