Cyber Threat Actor: TAG-28
| Actor Type | Location | Known Incidents |
|---|---|---|
| Nation State | China | 0 incidents |
Profile
TAG-28 is a Chinese state‑sponsored threat actor known to focus on gathering intelligence from targets in the Indian subcontinent. Public reporting identifies the group as a unit linked to the Chinese state, and Recorded Future investigators have traced its activities to a series of cyber intrusions against Indian organizations. The actor’s strategic objective, as explicitly stated in the source material, is intelligence collection rather than financial gain or disruption. Its known targeting includes media organizations and national identity databases, specifically Bennett Coleman And Co Ltd (BCCL), which publishes The Times of India, and the Unique Identification Authority of India (UIDAI), which manages the Aadhaar biometric system. These targets reflect an interest in both journalistic communications and large‑scale personal data repositories.
In February 2021 Recorded Future attributed a breach of BCCL’s network to TAG-28, noting that approximately 500 MB of data was transferred to an off‑site server controlled by the attackers. The same reporting describes a separate intrusion into UIDAI’s Aadhaar database, suggesting that the accessed biometric information could serve as training data for artificial intelligence initiatives or be used to identify high‑value individuals for further espionage. While the articles do not detail specific malware families, initial access vectors, or tooling employed by TAG-28, they emphasize the group’s capability to exfiltrate sizable datasets from high‑profile Indian targets. The activity occurred amid heightened tensions following border clashes between Chinese and Indian forces, though the reporting does not assign a direct motivational link to those events for TAG-28. Overall, the confirmed facts portray TAG-28 as a state‑backed intelligence‑focused actor that has conducted data‑theft operations against media and biometric infrastructure in India.
