India's largest nuclear power facility has fallen victim to a significant data breach that has exposed sensitive operational and structural information to criminal elements online. The Kudankulam Nuclear Power Plant in Tamil Nadu, which sits at the centre of Prime Minister Narendra Modi's strategy to substantially expand the nation's atomic energy capacity, has become the target of World Leaks, a notorious ransomware group known for striking major multinational corporations. The group has deposited approximately 19,000 files on the dark web, claiming to have obtained them from Reliance Group, a major contractor involved in the plant's expansion project.
Reliance Group, the conglomerate of billionaire Anil Ambani, acknowledged the incident through a formal statement to media outlets, describing it as a "partial breach" of information stored on servers maintained by Yotta, a third-party data centre operator based in India. The company indicated that government authorities have been notified of the incident, though it conspicuously refrained from detailing precisely what categories of information had been compromised. This deliberate opacity has raised eyebrows among cybersecurity specialists and observers monitoring the situation, as transparency regarding breach scope is typically crucial for understanding the full scale of potential vulnerabilities.
The timing and nature of the breach are particularly troubling given the strategic importance of Kudankulam to India's energy infrastructure and its significance for the broader Asian region. Experts from the Nuclear Threat Initiative, an international organisation that works with governments on atomic security matters, have characterised the breach as posing "serious" threats to the facility's operational safety. The incident underscores a troubling pattern across Indian industry, where many enterprises remain dangerously underprepared to detect, contain, and respond to sophisticated cyber threats. This vulnerability is especially alarming when applied to critical infrastructure sectors where failure could have catastrophic consequences extending beyond corporate balance sheets.
While Reuters journalists examined the posted documents, which span from 2016 through mid-2025, they could not independently authenticate whether the files represent genuine materials or fabrications designed to appear credible. The collection reportedly encompasses blueprint documentation, supplier contact information, meeting transcripts, inspection records, equipment evaluations, and insurance documentation. Reliance Infrastructure, a subsidiary of the larger conglomerate, secured a contract in 2018 to oversee the design and construction of supporting infrastructure for Units 3 and 4 at the facility. These two reactors, currently under development, are scheduled to commence operations by 2027 and will collectively generate 2,000 megawatts of electrical capacity, representing a substantial contribution to India's renewable energy transition goals.
World Leaks, which has previously targeted sports equipment manufacturer Nike and India's Tata Group, operates according to a familiar extortion playbook. The group pilfers confidential corporate information and publishes it to a dark web portal accessible only through specialised browsers, typically after corporate victims refuse to pay demanded ransoms. In June alone, the same group publicised files stolen from Tata Group that allegedly contained classified component designs belonging to Apple and Tesla, claiming that Tata had ignored a $1.5 million ransom demand. The organisation did not respond to inquiries regarding its operations against Reliance or its potential objectives.
Investigation into the breach began after suspicious activity was detected on May 29 on a Reliance Infrastructure server hosted by Yotta. The data centre provider indicated that it immediately terminated the suspicious activity and prevented what appeared to be ransomware execution commands. However, Reliance Infrastructure subsequently informed Yotta at the end of June that external actors had begun making public claims about a successful data theft. Despite these claims, Yotta stated it has been unable to independently verify that information was actually stolen, though it has furnished detailed technical investigation findings to Reliance Infrastructure and is collaborating in the ongoing investigation process.
The Nuclear Power Corporation of India, which maintains operational oversight of the country's atomic facilities, has been engaged in discussions with Reliance regarding the incident. Simultaneously, CERT-In, India's principal cybersecurity emergency response agency, has undertaken its own examination of the breach. Government officials, including the nuclear regulator, declined to comment publicly on the investigation or its preliminary findings, citing operational sensitivities. The Department of Atomic Energy similarly refrained from discussing the matter, while the Prime Minister's office provided no response to media inquiries.
Among the materials that researchers could examine, the documents do not appear to encompass the reactor cores themselves, which are supplied by Russia's state-owned Rosatom and represent the most critical and heavily protected components of the facility. However, the breach does appear to include purported technical designs for ventilation and cooling infrastructure planned for Units 3 and 4, along with what appear to be comprehensive floor schematics for a centralised control room where operators manage plant functions. Additional documents show vendor proposals, approved supplier rosters, meeting minutes from 2024 joint inspections between the Nuclear Power Corporation and Reliance, complete with photographic documentation of equipment installations. The files apparently also reference an insurance arrangement between Reliance Infrastructure and the Nuclear Power Corporation establishing a $112 million payout provision in the event that either reactor unit sustained damage from terrorist actions.
Security researchers and analysts have warned that such information, once in the possession of hostile actors, could be weaponised in multiple ways. An adversary armed with access to these materials could potentially map the supporting systems that enable plant operations, identify the companies that supply critical components, and locate potential vulnerabilities within the supply chain and security infrastructure. Experts note that the exposed information could reveal not merely which organisations maintain access to the project, but the specific systems that access extends to, effectively creating a roadmap for potential infiltration attempts. This concern is amplified by the apparent inclusion of supplier details and security arrangements, which could enable sophisticated attackers to develop multi-pronged assault strategies targeting the facility through less secure third-party points of entry.
India's cybersecurity landscape presents a particularly vulnerable target for such attacks. The nation ranks third globally in terms of the quantity of data breaches and compromised accounts, with approximately 28.9 million accounts breached in the most recent reporting year, trailing only the United States and France according to cybersecurity firm Surfshark. A comprehensive report published by India's Data Security Council and cybersecurity specialists from Seqrite revealed that among 204 organisations surveyed across the country, roughly 73 percent remain unaware whether they have experienced cyber attacks, while 57 percent lack fundamental cyber hygiene practices. These statistics suggest that the Kudankulam breach represents not an isolated security failure but rather the visible manifestation of systemic vulnerabilities pervading critical sectors across the nation.
This incident also represents a troubling recurrence for the Kudankulam facility specifically. In 2019, malware attributed to North Korean hacking operations was discovered on the plant's administrative computer network. At that time, the Nuclear Power Corporation asserted that personnel had conducted immediate investigation and that core plant systems remained uncompromised. The latest breach thus suggests that despite that prior incident and the lessons it should have imparted, the facility and its associated contractors have struggled to implement sufficiently robust protective measures to prevent sophisticated intrusion. For regional observers, particularly across Southeast Asia where several nations are either operating or developing nuclear infrastructure, the Kudankulam incident serves as a sobering reminder of the cyber threats confronting atomic facilities and the pressing need for substantially strengthened international cooperation on nuclear cybersecurity standards and information sharing protocols.
