Aadhaar biometrics allegedly targeted by Chinese state-sponsored hacker group
TAG-28, a hacker group thought to be supported by the Chinese government, has been attacking the Unique Identification Authority of India (UIDAI), among several targets in the country, likely in an attempt to access the database of biometrics and Aadhaar digital identity information it operates, according to a new report.
The Insikt Group and Recorded Future report found that a pair of IPs registered to UIDAI appeared to be communicating with the same Cobalt Strike C2 server that targeted Bennett Coleman and Company Ltd. (BCCL), also known as ‘The Times Group,’ between June 10 and July 20, 2021. Less than 10 MB of data was exfiltrated from the UIDAI network, and there is no evidence that biometric data was stolen, though 30 MB of “ingress” may indicate that malware was left behind.
Cobalt Strike is a commercial network defense tool that can be repurposed by hackers, and the TAG-28 group also allegedly used a well-known malware called Winnti to carry out attacks, according to the report.
The Aadhaar database contains biometric data from more than 1 billion Indians. As Recorded Future’s The Record points out, the motivation for hacking the Aadhaar database could include gathering data to train biometric algorithms, or to identify high-value targets like government officials for further attacks.
Then there is the possibility of more sophisticated attacks using the data.
“There is huge potential for logging into people’s accounts by using biometrics,” Tufts University Associate Professor of Cybersecurity Policy Josephine Wolff told The Record. “Just think of it — if you are trying to log onto a protected system you would have a good shot of biometrics being part of that login. Or if you wanted to know which services people are using, iris scans would be really valuable. It would give them access to social welfare programs, so they could extort people by threatening to block access to food or health care.”
The UIDAI told Bloomberg that it is unaware of a breach, and that its biometric database is encrypted, with access secured by multi-factor authentication.