Advertisement
X

From Lazarus To World Leaks: What Two Kudankulam Cyberattacks Reveal About India's Cybersecurity

The Kudankulam cyber incidents of 2019 and 2026 show how threats to India's critical infrastructure have evolved from espionage-focused malware to ransomware-driven data breaches

From Lazarus To World Leaks: What Two Cyber Incidents At The Kudankulam Nuclear Power Plant Reveal About India's Cybersecurity
Summary
  • The 2019 Lazarus-linked malware targeted Kudankulam's administrative network without affecting reactor operations

  • The 2026 World Leaks breach exposed sensitive contractor documents through a third-party server rather than the plant's operational systems

  • The incidents highlight stronger protection of core nuclear systems but continuing vulnerabilities across contractors and supply chains

India's largest nuclear power station at Kudankulam has twice become the focus of major cybersecurity concerns within seven years. While the 2019 incident involved malware linked to the North Korea-backed Lazarus Group, the latest 2026 breach is centred on ransomware group World Leaks, which claims to have leaked thousands of sensitive project documents.

Together, the two episodes illustrate how cyber threats targeting critical infrastructure have shifted from covert espionage to data theft and extortion, while raising questions about the country's cyber preparedness.

Revisiting the 2019 Kudankulam malware incident

The first major cybersecurity scare emerged in October 2019 when the Nuclear Power Corporation of India Ltd. (NPCIL) confirmed that malware had infected a computer connected to the plant's administrative network. Cybersecurity researchers attributed the attack to DTrack malware associated with the Lazarus Group.

NPCIL maintained that the reactor control systems remained isolated through air-gapped networks and that operational safety was never compromised. However, the incident exposed weaknesses in non-operational systems and highlighted that even segregated critical infrastructure depends on digital administrative networks for routine operations.

Understanding the 2026 ransomware breach

The latest incident differs significantly in both method and objective. Reuters reported that ransomware group World Leaks published nearly 19,000 files allegedly linked to the Kudankulam Nuclear Power Plant after compromising data associated with contractor Reliance Infrastructure. The company acknowledged a partial breach involving a third-party server hosted by Yotta, while authorities launched an investigation. 

The leaked material reportedly includes engineering drawings, supplier information, inspection records and insurance documents connected largely to Units 3 and 4 under construction. NPCIL has stated that no files relating to nuclear safety systems or reactor operations were compromised and that the plant's core operational network remains secure. 

How attack techniques have evolved

The contrast between the two incidents reflects broader changes in global cyber threats.

The 2019 malware operation appeared focused on stealth, intelligence gathering and long-term access. Such advanced persistent threats typically seek sensitive information while remaining undetected.

Advertisement

The 2026 incident follows a different model. Modern ransomware groups increasingly combine data theft with public disclosure and extortion rather than merely encrypting systems. Instead of disrupting reactor operations, attackers aim to pressure organisations by exposing confidential corporate documents and engineering information.

Why administrative systems still matter

Both incidents underline that cyber risks extend beyond reactor control rooms.

Administrative systems contain procurement records, vendor details, engineering plans, employee information and project documentation. Even if operational networks remain isolated, stolen administrative data can assist hostile actors in mapping infrastructure, identifying suppliers or planning future attacks.

Experts note that contractors and third-party service providers have become attractive entry points because they often maintain digital connections with strategic projects while operating under different cybersecurity standards. 

What changed after 2019?

Since the Lazarus incident, India has strengthened cyber audits, incident reporting and monitoring of critical infrastructure through agencies including CERT-In and sector-specific security mechanisms. Organisations handling strategic assets have also expanded network segmentation, endpoint monitoring and supply-chain risk assessments.

Advertisement

The current investigation indicates faster coordination among government agencies, plant operators and private contractors than was visible during the 2019 episode. 

Has India become more resilient—or merely more reassuring?

The evidence suggests both progress and continuing vulnerabilities.

Operational reactor systems appear better protected through network isolation, but the World Leaks breach demonstrates that contractors, cloud infrastructure and administrative databases remain exposed. As India's nuclear capacity expands, cybersecurity will increasingly depend not only on securing reactors but also on protecting the wider digital ecosystem that supports them.

Published At:
US