China-Linked Group TAG-28

The police department of India recently discovered that an Indian media conglomerate, Bennett Coleman And Co Ltd (BCCL), and the Unique Identification Authority of India (UIDAI) database were hacked, probably by a Chinese hacking group.

The group was given the temporary name TAG-28, and it was also detected that its threat actors used the Winnti malware, which is shared exclusively among those Chinese groups.

However, Chinese authorities have denied these accusations and announced that China itself is a major target of cyberattacks. It was observed that the cyberattacks could be related to border tensions.

Malware and Infrastructure

The Insikt Group identified two Winnti C2 servers and a Cobalt Strike C2 server that were operated by the threat actors of TAG-28. Historically, various Chinese state-sponsored groups have used Winnti malware in connection with activities that are loosely linked to private contractors and China’s Ministry of State Security (MSS).

The US Department of Justice charged 5 Chinese nationals who had accessed Winnti malware. Apparently, they were conducting widespread intrusion operations that targeted over 100 victims all over the world.

Key Judgments

  • The main target of TAG-28 was UIDAI because of its ownership of the Aadhaar database.
  • The TAG-28 group is targeting BCCL and is motivated by access to its journalists.
  • There is very little possibility that TAG-28 would gain access to media entities to interface with their publishing platforms.
  • The data shows an increase of 261% in the number of Chinese state-sponsored groups that are targeting Indian organizations.

Media Focus

The BCCL computers provide everything from journalists’ notes and many sources to articles that have not been published yet. The Times of India extensively reported about the RedEcho and RedFoxtrot cyberattacks that have robbed India since last year.

The two hacking groups are thought to be linked to China and targeted government sectors and their entities. However, last month Beijing-linked hackers launched an online influence operation that claimed that the BBC was using a gloom filter to make images coming out of China seem dull.

Biometrics jackpot

The UIDAI intrusion could offer China intelligence and training data for its artificial intelligence systems by way of India’s Aadhaar system.

The Indian government assigns a unique 12-digit identity number to all citizens of India, which helps them receive basic government services. The Aadhaar card requires fingerprints, retina scans, and photographs of the individuals.


However, the experts have suggested some mitigations that will help victims avoid such attacks; they are listed below:

  • First, configure your intrusion detection system and any other network defense mechanisms in use.
  • Recorded Future hunting packages can be used to hunt for and detect malware families.
  • Proactively detect and log server configurations in the command and control security feed.
  • Real-time output from NTA and malware analysis can be monitored to identify targeted intrusion activity involving the organization.

Insikt is trying its best to pursue all possible methods that will help victims recover from such a situation. It is also very important to follow the mitigations mentioned above, which will help them avoid these kinds of attacks.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.