Nuclear Power Plant
Nuclear Power Plantians

In a significant incident that has sent ripples through India's national security and nuclear establishment, the ransomware and data-extortion group World Leaks has publicly released nearly 19,000 sensitive files linked to the Kudankulam Nuclear Power Plant (KNPP), India's largest operational atomic energy facility. The leaked documents, which surfaced on the dark web and were detailed in an exclusive Reuters investigation published on July 15, 2026, originate from a contractor involved in the plant's ongoing expansion and have raised serious questions about supply-chain vulnerabilities in critical infrastructure.

The breach centers on data allegedly stolen from Reliance Infrastructure, part of the Anil Ambani-led Reliance Group. It forms a subset of a much larger cache of approximately 858,000 files that World Leaks posted online. While there is no indication that core nuclear reactor operations were compromised, nuclear security experts warn that the exposed information could still provide adversaries with valuable insights for future targeting.

Comprehensive Details of the Breach and Exposed Materials

The incident traces back to suspicious activity detected on a Reliance Infrastructure server hosted by the Indian data center provider Yotta on May 29, 2026. Yotta stated that it promptly terminated the activity and prevented what it believed was an attempted ransomware execution. At the end of June, Reliance notified Yotta of external claims that a data breach had occurred. The provider has since provided its full technical findings to Reliance and is actively supporting the government investigation.

Reliance Infrastructure confirmed a "partial breach" and informed the government. The company has not publicly detailed the exact scope of the compromised data. The leaked Kudankulam-related files, spanning 2016 to mid-2025, primarily pertain to Units 3 and 4, which remain under construction and are scheduled to begin commercial operations by 2027. Reuters reviewed samples but could not independently authenticate every document. The 19,000 plant-specific files represent the most sensitive portion of the overall Reliance cache.

Specific verified categories of leaked information include engineering blueprints and technical drawings for ventilation and cooling systems serving Units 3 and 4.

Detailed floor layouts of a common control room.

Equipment inspection reports, vendor proposals, and comprehensive lists of approved suppliers.
Records and photographs from a 2024 joint inspection conducted by NPCIL and Reliance teams.
Insurance policies, notably one providing up to $112 million in coverage if either Unit 3 or Unit 4 were impacted by an act of terrorism.

Additional project documentation such as running account (RA) invoices, DWG and PDF drawings, P&IDs, general arrangement (GA) drawings, quality assurance plans (QAPs), CRS sheets, and official transmittals to NPCIL.

The materials do not encompass the nuclear reactors' core systems or safety-critical instrumentation, which are supplied and controlled by Russia's state-owned Rosatom. No evidence has surfaced of direct compromise to the plant's operational technology networks or active power-generating units.

The alleged data leak concerning Kudankulam's Units 3 and 4 does not involve any nuclear-related information, clarified the Nuclear Power Corporation of India (NPCIL) later.

Reliance Infrastructure's Contractual Role

Reliance Infrastructure secured its involvement in April 2018 through a competitive bidding process. It won an Engineering, Procurement, and Construction (EPC) contract valued at approximately β‚Ή1,081 crore (around $165 million at the time) from NPCIL. The scope covers the Common Services System, Structure & Components (SSC) package along with allied civil works for Units 3 and 4. Responsibilities include complete design, engineering, supply, erection, testing, and commissioning. The contract included an imported component valued at roughly $23.2 million and was executed against competition from major players such as BHEL, L&T, Tata Projects, and BGR Energy. The original project timeline targeted commissioning within 56 months.

Expert Assessment and Broader Risks

Nuclear security professionals have voiced measured but firm concern. Nickolas Roth of the Nuclear Threat Initiative described the breach as potentially posing a "serious risk" to plant safety. He explained that the files could reveal not only personnel and supplier access but also the specific systems those parties can reach, enabling adversaries to identify weak points in the broader ecosystem.

While the immediate threat to reactor operations appears contained, analysts note that detailed blueprints of support systems, supplier maps, and project logistics could facilitate supply-chain attacks, physical sabotage planning, or more targeted cyber operations in the future. This risk is amplified by India's challenging cybersecurity environment: the country recorded 28.9 million compromised accounts in the preceding year, third-highest globally according to Surfshark. A joint Data Security Council of India–Seqrite survey of 204 organizations found that 73% were unaware of any prior attacks against them, and 57% lacked basic cyber hygiene practices.

Precedent: The 2019 Kudankulam Malware Incident

The current event echoes a previous cybersecurity challenge at the same site. In September 2019, DTrack malware associated with North Korea's Lazarus Group (APT38) was discovered on an internet-connected administrative computer. Investigations later suggested the intrusion may have persisted undetected for more than six months. NPCIL publicly acknowledged the incident on October 30, 2019, clarifying that only a non-critical administrative system was affected and that essential control systems for the reactors remained untouched. The response involved specialists from the Department of Atomic Energy and CERT-In.

Official Response and Plant Context

As of July 15, 2026, India's CERT-In is leading the investigation in coordination with NPCIL. NPCIL has maintained direct communication with Reliance. No detailed public briefings have been issued by NPCIL Chairman Rajesh Veeraraghavan, the Department of Atomic Energy, or the Prime Minister's Office. World Leaks, which did not respond to media inquiries, has a track record of targeting major corporations, including a notable 2026 breach involving Tata Electronics with links to Apple and Tesla supply chains.

Kudankulam, situated on the Tamil Nadu coastline in Tirunelveli district, houses two operational 1,000 MW VVER-1000 pressurized water reactors (Units 1 and 2) built with Russian collaboration. These units supply electricity to the southern regional grid. The addition of Units 3 and 4 will significantly boost capacity, aligning with India's long-term strategy to expand nuclear power as part of its energy security and clean energy transition goals.

In-Depth Analysis and Forward Path

This breach highlights the evolving nature of threats to critical infrastructure, where third-party contractors and data-center providers increasingly represent potential weak links. Although the exposed files focus on non-core support systems, the aggregation of technical drawings, supplier details, and project metadata creates a potentially valuable intelligence package for state or non-state actors. In an era of heightened geopolitical tensions, such incidents demand not only reactive investigation but proactive, systemic strengthening.

Immediate recommended actions include:
A thorough, independent forensic audit of all impacted systems and networks.
Detailed vulnerability assessments targeting ventilation, cooling, control room, and supply-chain elements.

  • Immediate containment steps such as credential rotation, enhanced monitoring, and network segmentation.
  • Coordinated information sharing among NPCIL, CERT-In, Reliance, Yotta, and relevant international partners.
  • Longer-term measures for strategic sectors (nuclear, defense, energy, telecommunications, and space) should encompass:
  • Mandatory, enforceable cybersecurity standards for all contractors and subcontractors, backed by regular third-party audits and "right-to-audit" contract clauses.
  • Widespread adoption of zero-trust architectures, with rigorous separation between administrative/IT networks and operational technology (OT) systems.
  • Development of a robust national critical infrastructure cybersecurity framework featuring mandatory 24-hour incident reporting, periodic red-teaming, and supply-chain risk mapping.
  • Substantial investment in indigenous R&D, talent development, and deployment of advanced AI-driven threat detection tools.
  • Strengthening public-private partnerships and selective international collaboration β€” particularly on nuclear cybersecurity norms β€” while preserving sovereign control.
  • Regular updates to cyber insurance policies and comprehensive business continuity/disaster recovery plans tailored to high-consequence environments.

As India pursues ambitious nuclear expansion under initiatives aimed at long-term energy independence, the Kudankulam breach serves as a timely reminder that technological progress must be matched by equally sophisticated security measures. Further verified details are expected to emerge as the CERT-In and NPCIL investigation progresses. No operational disruptions at the Kudankulam plant have been reported.

[Major General Dr. Dilawar Singh, IAV, is a distinguished strategist having held senior positions in technology, defence, and corporate governance. He serves on global boards and advises on leadership, emerging technologies, and strategic affairs, with a focus on aligning India's interests in the evolving global technological order.]