NPCIL cyber attack explained: What was leaked in the Kudankulam data breach?
Thousands of files allegedly linked to the Kudankulam Nuclear Power Plant (KKNPP) surfaced on the dark web after ransomware group World Leaks claimed to have breached the systems of one of the project's contractors. The documents reportedly include engineering drawings, vendor details, inspection re

Thousands of files allegedly linked to the Kudankulam Nuclear Power Plant (KKNPP) surfaced on the dark web after ransomware group World Leaks claimed to have breached the systems of one of the project's contractors. The documents reportedly include engineering drawings, vendor details, inspection records and other project-related files spanning nearly a decade.While the Nuclear Power Corporation of India Limited (NPCIL) has maintained that none of the leaked information relates to nuclear safety or reactor systems, cybersecurity experts say even non-classified infrastructure documents could reveal details about a strategic facility's support systems and supply chain. Here's what is known so far.What happened?Cybersecurity researchers reported that ransomware group World Leaks uploaded around 19,000 files, totalling nearly 14.3 GB, to its dark web leak site. The files were tagged with "KKNP", an acronym referring to the Kudankulam Nuclear Power Plant in Tamil Nadu.According to Reuters, the documents appear to date from 2016 to mid-2025 and include engineering drawings, supplier information, inspection records, meeting minutes and insurance documents related to the construction of Units 3 and 4 at the plant.Reuters reviewed the files but said it could not independently verify their authenticity.The alleged leak came to light after independent cybersecurity researcher Rakesh Krishnan alerted Reuters to the data.How did the breach occur?Investigators believe the attackers did not directly compromise NPCIL's nuclear systems.Instead, the breach appears to have originated from Reliance Infrastructure, which was awarded the engineering, procurement and construction (EPC) contract in 2018 for common infrastructure associated with Kudankulam Units 3 and 4.Reliance Infrastructure said the incident involved a server hosted by third-party data centre provider Yotta Data Services.According to Yotta, suspicious ransomware activity was detected on May 29 and was immediately contained before the ransomware could execute. However, by the end of June, Reliance informed the company that external threat actors were claiming to possess stolen data.Reliance has acknowledged a "partial breach" but has not disclosed exactly what information was accessed. The company said the incident has been reported to the Indian Computer Emergency Response Team (CERT-In), and that Yotta has since implemented enhanced monitoring and additional security controls.What information was reportedly leaked?According to Reuters and cybersecurity researchers, the leaked cache reportedly includes engineering drawings of cooling and ventilation systems, layout plans of a common control room, vendor proposals and supplier lists, equipment review and inspection records, minutes of meetings involving Indian and Russian engineers, and internal insurance documents. Among the latter is a reported USD 112 million terrorism insurance policy covering the under-construction Units 3 and 4.Experts say such information could potentially help attackers map a facility's support infrastructure, identify contractors and suppliers, and understand operational processes.However, there is no evidence that the files contain reactor control software, nuclear fuel management systems or classified reactor design information.What has NPCIL said?NPCIL has strongly rejected suggestions that sensitive nuclear information was compromised.In a statement issued on July 15, the corporation said the documents relate only to the Balance of Plant (BoP) common service facilities associated with Units 3 and 4. In a nuclear power station, the Balance of Plant refers to all supporting infrastructure required for the plant to function, excluding the reactor itself.These facilities include conventional infrastructure used to support plant operations and are comparable to systems found in thermal power stations and other industrial facilities. This can include systems such as cooling water infrastructure, ventilation systems, electrical distribution, buildings and common service facilities and water treatment and other utility networks.NPCIL said these systems are not related to nuclear safety or nuclear security. According to them, the information now circulating online relates only to these conventional engineering documents.While these systems are essential for plant operations, they are distinct from the reactor, nuclear fuel handling systems and other safety-critical components.The corporation explained that, as part of the public tender process, it had shared indicative drawings and technical specifications with bidders. Reliance Infrastructure then prepared detailed engineering drawings, which NPCIL reviewed before approval.NPCIL maintains that the leaked information relates only to these conventional facilities.Even if reactor control systems remain untouched, experts say infrastructure-related documents can still have security implications.According to Nickolas Roth of the Nuclear Threat Initiative, information about suppliers, layouts and support systems could allow adversaries to better understand the plant's ecosystem and identify potential vulnerabilities elsewhere in the supply chain.Modern cyberattacks increasingly target contractors and vendors rather than the primary organisation itself, making third-party security an important part of protecting critical infrastructure.Previous breaches at KudankulamThis is not the first cyber incident involving Kudankulam. In 2019, malware known as Dtrack, later linked by cybersecurity firms to North Korea's Lazarus Group, was detected on an administrative network at the Kudankulam plant.NPCIL initially denied reports of a cyberattack but later confirmed that an administrative computer had been infected.At the time, the corporation said the affected system was isolated from the reactor control network, which operates on a separate, air-gapped system not connected to the internet. It maintained that nuclear operations remained unaffected.What happens next?CERT-In is investigating the incident alongside NPCIL and Reliance Infrastructure to determine how attackers gained access to the contractor's systems and whether additional safeguards are required.The investigation is expected to focus on identifying weaknesses in third-party networks and strengthening cybersecurity standards across the supply chains supporting critical infrastructure projects.For now, there is no evidence that the breach affected the operational or safety systems of the Kudankulam Nuclear Power Plant.