A criminal ransomware group known as World Leaks has published a substantial collection of documents tied to the Kudankulam Nuclear Power Plant on the dark web, marking a significant security incident for India's atomic energy programme. The files allegedly originate from Reliance Group, a major contractor working on the facility, and encompass an estimated 19,000 sensitive documents alongside nearly 858,000 other company records. The disclosed materials reportedly include structural blueprints for sections of the plant, supplier contact information, equipment specifications, and meeting records dating from 2016 through mid-2025. While Reuters examined the documents, the authenticity of the leaked files has not been independently confirmed.

Located in Tamil Nadu in southern India, the Kudankulam Nuclear Power Plant represents the country's most substantial atomic energy installation among seven operational facilities. The facility occupies a central position in Prime Minister Narendra Modi's strategic vision for expanding India's nuclear power generation capacity, a cornerstone of the nation's long-term energy security and carbon reduction objectives. The plant's expansion to Units 3 and 4 is expected to deliver combined generating capacity of 2,000 megawatts once both reactors reach operational status in 2027, demonstrating India's continued investment in nuclear infrastructure despite international concerns about security standards.

Reliance Group acknowledged the incident through a formal statement to Reuters, confirming that unauthorised access had occurred on a server managed by Yotta, a third-party data centre operator based in India. The company characterised the breach as partial in scope, noting that India's government had been informed through proper channels. However, Reliance declined to specify which categories of data had been compromised or provide detailed information about the extent of exposure. This reticence mirrors common corporate responses to such incidents, where companies often limit transparency to minimise reputational damage while remaining compliant with disclosure obligations.

The timing and discovery of the breach reveal important details about how such incidents unfold. Yotta identified suspicious activity originating from the compromised server on May 29, and reported that it immediately terminated the malicious access and prevented what appeared to be ransomware execution. However, Reliance Infrastructure did not notify Yotta of external threat claims until late June, suggesting either a delayed recognition of the breach's severity or a gap in internal communication protocols between the contractor and its service provider. This timeline compression—from May detection to late-June notification—underscores operational vulnerabilities in how critical infrastructure partners handle security incidents.

Nuclear security experts have flagged the potential consequences of exposing such technical documentation. Nickolas Roth, a senior security analyst at the Nuclear Threat Initiative, characterised the breach as posing serious risks to plant safety, explaining that adversaries could leverage the leaked information to understand support systems, identify vulnerable suppliers, and map security weaknesses throughout the facility's operational chain. The disclosed documents purportedly include ventilation and cooling system blueprints for Units 3 and 4, complete floor layouts of the control room, vendor approval lists, and records of joint inspections between the Nuclear Power Corporation and Reliance. Additionally, one document suggests that both organisations had secured terrorism insurance coverage worth $112 million for either reactor, a detail that might interest potential threat actors assessing target value.

Critically, the leaked materials do not appear to contain designs for the reactors' core nuclear systems, which remain under exclusive Russian supply through Rosatom, the state-owned nuclear corporation. This distinction suggests a compartmentalisation of sensitive technical knowledge, though peripheral systems supporting reactor operations remain dangerously exposed. The vulnerability extends across the supply chain, with vendor information and approved supplier lists now available to parties with malicious intent. Such exposure could enable sophisticated adversaries to identify pressure points within India's nuclear infrastructure ecosystem and potentially infiltrate the network through less-protected suppliers.

World Leaks has established itself as a consequential threat actor in the global ransomware landscape, having previously targeted multinational corporations including Nike and India's Tata Group. The group operates according to a conventional extortion model: seeking initial ransom payments, then publishing stolen data on the dark web when companies refuse demands or fail to negotiate. In June, the group disclosed having sought $1.5 million from Tata Group for confidential component designs belonging to Apple and Tesla, materials that were published after what World Leaks characterised as Tata's non-response to ransom demands. The group did not respond to Reuters inquiries regarding the Kudankulam-related files or associated ransom demands.

India's nuclear regulatory apparatus has mobilised in response to the incident. The Nuclear Power Corporation, which oversees commissioning and operations across the country's atomic fleet, has engaged in ongoing communication with Reliance regarding the breach and its implications. India's primary cybersecurity response agency, the Indian Computer Emergency Response Team (CERT-In), has initiated its own investigation into the incident. However, senior officials including Nuclear Power Corporation Chairman Rajesh Veeraraghavan, representatives of CERT-In, and India's Department of Atomic Energy have declined to provide public statements or detailed commentary on the scope of government response. Prime Minister Modi's office similarly did not respond to inquiries, suggesting official preference for managing the situation through non-public channels during the investigative phase.

This breach represents a recurrence rather than an isolated incident affecting Kudankulam. In 2019, malware linked to North Korean state-sponsored hacking groups was discovered on the plant's administrative network, marking the first publicly acknowledged cyber incident at the facility. Although the Nuclear Power Corporation subsequently maintained that plant systems were not affected and the matter had been investigated thoroughly, the reemergence of cybersecurity threats suggests persistent vulnerabilities within India's nuclear infrastructure defences. The two incidents, separated by six years, indicate systemic challenges rather than isolated lapses.

Broader patterns in India's cybersecurity landscape illuminate the contextual factors enabling such breaches. According to cybersecurity firm Surfshark, India ranks third globally among nations experiencing the highest volume of data compromises, with 28.9 million accounts compromised during the past year, trailing only the United States and France. A comprehensive assessment released last year by the Data Security Council of India and cybersecurity firm Seqrite surveyed 204 organisations across the country and found alarming deficiencies: approximately 73 percent of respondents were unable to confirm whether they had experienced cyberattacks, while 57 percent failed to maintain basic cyber hygiene practices. These statistics underscore how many Indian enterprises, including those managing critical infrastructure contracts, operate without fundamental security controls or awareness protocols.

For Southeast Asian observers, the Kudankulam breach carries significant implications. Several nations within the region have initiated or expanded nuclear power programmes, viewing atomic energy as essential for meeting growing electricity demand while reducing carbon emissions. Malaysia, Vietnam, and Indonesia have explored nuclear capacity development, and Thailand has discussed resumed nuclear programmes. The technical and operational vulnerabilities exposed at Kudankulam—encompassing inadequate contractor security practices, delayed threat detection, and gaps in critical infrastructure supply chain visibility—present cautionary lessons for regional governments designing regulatory frameworks and security standards for their own nuclear initiatives. The incident demonstrates that even established nuclear operators in large economies struggle to protect sensitive infrastructure from sophisticated threat actors, a reality that should inform regional policymaking.

The exposure of Reliance's files also raises questions about the adequacy of data centre security standards and third-party risk management practices within India's critical infrastructure ecosystem. Reliance Infrastructure won its contract for Units 3 and 4 in 2018, positions it as a long-term stakeholder in India's nuclear expansion strategy. Yet its security posture, as evidenced by the breach, fell short of standards typically expected for organisations handling sensitive atomic energy documentation. The incident underscores the necessity for governments across Asia to establish stringent vendor qualification requirements, mandatory security certifications, and ongoing compliance auditing for all contractors involved in nuclear infrastructure projects. Without such frameworks, the chain remains vulnerable at its weakest link, regardless of how robust the primary facility's defences might be.