Kudankulam nuclear plant files exposed after Reliance confirms data breach

Thousands of files allegedly connected to India’s Kudankulam nuclear plant have appeared online after contractor Reliance confirmed a partial data breach involving a third-party server.

 

Coastal view of the Kudankulam Nuclear Power Plant in Tamil Nadu amid an investigation into a contractor data breach.

BENGALURU, INDIA.— A ransomware group has published a large collection of documents allegedly linked to the Kudankulam Nuclear Power Plant, raising questions about contractor cybersecurity, sensitive infrastructure records and the protection of India’s expanding nuclear energy program. Reliance Group acknowledged a partial breach involving data stored on a server hosted by Indian data center provider Yotta and said the government had been informed.

Reuters reported that the group known as World Leaks posted files it identified as Reliance data, including purported engineering drawings, supplier information, inspection material and other project records. Reuters reviewed the documents but said it could not independently authenticate them.

The available reporting does not establish that Kudankulam’s operational reactor systems were penetrated, disrupted or placed under outside control. The documents examined did not appear to concern the reactors’ core systems, which are supplied by Russia’s state-owned nuclear company Rosatom.

Reliance and Yotta confirm parts of the cybersecurity incident

Reliance Group said the incident involved a partial breach of company information held on infrastructure operated by Yotta. The company did not publicly identify the specific records affected or confirm that every document posted by World Leaks was authentic.

Yotta provided a more detailed timeline. The data center company said suspicious activity was detected on May 29 on a server belonging to Reliance Infrastructure. According to its account, the activity was stopped and an attempted ransomware execution was prevented.

Yotta said Reliance Infrastructure later informed it, near the end of June, that external actors were claiming to possess company data. The provider said it had not verified those claims but had supplied its technical findings to Reliance and was supporting the investigation.

The differing elements of the two statements leave several important questions unanswered. It remains unclear when information may have been removed from the server, how long unauthorized access may have continued and whether the alleged data theft occurred during the activity detected in May or through another route.

Reliance Infrastructure has worked on facilities connected with Units 3 and 4 at Kudankulam. The company received a contract in 2018 involving the design and construction of infrastructure for the two units, which remain under development.

The incident therefore places attention not only on the plant operator but also on the broader network of contractors, engineering companies, technology providers and data-hosting services that manage information associated with major infrastructure projects.

What the documents allegedly reveal about Kudankulam

World Leaks made available what researchers described as nearly 19,000 potentially sensitive files related to Kudankulam. Those records appeared within a much larger collection of approximately 858,000 files attributed to Reliance.

The Kudankulam-related material reportedly dated from 2016 through the middle of 2025. It appeared to include engineering documents, equipment assessments, meeting records, inspection information, vendor material and insurance policies.

Among the documents examined were purported drawings involving ventilation and cooling infrastructure for Units 3 and 4. The collection also appeared to contain a complete floor arrangement for a shared control-room facility.

Other files appeared to identify approved suppliers and included vendor proposals. One record reportedly concerned a 2024 inspection involving Reliance and the Nuclear Power Corporation of India Limited, or NPCIL, accompanied by equipment photographs.

The collection also contained an apparent insurance document involving Reliance Infrastructure and NPCIL. Reuters reported that the policy described coverage equivalent to $112 million if Unit 3 or Unit 4 experienced an act of terrorism. The authenticity and current status of the document have not been independently confirmed.

Publishing supplier identities and project records can create risks even when the information does not provide direct access to operational technology. Such material may help an adversary understand how a large project is organized, which contractors perform particular functions and where sensitive information is stored or exchanged.

The central unresolved issue is whether the online collection accurately reflects current plant infrastructure. Some documents may be outdated, incomplete, superseded or unrelated to active systems. A detailed technical review would be needed before their operational significance could be assessed.

Why support-system information can still carry security value

The reported absence of reactor-core documentation is an important distinction. Nuclear facilities generally separate critical operational systems from administrative and business networks so that a compromise in one area does not automatically provide access to another.

However, information security specialists often assess exposure according to how multiple pieces of data can be combined. Building layouts, contractor directories, equipment records and supplier relationships may offer context that is not available from a single document.

Nickolas Roth, a senior director at the Nuclear Threat Initiative, warned that the reported exposure could create a serious security concern. He said project information could help reveal which organizations have access and the systems connected to that access.

That warning does not mean a physical threat has been demonstrated. No public evidence cited in the reporting shows that anyone used the documents to enter the facility, interfere with construction or affect nuclear operations. The concern is instead that detailed project information may increase an adversary’s ability to study people, processes and infrastructure.

The incident also illustrates the challenge of securing data throughout a long supply chain. A nuclear operator may apply strict controls inside a plant while contractors retain engineering files, meeting records or project documents on external business systems.

Security reviews are therefore likely to focus on who could access the affected server, whether sensitive project information was properly classified and whether contractors followed required standards for storage, encryption, retention and monitoring.

Investigators may also examine whether passwords, identity records, remote-access details or other credentials appeared in the leaked material. No confirmed public information has established that such data were included.

Kudankulam’s expansion increases the public importance of the review

Kudankulam, located in Tamil Nadu, is India’s largest nuclear power site and an important part of the country’s plans to increase atomic electricity generation. The existing project includes operational units as well as additional reactors under construction.

Units 3 and 4 are expected to add a combined 2,000 megawatts of generating capacity. Reuters reported that the two units are scheduled to become operational by 2027.

The scale of the project means that questions about cybersecurity extend beyond a single company. Construction involves technical information moving among the plant operator, government organizations, engineering contractors, equipment manufacturers, inspectors, insurers and service providers.

Large projects can accumulate years of documentation across different systems. Even when files are not connected directly to reactor operations, their exposure may create financial, commercial, security or project-management risks.

Kudankulam also has strategic importance because nuclear power forms part of India’s effort to expand electricity generation while reducing dependence on high-emission energy sources. The plant’s development has involved long-term cooperation with Russia, whose state nuclear industry supplies the project’s VVER reactor technology.

A transparent assessment of the breach could therefore help establish whether existing cybersecurity requirements extend consistently across all organizations handling sensitive nuclear-project information.

The immediate public-interest question is not whether every exposed document is dangerous. It is whether the responsible organizations can identify which information is authentic, determine its security value and reduce any risk created by its release.

Timeline from the May server alert to the July disclosure

The known timeline begins on May 29, when Yotta said it detected suspicious activity involving a Reliance Infrastructure server. The company reported that it stopped the activity and prevented suspected ransomware from executing.

Near the end of June, Reliance Infrastructure informed Yotta that outside actors had made claims about a data breach. Yotta said it investigated but had not independently verified the threat actor’s assertions.

By July 15, World Leaks had published a large archive attributed to Reliance, including the group of documents allegedly associated with Kudankulam. Reliance confirmed that a partial breach had occurred and said authorities had been notified.

According to Reuters, NPCIL had been communicating with Reliance and the Indian Computer Emergency Response Team, known as CERT-In, was examining the incident. The information came from a person familiar with the matter who was not publicly identified because of the issue’s sensitivity.

NPCIL’s chairman, CERT-In and the Indian government’s main press office had not provided responses to Reuters at the time of publication. The Department of Atomic Energy declined to comment.

Those official gaps mean the public record remains incomplete. Authorities have not yet released a detailed assessment of the affected systems, the authenticity of the posted records or any protective measures taken after the disclosure.

How Kudankulam’s 2019 malware case shapes the latest concerns

The new breach report is not the first cybersecurity issue associated with Kudankulam. In 2019, malware linked by researchers to a North Korean hacking group was detected on an administrative network connected with the plant.

NPCIL said at the time that the affected computer belonged to an internet-connected administrative network and that the plant’s critical internal systems were not affected.

The two incidents are not known to be connected. The 2019 event involved malware found within an administrative environment, while the latest case concerns data attributed to a contractor and hosted by an external provider.

However, both cases highlight the importance of protecting information outside the most sensitive operational networks. Administrative systems can contain employee information, procurement records, internal communications and project details that may be valuable to intelligence collectors or criminal groups.

The latest disclosure also comes amid broader concern about cybersecurity readiness across India. Reuters cited Surfshark data indicating that approximately 28.9 million Indian accounts were affected by reported data breaches in 2025.

A study involving the Data Security Council of India and cybersecurity company Seqrite found that many surveyed organizations lacked visibility into whether they had been attacked and that a substantial share did not follow basic cyber-hygiene practices.

Those national statistics do not establish the cause of the Reliance incident. They provide broader context for the challenge facing organizations that manage sensitive information across increasingly complex digital supply chains.

What investigators and nuclear contractors must clarify next

The most important next step is a verified inventory of the exposed information. Reliance, NPCIL and relevant government agencies will need to determine which documents are authentic, whether they remain operationally current and how they were accessed.

Investigators are also likely to examine whether the incident involved only a contractor’s business network or whether other connected environments require review. No publicly available evidence currently shows that Kudankulam’s reactor-control systems were compromised.

Additional scrutiny may focus on the responsibilities shared by Reliance and Yotta. Yotta said it stopped suspicious activity and prevented ransomware execution, while Reliance confirmed a partial data breach. Establishing how both statements fit together will be important to understanding the incident.

Authorities may also consider whether project files should have been stored differently, whether access permissions were too broad and whether older records should have been removed from active systems.

For the nuclear sector, the wider lesson is that security depends on more than protecting reactor technology. Contractors, cloud and data-center providers, engineering partners and suppliers can become part of the information-security boundary when they handle detailed project records.

The investigation has not yet established that the leak affected plant safety or operations. Its significance will depend on the authenticity, sensitivity and continuing relevance of the exposed information, as well as the steps taken to reduce any resulting risk.

Further official findings from CERT-In, NPCIL, Reliance or India’s Department of Atomic Energy will be central to determining the breach’s full scope and whether additional security measures are required.

 

By CRNTimes Editorial Team | CRNTimes.com | Bengaluru | July 15, 2026

Publicar un comentario

Artículo Anterior Artículo Siguiente

نموذج الاتصال