Thousands of files allegedly connected to India’s Kudankulam nuclear
plant have appeared online after contractor Reliance confirmed a partial data
breach involving a third-party server.
BENGALURU, INDIA.— A
ransomware group has published a large collection of documents allegedly linked
to the Kudankulam Nuclear Power Plant, raising questions about contractor
cybersecurity, sensitive infrastructure records and the protection of India’s
expanding nuclear energy program. Reliance Group acknowledged a partial breach
involving data stored on a server hosted by Indian data center provider Yotta
and said the government had been informed.
Reuters reported that the group known as World Leaks posted files it
identified as Reliance data, including purported engineering drawings, supplier
information, inspection material and other project records. Reuters reviewed
the documents but said it could not independently authenticate them.
The available reporting does not establish that Kudankulam’s operational reactor systems were penetrated, disrupted or placed under outside control. The documents examined did not appear to concern the reactors’ core systems, which are supplied by Russia’s state-owned nuclear company Rosatom.
Reliance and Yotta confirm parts of the cybersecurity incident
Reliance Group said the incident involved a partial breach of company
information held on infrastructure operated by Yotta. The company did not
publicly identify the specific records affected or confirm that every document
posted by World Leaks was authentic.
Yotta provided a more detailed timeline. The data center company said
suspicious activity was detected on May 29 on a server belonging to Reliance
Infrastructure. According to its account, the activity was stopped and an
attempted ransomware execution was prevented.
Yotta said Reliance Infrastructure later informed it, near the end of
June, that external actors were claiming to possess company data. The provider
said it had not verified those claims but had supplied its technical findings
to Reliance and was supporting the investigation.
The differing elements of the two statements leave several important
questions unanswered. It remains unclear when information may have been removed
from the server, how long unauthorized access may have continued and whether
the alleged data theft occurred during the activity detected in May or through
another route.
Reliance Infrastructure has worked on facilities connected with Units 3
and 4 at Kudankulam. The company received a contract in 2018 involving the
design and construction of infrastructure for the two units, which remain under
development.
The incident therefore places attention not only on the plant operator
but also on the broader network of contractors, engineering companies,
technology providers and data-hosting services that manage information
associated with major infrastructure projects.
What the documents allegedly reveal about Kudankulam
World Leaks made available what researchers described as nearly 19,000
potentially sensitive files related to Kudankulam. Those records appeared
within a much larger collection of approximately 858,000 files attributed to
Reliance.
The Kudankulam-related material reportedly dated from 2016 through the
middle of 2025. It appeared to include engineering documents, equipment
assessments, meeting records, inspection information, vendor material and
insurance policies.
Among the documents examined were purported drawings involving
ventilation and cooling infrastructure for Units 3 and 4. The collection also
appeared to contain a complete floor arrangement for a shared control-room
facility.
Other files appeared to identify approved suppliers and included vendor
proposals. One record reportedly concerned a 2024 inspection involving Reliance
and the Nuclear Power Corporation of India Limited, or NPCIL, accompanied by
equipment photographs.
The collection also contained an apparent insurance document involving
Reliance Infrastructure and NPCIL. Reuters reported that the policy described
coverage equivalent to $112 million if Unit 3 or Unit 4 experienced an act of
terrorism. The authenticity and current status of the document have not been
independently confirmed.
Publishing supplier identities and project records can create risks even
when the information does not provide direct access to operational technology.
Such material may help an adversary understand how a large project is
organized, which contractors perform particular functions and where sensitive
information is stored or exchanged.
The central unresolved issue is whether the online collection accurately
reflects current plant infrastructure. Some documents may be outdated,
incomplete, superseded or unrelated to active systems. A detailed technical
review would be needed before their operational significance could be assessed.
Why support-system information can still carry security value
The reported absence of reactor-core documentation is an important distinction.
Nuclear facilities generally separate critical operational systems from
administrative and business networks so that a compromise in one area does not
automatically provide access to another.
However, information security specialists often assess exposure
according to how multiple pieces of data can be combined. Building layouts,
contractor directories, equipment records and supplier relationships may offer
context that is not available from a single document.
Nickolas Roth, a senior director at the Nuclear Threat Initiative,
warned that the reported exposure could create a serious security concern. He
said project information could help reveal which organizations have access and
the systems connected to that access.
That warning does not mean a physical threat has been demonstrated. No
public evidence cited in the reporting shows that anyone used the documents to
enter the facility, interfere with construction or affect nuclear operations.
The concern is instead that detailed project information may increase an
adversary’s ability to study people, processes and infrastructure.
The incident also illustrates the challenge of securing data throughout
a long supply chain. A nuclear operator may apply strict controls inside a
plant while contractors retain engineering files, meeting records or project
documents on external business systems.
Security reviews are therefore likely to focus on who could access the
affected server, whether sensitive project information was properly classified
and whether contractors followed required standards for storage, encryption,
retention and monitoring.
Investigators may also examine whether passwords, identity records,
remote-access details or other credentials appeared in the leaked material. No
confirmed public information has established that such data were included.
Kudankulam’s expansion increases the public importance of the review
Kudankulam, located in Tamil Nadu, is India’s largest nuclear power site
and an important part of the country’s plans to increase atomic electricity
generation. The existing project includes operational units as well as
additional reactors under construction.
Units 3 and 4 are expected to add a combined 2,000 megawatts of
generating capacity. Reuters reported that the two units are scheduled to
become operational by 2027.
The scale of the project means that questions about cybersecurity extend
beyond a single company. Construction involves technical information moving
among the plant operator, government organizations, engineering contractors,
equipment manufacturers, inspectors, insurers and service providers.
Large projects can accumulate years of documentation across different
systems. Even when files are not connected directly to reactor operations,
their exposure may create financial, commercial, security or project-management
risks.
Kudankulam also has strategic importance because nuclear power forms
part of India’s effort to expand electricity generation while reducing
dependence on high-emission energy sources. The plant’s development has
involved long-term cooperation with Russia, whose state nuclear industry
supplies the project’s VVER reactor technology.
A transparent assessment of the breach could therefore help establish
whether existing cybersecurity requirements extend consistently across all
organizations handling sensitive nuclear-project information.
The immediate public-interest question is not whether every exposed
document is dangerous. It is whether the responsible organizations can identify
which information is authentic, determine its security value and reduce any
risk created by its release.
Timeline from the May server alert to the July disclosure
The known timeline begins on May 29, when Yotta said it detected
suspicious activity involving a Reliance Infrastructure server. The company
reported that it stopped the activity and prevented suspected ransomware from
executing.
Near the end of June, Reliance Infrastructure informed Yotta that
outside actors had made claims about a data breach. Yotta said it investigated
but had not independently verified the threat actor’s assertions.
By July 15, World Leaks had published a large archive attributed to
Reliance, including the group of documents allegedly associated with
Kudankulam. Reliance confirmed that a partial breach had occurred and said
authorities had been notified.
According to Reuters, NPCIL had been communicating with Reliance and the
Indian Computer Emergency Response Team, known as CERT-In, was examining the
incident. The information came from a person familiar with the matter who was
not publicly identified because of the issue’s sensitivity.
NPCIL’s chairman, CERT-In and the Indian government’s main press office
had not provided responses to Reuters at the time of publication. The
Department of Atomic Energy declined to comment.
Those official gaps mean the public record remains incomplete.
Authorities have not yet released a detailed assessment of the affected
systems, the authenticity of the posted records or any protective measures
taken after the disclosure.
How Kudankulam’s 2019 malware case shapes the latest concerns
The new breach report is not the first cybersecurity issue associated
with Kudankulam. In 2019, malware linked by researchers to a North Korean
hacking group was detected on an administrative network connected with the
plant.
NPCIL said at the time that the affected computer belonged to an
internet-connected administrative network and that the plant’s critical
internal systems were not affected.
The two incidents are not known to be connected. The 2019 event involved
malware found within an administrative environment, while the latest case
concerns data attributed to a contractor and hosted by an external provider.
However, both cases highlight the importance of protecting information
outside the most sensitive operational networks. Administrative systems can
contain employee information, procurement records, internal communications and
project details that may be valuable to intelligence collectors or criminal
groups.
The latest disclosure also comes amid broader concern about
cybersecurity readiness across India. Reuters cited Surfshark data indicating
that approximately 28.9 million Indian accounts were affected by reported data
breaches in 2025.
A study involving the Data Security Council of India and cybersecurity
company Seqrite found that many surveyed organizations lacked visibility into
whether they had been attacked and that a substantial share did not follow
basic cyber-hygiene practices.
Those national statistics do not establish the cause of the Reliance
incident. They provide broader context for the challenge facing organizations
that manage sensitive information across increasingly complex digital supply
chains.
What investigators and nuclear contractors must clarify next
The most important next step is a verified inventory of the exposed
information. Reliance, NPCIL and relevant government agencies will need to
determine which documents are authentic, whether they remain operationally
current and how they were accessed.
Investigators are also likely to examine whether the incident involved
only a contractor’s business network or whether other connected environments
require review. No publicly available evidence currently shows that
Kudankulam’s reactor-control systems were compromised.
Additional scrutiny may focus on the responsibilities shared by Reliance
and Yotta. Yotta said it stopped suspicious activity and prevented ransomware
execution, while Reliance confirmed a partial data breach. Establishing how
both statements fit together will be important to understanding the incident.
Authorities may also consider whether project files should have been
stored differently, whether access permissions were too broad and whether older
records should have been removed from active systems.
For the nuclear sector, the wider lesson is that security depends on
more than protecting reactor technology. Contractors, cloud and data-center
providers, engineering partners and suppliers can become part of the
information-security boundary when they handle detailed project records.
The investigation has not yet established that the leak affected plant
safety or operations. Its significance will depend on the authenticity, sensitivity
and continuing relevance of the exposed information, as well as the steps taken
to reduce any resulting risk.
Further official findings from CERT-In, NPCIL, Reliance or India’s
Department of Atomic Energy will be central to determining the breach’s full
scope and whether additional security measures are required.
By CRNTimes Editorial Team | CRNTimes.com | Bengaluru | July 15, 2026
