New Delhi: India’s largest nuclear power project has come under fresh cybersecurity scrutiny after a ransomware group claimed to have leaked thousands of files allegedly linked to the Kudankulam Nuclear Power Plant in Tamil Nadu. The Nuclear Power Corporation of India Limited (NPCIL), however, has maintained that the incident has not compromised any systems related to nuclear safety or plant operations.
In a media release on Wednesday, NPCIL’s executive director (CP&CC) and outstanding scientist, Prateek Agrawal, said the documents circulating on the dark web pertain solely to the “Common Services – Balance of Plant” (BoP) package for Units 3 and 4 of the Kudankulam project, both currently under construction in Tamil Nadu. “They are not related to nuclear safety or nuclear security systems,” the statement said.
The clarification followed reports that a ransomware group, World Leaks – formerly known as Hunters International – had published close to 19,000 files, amounting to roughly 14.3 gigabytes of data, allegedly sourced from Reliance Infrastructure, the Anil Ambani-led firm contracted for the Kudankulam expansion. Reuters, which reviewed the material, said the documents were dated between 2016 and mid-2025 and could not have their authenticity independently verified.
The leaked files reportedly include engineering drawings of ventilation and cooling systems, layouts of common control rooms, approved supplier lists, vendor proposals, inspection reports from a 2024 joint review by NPCIL and Reliance, equipment photographs, internal meeting records and insurance documentation, including a policy said to cover losses of up to $112 million in the event of a terrorist act against Unit 3 or Unit 4.
NPCIL said the engineering, procurement and construction contract for the BoP package was awarded to Reliance Infrastructure in 2018 through open tendering, and that the company had prepared detailed drawings in consultation with the relevant original equipment manufacturers, based on indicative specifications supplied during bidding. The reactor systems themselves, the corporation reiterated, are engineered separately by Russia’s state-run Rosatom and were never part of the exposed dataset.
Reliance Infrastructure has acknowledged what it called a partial breach, tracing the incident to a server hosted at a facility run by third-party data centre operator Yotta. Yotta said it had detected suspicious activity on the server on May 29, 2026, and halted an attempted ransomware execution before it could proceed, though it added that investigations into the extent of the compromise were continuing after the group later claimed to possess stolen data.
The acting chairman and managing director of NPCIL, Rajesh V, said the exposed information was confined to what he described as balance of plant systems, unconnected to the operational core of the reactors. The Computer Emergency Response Team (CERT-In) is examining the breach alongside NPCIL to determine how the data was accessed and whether any classified material was involved. Reuters said the Department of Atomic Energy declined to comment, while the Prime Minister’s Office and CERT-In did not respond to queries.
Not everyone has been as sanguine. Nickolas Roth, a senior director at the Washington-based Nuclear Threat Initiative, said the leak could still pose a serious risk, noting that supplier lists, facility layouts and inspection records could help a hostile actor map support systems and identify weak points in the plant’s security chain, even without touching reactor controls directly.
This is not the first cybersecurity scare at Kudankulam. In 2019, malware linked to the North Korea-associated Lazarus Group was found on the plant’s internet-connected administrative network. NPCIL said at the time that the malware never reached the isolated operational systems and that power generation was unaffected throughout.
Kudankulam currently has two operational 1,000MW units, with Units 3 and 4 expected to add a further 2,000MW by 2027 and take the site towards a planned capacity of 6,000MW. The episode adds to a broader debate in India’s strategic establishment about whether cybersecurity investment at critical infrastructure sites is keeping pace with the country’s rapid nuclear expansion, particularly where private contractors and external data centres form part of the supply chain.
