A ransomware group claims to have leaked thousands of files linked to the Kudankulam Nuclear Power Project through a contractor's systems.
NPCIL says the exposed documents are unrelated to nuclear safety or security systems and that reactor operations remain unaffected.
Experts say engineering documents and supplier data can still pose security risks by revealing details about critical infrastructure.
A cache of files linked to the Kudankulam Nuclear Power Project has been published online after a cyber incident involving Reliance Infrastructure, one of the contractors working on the expansion of India's largest nuclear power plant. The incident has prompted an investigation by the Nuclear Power Corporation of India Limited (NPCIL) and the Indian Computer Emergency Response Team (CERT-In), while raising questions about how well sensitive information connected to critical infrastructure is protected.
The episode has also sparked a debate over what constitutes a cyberattack on a nuclear facility. Officials insist there is no evidence that reactor systems or nuclear safety infrastructure were compromised. Yet the reported exposure of engineering documents, supplier information and project records has drawn attention to a vulnerability: the cybersecurity of contractors and third-party service providers that support strategic infrastructure. Here is what is known so far.
What exactly was leaked?
The reported breach centres on files linked to the construction of Kudankulam's Units 3 and 4, which are still being built. Reuters reported that the ransomware group World Leaks published nearly 19,000 files, amounting to around 14.3 GB, allegedly originating from data belonging to Reliance Infrastructure. The documents date from 2016 to mid-2025 and include engineering drawings, supplier information, inspection records, meeting documents and insurance papers.
Reuters said some of the files appear to contain layouts relating to ventilation and cooling systems, lists of approved vendors, records of joint inspections carried out during construction and insurance documents. The news agency reviewed the material but noted that it could not independently verify the authenticity of every document.
NPCIL said the documents were "not related to nuclear safety or nuclear security systems", according to The Hindu. The corporation said the documents relate to the Balance of Plant package, describing these facilities as "of conventional nature" and typically found in thermal power plants and other process industries. The package covers supporting infrastructure rather than the nuclear reactor itself.
However, cybersecurity experts say the absence of reactor or safety-related information does not necessarily eliminate security risks, as engineering drawings, supplier details and project records can still provide valuable intelligence to hostile actors.
Was the nuclear power plant hacked?
There is no indication so far that Kudankulam's operational nuclear systems were breached.
The available information points instead to a compromise involving project data held by a contractor. Reliance Infrastructure secured the engineering, procurement and construction contract for common service facilities at Units 3 and 4 in 2018. As The Hindu reported, NPCIL had provided indicative drawings and technical specifications during the public tendering process, after which Reliance prepared detailed engineering designs in consultation with equipment manufacturers. Those drawings were subsequently reviewed and approved by NPCIL, which has argued that they relate to conventional project infrastructure rather than confidential reactor systems.
According to Reuters, the affected data was linked to a server hosted by third-party data centre provider Yotta rather than to NPCIL's operational networks. That distinction matters. A leak of engineering documents held by a contractor is fundamentally different from unauthorised access to reactor control systems or safety mechanisms. There is no evidence that reactor operations or nuclear safety systems were accessed or disrupted.
How did the breach happen?
Investigators are still piecing together the sequence of events, but the incident appears to have followed a familiar ransomware pattern.
Reuters reported that Yotta detected suspicious activity on a server belonging to Reliance Infrastructure on 29 May and said the suspected ransomware execution was stopped. The company later became aware of claims by external threat actors that project data had been stolen and published on the dark web. Yotta said it shared its technical findings with Reliance Infrastructure and is supporting the ongoing investigation.
The Hindu, citing sources at the project, reported that the development caused concern within Kudankulam's management and that NPCIL and CERT-In had begun examining the incident. Those sources also said suspicious activity had first been noticed in late May before reports of the alleged leak emerged weeks later.
World Leaks is known for stealing corporate data and demanding payment in exchange for not releasing it publicly. If organisations refuse to pay, the group typically publishes the stolen material on its dark web portal. Whether all the files attributed to the Kudankulam project are genuine remains under investigation.
What has Reliance Infrastructure said?
Reliance Infrastructure has acknowledged that there was a "partial breach" involving data stored on infrastructure hosted by Yotta.
In a statement carried by Reuters, the company said it had informed the government about the incident but did not specify which files, if any, had been accessed or whether the material circulating online originated from its systems. It has not publicly commented on the contents of the leaked documents.
NPCIL has simultaneously sought to reassure the public that the incident should not be interpreted as a compromise of the country's nuclear safety framework. As reported by The Hindu, it maintains that the exposed information relates to conventional project infrastructure rather than critical reactor systems.
Why are cybersecurity experts concerned?
The concern is less about immediate operational risk and more about the intelligence value of technical information.
Nickolas Roth of the Nuclear Threat Initiative told Reuters that the leaked files could "show an adversary not just who has access to the project but which systems that access reaches". Individually, such documents may appear routine, but together they can help map support infrastructure, reveal supply chains and identify potential weak points that could be exploited in future cyber or physical attacks.
The incident also illustrates a wider trend in cyberattacks against critical infrastructure. Rather than attempting to penetrate heavily protected operational systems directly, attackers increasingly target contractors, vendors and service providers that may hold extensive project information while operating under different cybersecurity controls.
Does this expose weaknesses in India's critical infrastructure?
The Kudankulam incident does not, based on the information available, demonstrate that India's nuclear reactors or safety systems have been compromised. It does, however, underline the growing importance of securing the wider ecosystem that supports critical infrastructure projects.
The case has inevitably drawn comparisons with the 2019 malware incident involving Kudankulam's administrative network, when NPCIL said reactor operations remained unaffected. Although the two incidents differ, both reinforce the same lesson: cyber resilience depends not only on protecting operational technology but also on safeguarding contractors, suppliers and shared digital infrastructure.
The incident also highlights a broader challenge facing critical infrastructure operators. Nuclear facilities typically maintain strict separation between operational systems and external networks, but contractors often handle engineering documents, procurement records and technical data outside those tightly controlled environments. Protecting those organisations is therefore as important as protecting the facility itself.
As India expands its nuclear power programme and other strategic infrastructure, cybersecurity will increasingly need to extend beyond plant operators to every organisation handling sensitive engineering data. The Kudankulam incident is therefore less a story about compromised reactor controls than about the risks posed by an increasingly complex network of contractors, suppliers and digital service providers supporting India's critical infrastructure.


























