Cyber Incident Victim: Bennett Coleman And Co Ltd

Date:

Feb 2021

Location:

India

Summary

The China-linked threat activity group tracked as TAG-28 conducted intrusions against Bennett Coleman And Co Ltd (BCCL), India's largest media conglomerate, and against the Unique Identification Authority of India (UIDAI), which operates the Aadhaar biometric database. In the BCCL intrusion, approximately 500 MB of data was exfiltrated to attacker-controlled servers, potentially exposing unpublished content, reporter notes and journalistic sources. The UIDAI intrusion risked exposure of sensitive biometric records, including fingerprints and iris scans, which could enable identity-based attacks and social engineering or enrich artificial intelligence training datasets; unlike passwords, compromised biometric identifiers cannot be reissued, so any exposure is permanent. Both operations fit the established pattern of Chinese state-sponsored actors targeting media organisations to influence narratives and harvesting bulk personally identifiable information for strategic intelligence purposes.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In February 2021, the China-linked threat activity group tracked as TAG-28 conducted cyber intrusions against Bennett Coleman And Co Ltd (BCCL), India's largest media conglomerate, and the Unique Identification Authority of India (UIDAI), which manages the Aadhaar biometric identification system. TAG-28 is assessed to be a Chinese state-sponsored group focused on intelligence collection across the Indian subcontinent. During the BCCL breach, approximately 500 MB of data was transferred to attacker-controlled servers. The exact content exfiltrated from BCCL's networks was not confirmed, but investigators noted that the compromised systems held sensitive journalistic material, including unpublished articles about China, reporter notes and source communications. BCCL publishes The Times of India, which had extensively covered the 2020 border clashes between Indian and Chinese troops in the Galwan Valley and subsequent Chinese cyber operations against Indian infrastructure, such as RedEcho and RedFoxtrot. The intrusion is consistent with the historical pattern of Chinese state-sponsored attacks on media organisations perceived as publishing unfavourable coverage of China, including earlier incidents against the New York Times, the Washington Post and Hong Kong pro-democracy outlets.


The parallel breach of UIDAI's systems risked exposure of India's Aadhaar database, which holds biometric identifiers such as fingerprints, iris scans and photographs for approximately 1.2 billion Indian residents. Analysts assessed that stolen biometric data could serve two purposes: enriching China's artificial intelligence training datasets for facial and pattern recognition, and enabling identity-based attacks. Because Aadhaar is a centralised identifier used to access government services, welfare programmes and authentication systems, its compromise would amplify the risk of social engineering, extortion and credential misuse, and, since biometrics cannot be rotated like a password, the exposure could not be remediated by reissuing credentials. Recorded Future's investigation could not confirm that data was actually compromised at UIDAI, but it highlighted systemic weaknesses, including past incidents in which Aadhaar records were accidentally exposed on public government websites. Neither BCCL nor UIDAI publicly acknowledged the breaches or disclosed containment measures, and the Chinese government did not respond to inquiries about the alleged operations. The incidents exemplify the ongoing cyber espionage campaigns that have accompanied geopolitical tensions since the 2020 border conflict.

Sources

1 source (available to members)