The 2019 Lazarus-linked malware targeted Kudankulam's administrative network without affecting reactor operations
The 2026 World Leaks breach exposed sensitive contractor documents through a third-party server rather than the plant's operational systems
The incidents highlight stronger protection of core nuclear systems but continuing vulnerabilities across contractors and supply chains
India's largest nuclear power station at Kudankulam has twice become the focus of major cybersecurity concerns within seven years. While the 2019 incident involved malware linked to the North Korea-backed Lazarus Group, the latest 2026 breach is centred on ransomware group World Leaks, which claims to have leaked thousands of sensitive project documents.
Together, the two episodes illustrate how cyber threats targeting critical infrastructure have shifted from covert espionage to data theft and extortion, while raising questions about the country's cyber preparedness.
Revisiting the 2019 Kudankulam malware incident
The first major cybersecurity scare emerged in October 2019 when the Nuclear Power Corporation of India Ltd. (NPCIL) confirmed that malware had infected a computer connected to the plant's administrative network. Cybersecurity researchers attributed the attack to DTrack malware associated with the Lazarus Group.
NPCIL maintained that the reactor control systems remained isolated through air-gapped networks and that operational safety was never compromised. However, the incident exposed weaknesses in non-operational systems and highlighted that even segregated critical infrastructure depends on digital administrative networks for routine operations.
Understanding the 2026 ransomware breach
The latest incident differs significantly in both method and objective. Reuters reported that ransomware group World Leaks published nearly 19,000 files allegedly linked to the Kudankulam Nuclear Power Plant after compromising data associated with contractor Reliance Infrastructure. The company acknowledged a partial breach involving a third-party server hosted by Yotta, while authorities launched an investigation.
The leaked material reportedly includes engineering drawings, supplier information, inspection records and insurance documents connected largely to Units 3 and 4 under construction. NPCIL has stated that no files relating to nuclear safety systems or reactor operations were compromised and that the plant's core operational network remains secure.
How attack techniques have evolved
The contrast between the two incidents reflects broader changes in global cyber threats.
The 2019 malware operation appeared focused on stealth, intelligence gathering and long-term access. Such advanced persistent threats typically seek sensitive information while remaining undetected.
The 2026 incident follows a different model. Modern ransomware groups increasingly combine data theft with public disclosure and extortion rather than merely encrypting systems. Instead of disrupting reactor operations, attackers aim to pressure organisations by exposing confidential corporate documents and engineering information.
Why administrative systems still matter
Both incidents underline that cyber risks extend beyond reactor control rooms.
Administrative systems contain procurement records, vendor details, engineering plans, employee information and project documentation. Even if operational networks remain isolated, stolen administrative data can assist hostile actors in mapping infrastructure, identifying suppliers or planning future attacks.
Experts note that contractors and third-party service providers have become attractive entry points because they often maintain digital connections with strategic projects while operating under different cybersecurity standards.
What changed after 2019?
Since the Lazarus incident, India has strengthened cyber audits, incident reporting and monitoring of critical infrastructure through agencies including CERT-In and sector-specific security mechanisms. Organisations handling strategic assets have also expanded network segmentation, endpoint monitoring and supply-chain risk assessments.
The current investigation indicates faster coordination among government agencies, plant operators and private contractors than was visible during the 2019 episode.
Has India become more resilient—or merely more reassuring?
The evidence suggests both progress and continuing vulnerabilities.
Operational reactor systems appear better protected through network isolation, but the World Leaks breach demonstrates that contractors, cloud infrastructure and administrative databases remain exposed. As India's nuclear capacity expands, cybersecurity will increasingly depend not only on securing reactors but also on protecting the wider digital ecosystem that supports them.



























