A major cybersecurity incident has compromised sensitive documentation related to India's Kudankulam Nuclear Power Plant, the country's largest atomic facility. The ransomware group World Leaks has made public a substantial collection of files on the dark web, allegedly sourced from Reliance Group, one of the plant's key contractors. The exposed materials purportedly include design blueprints of portions of the facility, supplier information, and operational records spanning from 2016 to mid-2025. The disclosure marks a significant vulnerability in India's nuclear security posture at a facility that forms a cornerstone of Prime Minister Narendra Modi's agenda to substantially increase the nation's atomic energy generating capacity.

Located in Tamil Nadu, the Kudankulam plant occupies a critical role in India's energy infrastructure and strategic plans. The facility's Units 3 and 4, currently under construction and expected to commence operations by 2027, represent an investment in expanding nuclear capacity by 2,000 megawatts combined. Reliance Infrastructure, a subsidiary of the Ambani-controlled Reliance Group, secured a contract in 2018 to design and construct the supporting infrastructure for these two new units. The company confirmed to media outlets that a partial data compromise occurred on servers managed by Yotta, a third-party Indian data centre operator, and that government authorities have been notified of the incident. However, Reliance declined to provide specifics regarding which data categories were compromised.

The breach carries substantial implications for nuclear facility safety, according to security analysts familiar with atomic energy infrastructure. Nickolas Roth, a senior director at the Nuclear Threat Initiative—an organization that advises governments on nuclear security protocols—characterised the exposure as presenting a "serious" threat to plant operations. The incident underscores a broader pattern of escalating cyber attacks targeting Indian corporations, many of which lack adequate defences and response capabilities for sophisticated threats. The timing and scope of this breach illustrate how India's critical infrastructure remains exposed to determined adversaries willing to exploit organisational vulnerabilities.

World Leaks has established itself as a persistent threat to major international corporations. The group previously targeted multinational athletics manufacturer Nike and India's prestigious Tata Group, employing a standard modus operandi: stealing corporate data and demanding ransom payments, then publishing stolen information when companies refuse to comply. In June, World Leaks claimed to have obtained confidential design specifications from Tata Group clients Apple and Tesla, demanding USD 1.5 million before releasing the materials. The group's operational pattern suggests that Reliance may face similar pressure and that the published materials represent only the most sensitive subset of compromised data—approximately 19,000 files from a total cache of 858,000 Reliance documents stored on the World Leaks website.

The technical details of the breach timeline emerged through statements from Yotta. The data centre operator detected suspicious activity on May 29 on a Reliance Infrastructure server, immediately terminating the connection and preventing what appeared to be ransomware execution. However, Reliance Infrastructure subsequently informed Yotta at the end of June that external actors had publicly claimed responsibility for a data breach. Yotta stated it cannot independently verify the attackers' claims but has conducted detailed technical investigations and shared findings with Reliance Infrastructure to support ongoing inquiries. India's National Computer Emergency Response Team, or CERT-In, is investigating the incident in coordination with the Nuclear Power Corporation of India, which commissions and operates the country's seven nuclear facilities.

The specific content of exposed materials poses measured but real security concerns for the facility's operations. The documents appear not to encompass blueprints of the reactor core systems themselves—those critical components are supplied by Russia's state-owned Rosatom—but do reportedly include designs for auxiliary systems including ventilation and cooling infrastructure for Units 3 and 4. Additionally, purported floor plans of a common control room, vendor proposals, supplier approval lists, and records of joint inspections between the Nuclear Power Corporation and Reliance have been published. The materials also apparently contain an insurance policy document indicating that Reliance Infrastructure and the Nuclear Power Corporation hold USD 112 million coverage against terrorism-related damage to either unit.

For security researchers and nuclear specialists, the compromised information creates a potential roadmap for identifying structural vulnerabilities. According to analysis by experts in nuclear facility security, adversaries possessing these materials could theoretically trace support system configurations, identify key suppliers and contractors, and locate potential weaknesses in the security supply chain. The Nuclear Threat Initiative's Roth emphasised that such information reveals not merely which parties have access to the project but which specific systems that access extends to—creating opportunities for sophisticated attacks targeting specific infrastructure nodes. The implications extend beyond the Kudankulam facility itself, as similar supply chain vulnerabilities likely affect other critical infrastructure across India and the broader South Asian region.

India confronts a broader cybersecurity challenge that extends well beyond this single incident. According to cybersecurity company Surfshark's analysis, India ranks third globally for data breaches, with 28.9 million accounts compromised in the previous year, trailing only the United States and France. This ranking reflects systemic vulnerabilities across the Indian corporate and governmental landscape. A 2024 report by the Data Security Council of India and cybersecurity firm Seqrite surveyed 204 organisations across the country and uncovered alarming gaps in cyber preparedness: approximately 73 percent were uncertain whether their organisations had ever experienced cyber attacks, while 57 percent acknowledged lacking adequate cyber hygiene practices. These statistics reveal that many Indian enterprises, including those managing critical infrastructure, operate without basic security standards or monitoring capabilities.

The Kudankulam facility has experienced cyber security incidents previously, indicating a pattern of vulnerability at this specific location. In 2019, malware connected to a North Korean hacker group was identified on the plant's administrative network. At that time, the Nuclear Power Corporation publicly stated that the matter was investigated promptly and that plant operational systems experienced no impact. However, the recurrence of cyber incidents at the same facility raises questions about whether remedial measures implemented following the 2019 breach were adequately comprehensive or effective. The apparent ability of threat actors to repeatedly penetrate Kudankulam's security perimeter suggests that organisational security posture may not have evolved sufficiently to match the sophistication of contemporary cyber threats.

The regional implications of this breach warrant careful consideration for Southeast Asia and South Asia more broadly. As nations throughout the region pursue nuclear energy expansion and critical infrastructure modernisation, the security vulnerabilities demonstrated at Kudankulam serve as a cautionary example of the risks inherent in rapid technological adoption without corresponding investments in cybersecurity maturity. Supply chain vulnerabilities prove especially problematic for nuclear facilities, as components and design information often flow across international borders through multiple contractors and subcontractors. Malicious actors who gain visibility into these networks can potentially identify pressure points affecting multiple facilities simultaneously. The incident highlights how deficiencies in any single nation's cyber defences create spillover risks for neighbouring countries that depend on regional stability and secure infrastructure operations.

Government officials and responsible organisations have largely remained silent regarding the incident. India's Department of Atomic Energy declined comment, while Prime Minister Modi's office did not respond to inquiries. The Nuclear Power Corporation's chairman, Rajesh Veeraraghavan, and CERT-In similarly provided no public statements. This silence reflects the sensitivity surrounding nuclear facility security matters but also limits public understanding of response measures and remedial actions being undertaken. For investors and stakeholders in India's nuclear expansion programme, the lack of transparency regarding breach response and prevention measures may create additional uncertainty about the security and long-term viability of major projects like Kudankulam's new units. As India continues developing its nuclear capacity as a cornerstone of its energy independence strategy, incidents such as this underscore the critical importance of elevating cybersecurity standards across all participating contractors and government agencies to match the sensitivity of nuclear facility operations.