Kudankulam Nuclear Power Plant
Kudankulam Nuclear Power Plant

In a significant cybersecurity incident, a ransomware group known as World Leaks has leaked nearly 19,000 files allegedly linked to India’s largest nuclear power plant, the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu. The exposed data, totaling around 14.3 GB and dating from 2016 to mid-2025, includes purported blueprints, supplier details, engineering drawings, inspection records, meeting notes, and insurance policies.

The Kudankulam facility, a joint Indo-Russian project operated by the Nuclear Power Corporation of India Limited (NPCIL), is central to India’s nuclear energy expansion ambitions under Prime Minister Narendra Modi. The plant currently has operational units, with Units 3 and 4 under construction, expected to add 2,000 MW by 2027. The leaked files primarily relate to conventional “Balance of Plant” (BoP) infrastructure for these units, handled by contractor Reliance Infrastructure (part of the Reliance Group led by Anil Ambani).

Details of the Leak

Source: The files were posted on the dark web by World Leaks, which claimed they originated from Reliance Group systems. Independent researcher Rakesh Krishnan first flagged the breach to media outlets.

Content: Documents reviewed by Reuters, authenticity unverified by the outlet include blueprints for ventilation and cooling systems, common control room layouts, vendor lists, equipment proposals, and a 2024 joint inspection record. One notable file references an insurance policy covering potential terrorism-related damage up to $112 million.

Contract Context: Reliance Infrastructure secured the EPC contract for common services in 2018. The breach reportedly stemmed from a “partial” server compromise at a third-party provider (Yotta Data Services) detected in late May 2026.

Experts have raised concerns about potential risks. Nickolas Roth of the Nuclear Threat Initiative described it as posing a “serious” risk, noting that such data could help adversaries map support systems, identify suppliers, and pinpoint vulnerabilities, even if core nuclear reactor systems supplied by Russia’s Rosatom appear unaffected.

This is not the first cyber incident at Kudankulam; in 2019, malware linked to a North Korean group was detected on the plant’s administrative network, though NPCIL stated operational systems were unharmed.

Official Response and Statements

Indian authorities, including CERT-In (the national cybersecurity agency), have launched investigations. Reliance confirmed a partial breach and notified the government. Yotta Data Services reported terminating suspicious activity promptly.

NPCIL Official Statement

“With reference to reports circulating in the media regarding the Kudankulam Nuclear Power Project (KKNPP) Units 3 and 4, it is clarified that the Engineering, Procurement and Construction (EPC) contract for the Common Services–Balance of Plant (BoP) package was awarded to M/s Reliance Infrastructure Ltd. in 2018 through a public tender process.

As part of the public tendering process, NPCIL provided indicative drawings and technical specifications to the bidders. Based on these inputs and the requirements of the project, the EPC contractor… prepared detailed engineering drawings… The designs proposed… were accepted by NPCIL after review.

NPCIL reiterates that the information claimed to be available in the public domain pertains only to conventional Balance of Plant (BoP) common service facilities and does not relate to any nuclear safety- or nuclear security-related systems or information.”

NPCIL emphasized that the leaked materials concern non-nuclear infrastructure similar to that in thermal power plants and do not impact reactor safety or security systems. Operations at the plant continue normally.

The incident highlights growing cybersecurity challenges in India’s critical infrastructure sector. India ranks high globally in data breaches, and many organizations reportedly lack robust cyber hygiene practices. As the country expands its nuclear capacity, securing supply chains and contractor data will be paramount.

Investigations are ongoing, and further details may emerge as CERT-In and other agencies probe the matter. No evidence has surfaced of immediate threats to plant operations or public safety.