Ransomware group World Leaks has posted on the dark web a large cache of files related to India’s largest nuclear power plant, including purported blueprints of parts of its facilities and supplier details, which it labelled as coming from Reliance Group.
The Kudankulam Nuclear Power Plant, located in the southern state of Tamil Nadu, is the largest of India’s seven nuclear power plants and is central to Prime Minister Narendra Modi’s plans to expand the country’s atomic energy capacity.
Indian businessman Anil Ambani’s Reliance Group, one of the plant’s contractors, told Reuters in a statement that there had been a “partial breach” of its data on a server hosted by third-party Indian data centre service provider Yotta, and that the government had been informed about the incident.
Reliance did not disclose what data had been breached.
The data breach could pose a “serious” risk to the safety of the plant, said Nickolas Roth, senior director at the Nuclear Threat Initiative, which advises governments and benchmarks countries’ preparedness on nuclear security. The breach also underscores how hacks have become more common in India, where many companies are ill-equipped to deal with such threats.
Reuters reviewed the documents, which were dated from 2016 to mid-2025, but could not verify their authenticity. In addition to some blueprints and supplier details, they purportedly show meeting and inspection records, equipment reviews and insurance policies.
The 19,000 files appeared to be the most sensitive of a total of 858,000 Reliance files on the World Leaks website.
One of the conglomerate’s subsidiaries, Reliance Infrastructure, won a contract in 2018 to design and build infrastructure for Unit 3 and Unit 4 of the plant. Both units, which are still under construction, are due to become operational by 2027 and are slated to provide a combined capacity of 2,000 megawatts.
World Leaks, a well-known ransomware group that has previously targeted Nike and India’s Tata Group, did not respond to Reuters’ queries on the Reliance data breach. The group typically posts stolen corporate data on its website after companies decline to pay the ransom it demands. Its website can only be accessed using a specialised browser.
In June, World Leaks told Reuters it had sought $1.5 million in ransom for Tata Group files containing confidential component designs belonging to clients Apple and Tesla, adding that it posted the data after Tata “ignored” its demand.
SUSPICIOUS ACTIVITY ON SERVER IN MAY
The Nuclear Power Corporation of India, which commissions and operates the country’s nuclear power plants, has been communicating with Reliance about the breach, and India’s main cybersecurity agency — the Indian Computer Emergency Response Team (CERT-In) — is looking into the incident, according to a source familiar with the matter. The source declined to be identified because of the sensitivity of the issue.
Nuclear Power Corporation Chairman Rajesh Veeraraghavan, CERT-In and the government’s main press office did not respond to repeated requests for comment.
Yotta said in a statement that it detected suspicious activity on May 29 on a server it hosts for Reliance Infrastructure. It said the activity was immediately terminated and the suspected ransomware execution was prevented, but Reliance Infrastructure informed it at the end of June that “external threat actors” had claimed there had been a data breach.
Yotta said it has not been able to verify the claims made by the “threat actor”, but added that it has shared its detailed technical investigation with Reliance Infrastructure and is supporting the ongoing investigation.
India’s Department of Atomic Energy declined to comment, while Modi’s Office did not respond to Reuters’ queries.
BLUEPRINTS AND INSURANCE POLICIES
The documents posted on World Leaks do not appear to relate to the nuclear reactors’ core systems, which are supplied by Russia’s state-owned Rosatom.
They did contain purported blueprints for the ventilation and cooling systems used in Unit 3 and Unit 4, as well as what appeared to be the complete floor layout of a “common control room”.
The files also included what appeared to be vendor proposals, a list of approved suppliers, and a record of a 2024 meeting on a joint inspection by the Nuclear Power Corporation and Reliance, with photographs of equipment.
Another document purports to show that Reliance Infrastructure and the Nuclear Power Corporation had taken out an insurance policy that would entitle them to $112 million if either Unit 3 or Unit 4 were to suffer an act of terrorism.
The files, in the hands of malicious actors, could in theory be exploited to map the plant’s support systems, identify its suppliers and pinpoint weaknesses in its security chain, according to researchers.
They could “show an adversary not just who has access to the project but which systems that access reaches,” said Roth.
India ranked third among countries reporting the highest number of data breaches, with 28.9 million accounts compromised last year, behind only the United States and France, according to cybersecurity company Surfshark.
A report last year by the Data Security Council of India and cybersecurity firm Seqrite said that, of the 204 organisations surveyed across India, about 73 per cent were “unaware if they have ever been attacked”, while 57 per cent lacked cyber hygiene practices.
It is also the second time that the Kudankulam plant has been linked to a cyber incident. Malware tied to a North Korean hacker group was found on the plant’s administrative network in 2019. At the time, the Nuclear Power Corporation said the matter was investigated immediately and that plant systems were not affected.