Nepal’s Digital Crisis: How Cyberattacks Are Crippling Government and Educational Websites

Nepal’s journey into the digital age has been a double-edged sword. While e-governance and digital services promise a more efficient future, a wave of cyberattacks has exposed the country’s profound cybersecurity vulnerabilities. In recent years, and particularly throughout 2024 and 2025, government and educational websites have become prime targets, leading to a digital crisis that threatens national security, public trust, and vital services.

A Troubling Trend: The Recent Attacks

Recent data and news paint a concerning picture. Multiple incidents in 2024 and 2025 have highlighted systemic failures in Nepal’s digital infrastructure.

• DDoS Attacks on Critical Infrastructure: In early 2024, Nepal’s main government server was hit by a massive Distributed Denial of Service (DDoS) attack. The attack overwhelmed the Government Integrated Data Center (GIDC), causing over 400 government websites—including critical portals for immigration, passport services, and land administration to go offline for hours. This incident not only disrupted services but also caused chaos at major entry points like the Tribhuvan International Airport. Experts found that many of these portals lacked basic security measures like firewalls and rate-limiting features, making them “easy prey.”
• Educational Sector Breaches: The educational sector has not been spared. In a particularly alarming incident in July 2025, the website of the Ministry of Education was compromised. Hackers gained unauthorized access to internal systems and leaked the personal data of thousands of students and employees. The stolen information, including names, phone numbers, and academic records, was then shared on Telegram channels and dark web forums, exposing a critical failure in data protection.
• Government Data Leaks: The Office of the Prime Minister and Council of Ministers has also faced intrusion attempts. A threat actor on the dark web forum “Ghudra” allegedly put a database backup from the office up for sale for $1,000, along with “live shell access” for $1,300. This suggests attackers exploited vulnerabilities to gain persistent remote control. This incident, while unconfirmed by officials, serves as a stark reminder of the sensitive data at risk.

Why Is Nepal So Vulnerable?

Nepal’s digital crisis is not merely a result of sophisticated external threats; it’s largely a consequence of internal weaknesses.

• Outdated Technology and Lack of Maintenance: Many government and educational websites run on legacy systems with outdated software and weak protocols. The absence of regular security audits and timely updates leaves them open to basic SQL injection and brute-force attacks.
• Lack of Centralized Security: There is a notable lack of a cohesive, centralized strategy for cyber defense. Despite the creation of the National Cyber Security Centre (NCSC) and the issuance of a 102-point advisory in January 2025, compliance is inconsistent. Each department often handles its own security, leading to a fragmented and ineffective defense.
• Low Digital Literacy and Awareness: A significant portion of the population and even IT staff lack basic cybersecurity awareness. This makes them susceptible to social engineering attacks like phishing, which are often the entry point for more serious breaches. The misuse of digital platforms and the lack of digital literacy create an environment ripe for exploitation.

The Path Forward: From Crisis to Resilience

Addressing this crisis requires more than just reactive measures. A proactive, multi-pronged approach is essential.

1. Strengthening Legal Frameworks: The current Electronic Transaction Act (ETA) of 2008 is outdated and inadequate for addressing modern threats like deepfakes and advanced persistent threats (APTs). Nepal must fast-track new legislation, such as the draft Cybersecurity Bill, that defines cybercrimes clearly, mandates security standards, and requires timely public disclosure of data breaches.
2. Investing in Local Talent and Infrastructure: Instead of relying on foreign vendors, Nepal should invest in local tech startups and talent. Building and hosting critical government services on secure, locally-developed platforms can reduce foreign dependency and potential backdoor risks.
3. Mandatory Security Audits: The government must enforce mandatory, regular security audits for all public sector and critical infrastructure websites. This includes penetration testing to identify and patch vulnerabilities before they can be exploited.
4. Promoting Digital Literacy: Nationwide campaigns and workshops are needed to educate government employees, students, and the public on safe online practices. This includes promoting the use of strong passwords, multi-factor authentication (MFA), and the ability to recognize phishing attempts.

Nepal’s digital crisis is a wake-up call. As the country aims to transform into a digital hub, securing its cyber borders must be prioritized as seriously as its physical ones. The time for half-measures is over; only a concerted, national effort will build the digital resilience needed to safeguard its future.