Date: Feb 2021

Location: India

Summary

A China-linked state-sponsored threat actor known as TAG-28 targeted the Unique Identification Authority of India, compromising its Aadhaar biometric database containing fingerprints, retina scans, and photographs of citizens. The attackers likely sought sensitive biometric data to advance artificial intelligence capabilities, enable social engineering or extortion schemes, and gather intelligence, exploiting the system's central role in accessing essential government services. The breach raised concerns over potential identity theft and misuse of immutable biometric identifiers, compounded by historical security vulnerabilities within the Aadhaar infrastructure.


Description

In February 2021, China-linked threat actor TAG-28, identified as a state-sponsored group focused on Indian subcontinent intelligence gathering, conducted cyber intrusions against the Unique Identification Authority of India (UIDAI) and media conglomerate Bennett Coleman And Co Ltd (BCCL). The attacks occurred against the backdrop of ongoing geopolitical tensions following the 2020 Galwan Valley border clash between Indian and Chinese troops. TAG-28 targeted UIDAI's Aadhaar system database containing biometric records of approximately 1.2 billion Indian citizens, representing 89% of the country's population. The compromised data included fingerprints, retina scans, facial photographs, and associated 12-digit identity numbers required for accessing government services. Simultaneously, attackers infiltrated BCCL's network infrastructure, exfiltrating approximately 500 MB of data to attacker-controlled servers. BCCL publishes The Times of India, which had extensively covered both the border conflict and previous China-linked cyber operations against Indian infrastructure.


The UIDAI breach potentially provided China with bulk personally identifiable information (PII) for intelligence operations, social engineering campaigns, and artificial intelligence training datasets. Biometric records offer persistent identification capabilities unlike password-based credentials, with potential applications in authentication system compromise, social welfare program manipulation, and individual extortion through service access denial. Historical security concerns regarding Aadhaar included fraudulent duplicate websites and accidental 2018 data exposures through government portals. The BCCL compromise risked exposing journalistic sources, unpublished content regarding China, and internal communications, aligning with documented Chinese cyber operations against media organizations dating to 2008. Neither UIDAI nor BCCL officials provided public statements regarding incident response, mitigation measures, or confirmed data compromise despite multiple requests for comment. The Chinese embassy similarly did not acknowledge or address the attribution findings presented in the Recorded Future report detailing these operations.
