
Nepal’s Digital Collapse: The Government’s Cyber Crisis and Path to Recovery

Prajwal Nepali September 19, 2025, 2:47 pm

In a catastrophic wake-up call to Nepal’s digital governance, more than 400 government websites, including vital services such as immigration, passport issuance, customs and ministry portals, collapsed under a powerful cyber onslaught in March 2025. Hosted within the Government Integrated Data Centre (GIDC) at Singha Durbar and managed by the National Information Technology Centre (NITC), these sites became inaccessible as the broader infrastructure buckled, exposing systemic flaws in Nepal’s cybersecurity posture.

The assault began unexpectedly on a weekend afternoon and persisted for several hours. Automated immigration verification systems failed, compelling officers at Tribhuvan International Airport to revert to manual passport and visa checks. This shift triggered long queues and delays lasting up to three hours for international flights, disrupting arrivals and departures at both the domestic and international terminals. Only after technicians disallowed external traffic to the core GIDC servers did partial service restoration occur, but the damage to public confidence had already set in.

This crisis was not isolated. In January 2023, a Distributed Denial of Service (DDoS) attack overwhelmed the same infrastructure, taking down approximately 1,500 government websites and paralysing immigration operations for nearly four hours. Earlier cyber incidents in 2024 similarly incapacitated hundreds more, and recurring service outages became a distressing pattern, revealing how vulnerable Nepal’s centralised hosting model remained to distributed attacks.

Following the March 2025 outage, a hacker collective known as ShadowLeak announced their possession of a backup database from the Office of the Prime Minister and Council of Ministers. Purportedly containing around 100,000 rows of personal data, the database was marketed on darknet forums for roughly $1,000, with offers of live shell access to internal servers priced at $1,300. These claims pointed to potential system infiltration beyond surface-level disruption, suggesting attackers had escalated their tactics to gain persistent access.

Nepal’s rapid digital expansion has amplified its exposure. By early 2025, widespread broadband and mobile internet connectivity had brought more than 90% of Nepali households online. With this deepening reliance on e-government platforms and online banking services, reported cybercrime incidents nearly tripled between 2019 and 2023, as noted by law enforcement cyber bureaus. This rise in threats coincides with structural weaknesses: shared hosting environments, outdated/unpatched applications, poor network segmentation, minimal encryption, and underfunded incident response teams across agencies.

Despite the National Cybersecurity Centre issuing a comprehensive 102-point advisory in January 2025, mandating practices like multi-factor authentication, quarterly password rotation, annual penetration testing, SSL enforcement, data backup protocols, and network isolation, adoption remains inconsistent. Many agencies struggle due to resource limits, technical skill gaps and lack of internal cybersecurity awareness. Consequently, formal compliance with server hardening and audit requirements is sporadic at best.

Exploitation methods frequently target easily avoidable vulnerabilities. Structured Query Language (SQL) injection attacks, particularly Boolean-based techniques, account for over 65% of reported breach cases in Nepal, allowing attackers to extract or manipulate backend databases through unvalidated inputs. In parallel, simple credential-stuffing attacks and phishing campaigns remain pervasive, exploiting human error rather than technical complexity. The prevalence of shared servers without intrinsic DDoS protection amplifies the impact of traffic-based attacks, causing widespread outages with minimal effort.
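The flaw described above, shown as an added example that is not part of the original article: a query built by string concatenation answers true/false probes differently, while a bound parameter combined with allow-list validation does not. The table, column and function names and the sample rows are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applications (ref TEXT PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO applications VALUES (?, ?)",
        [("NP-1001", "approved"), ("NP-1002", "pending")],
    )
    return conn

def status_vulnerable(conn, ref):
    # Weak form: input is concatenated into the SQL text, so a quote
    # character in `ref` changes the structure of the query itself.
    sql = "SELECT status FROM applications WHERE ref = '" + ref + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def status_parameterized(conn, ref):
    # Bound parameter: the driver passes `ref` as data, never as SQL.
    row = conn.execute(
        "SELECT status FROM applications WHERE ref = ?", (ref,)
    ).fetchone()
    return row[0] if row else None

REF_PATTERN = re.compile(r"NP-\d{4}")

def status_hardened(conn, ref):
    # Allow-list validation first, then the parameterized query.
    if not REF_PATTERN.fullmatch(ref):
        raise ValueError("malformed reference")
    return status_parameterized(conn, ref)

def demo():
    conn = make_db()
    # Two inputs that differ only in an appended boolean condition.
    true_probe = "NP-1001' AND 1=1 --"
    false_probe = "NP-1001' AND 1=2 --"
    return {
        # The vulnerable form answers differently: a true/false oracle.
        "vulnerable": (status_vulnerable(conn, true_probe),
                       status_vulnerable(conn, false_probe)),
        # The parameterized form treats both as unknown reference strings.
        "parameterized": (status_parameterized(conn, true_probe),
                          status_parameterized(conn, false_probe)),
    }

if __name__ == "__main__":
    print(demo())
```

The differing responses in the vulnerable case are what a Boolean-based technique relies on; removing that difference at the query layer is the fix, with input validation as a second control.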

Analysts warn that future incidents are likely to transition from denial-of-service to data theft or persistent infiltration. Attackers are expected to bypass weak authentication, pivot laterally within agency networks via privilege escalation, and stealthily exfiltrate sensitive data through encrypted tunnels or DNS-based channels. With limited real-time monitoring and no zero-trust architecture, internal movement often goes unnoticed until exfiltration is complete.

Preventing such catastrophes requires a sweeping overhaul. Immediate measures include deploying enterprise-grade DDoS mitigation and load balancing systems, segmenting network zones with micro-perimeters, enforcing zero-trust access controls, encrypting data both at rest and in transit, and instituting routine third-party penetration testing and red team simulations. Dark web monitoring should be institutionalised to detect credential leaks, while formal incident-response protocols and business continuity plans must be mandated across all ministries and agencies.

Long-term resilience, however, hinges on a shift in organisational culture. Strengthening institutional bodies such as CERT NP and ITSERT NP, increasing cybersecurity budgets, and mandating compliance via enforceable legal frameworks are key. Agencies must reduce over-reliance on contractors by retaining source code ownership and developing in-house technical capacities. Regular public audits and transparency reports can foster accountability and build citizen trust in digital services.

Ultimately, Nepal’s repeated government system outages represent more than technical failures; they signify an erosion of public trust in governance by digital means. In a rapidly evolving threat landscape, securing systems is no longer optional. It is imperative that Nepal not only patches vulnerabilities but reformulates its entire approach: from infrastructure investments to governance, talent and regulation. Only then can it transform digital vulnerability into a foundation for secure, reliable and resilient government services. 
