


Prayukth K V
Subject: Ransomware-Based Data Leak of Kudankulam Nuclear Power Plant Construction & Engineering Files
Target Entity: Reliance Group (Contractor) / Kudankulam Nuclear Power Plant (KKNPP) Units 3 and 4
Threat Actor: World Leaks (Rebranded from Hunters International)
Date of Issue: July 15, 2026
In July 2026, the data-extortion group World Leaks published a massive cache of stolen documents on the dark web. The actors claimed the files were exfiltrated from the Indian conglomerate Reliance Group, a key engineering contractor for the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India.
The Kudankulam Nuclear Power Plant (KKNPP) is India's largest nuclear power station, located in the Tirunelveli district of Tamil Nadu. Built in collaboration with Russia. The plant is central to India's clean energy goals and features six Russian-designed VVER-1000 reactors aimed at producing a total of 6,000 MW of electricity.
Of the approximately 858,000 total files leaked from Reliance Group, over 19,000 files are explicitly related to the Kudankulam nuclear project. Reliance Group has confirmed that a "partial breach" occurred on a server hosted by third-party data center provider Yotta.
Why this incident matters
Critical infrastructure operators often rely on layered physical security, access controls, operational segregation, and protection of sensitive engineering information. While there is no evidence indicating that operational, active reactor control networks (Operational Technology, or OT) were directly breached, the exposure of high-fidelity engineering blueprints, ventilation layouts, and plant floor designs provides hostile nation-states and sophisticated threat actors with the precise physical and logical maps needed to plan future kinetic or cyber operations.
Breach of the supplier list is a worrying factor. Threat actors and even adversarial nations with geo-political interests can use this information to plan a coordinated supply chain infiltration exercise while gaining sufficient knowledge to figure out critical operational details. Exposure of supplier profiles can put future nuclear plants at risk from supply chain infiltration attempts as well.
Initial impact assessment
OT systems impact: None. Reactor control systems and active operations remain isolated and uncompromised.
Data compromised: Over 19,000 files including technical blueprints, floor layouts of a common control room, ventilation and cooling designs, inspection reports, supplier lists, and insurance policies.
Affected plant components: Primarily Units 3 and 4 of KKNPP, which are currently under construction and scheduled to become operational by 2027.
Financial and operational impact: High reputational damage to the contractor ecosystem, potential delays in the commissioning of Units 3 & 4 due to security re-evaluations, and increased supply-chain vulnerability.
Strategic importance for critical infrastructure
This breach marks a critical shift in how adversaries target highly secured environments. Rather than attempting a direct intrusion into heavily fortified nuclear administrative networks, threat actors chose the path of least resistance: the third-party contractor and cloud data center supply chain. This is why the reconnaissance attacks on critical infrastructure supply chain entities upstream and downstream are growing. Threat actors are probing such infrastructure and facilities to identify entry points.
This incident proves that a critical facility's perimeter is only as strong as its least-secure contractor's digital repository.
Incident overview

Discovery
On May 29, Indian data center provider Yotta detected suspicious activity on a hosted server utilized by Reliance Group. While Yotta reported that the immediate execution of a ransomware payload was successfully prevented, it was later discovered that data exfiltration had already been executed silently prior to the containment of the attack.
Public disclosure
On July 15, 2026, international news agencies (led by Reuters) reported that World Leaks had published the exfiltrated files on its dark web data leak site (DLS). Reliance Group subsequently issued a public statement confirming a "partial breach" of a hosted server, acknowledging that they had notified government authorities, including the Indian Computer Emergency Response Team (CERT-In).
Current investigation status
The investigation is actively being conducted by CERT-In in coordination with the Nuclear Power Corporation of India Limited (NPCIL). The investigation is focusing on:
· identifying the impacted zones and any residual payloads that may still be lurking in any of the networks connected with these zones
· absolute authenticity of the exposed files
· failure of controls that led to the incident
· evaluating the systemic supply-chain impact,
· implementing defensive countermeasures to secure the physical and digital perimeters of KKNPP Units 3 & 4.
· checking if the threat actor has retained any information beyond what was released
Technical analysis
Nature of the exposed data
The 19,000+ leaked files primarily consist of technical design and construction documentation dated between 2016 and mid-2025. These materials correspond directly to the development of Units 3 and 4. Notably, the leaked files do not contain designs for the primary reactor cores. These are supplied and managed by Russia’s state-owned atomic energy corporation, Rosatom.
Systems impacted
The compromise was strictly isolated to a third-party, offsite enterprise IT cloud environment.
Primary victim: Yotta Data Center (Specifically hosting infrastructure leased by Reliance Group/Reliance Infrastructure).
Operational Technology (OT) status: There is zero evidence or technical indication of lateral movement into the physical OT network or the Distributed Control Systems (DCS) of KKNPP. The reactor control systems operate on air-gapped networks completely separate from third-party contractor systems.
Categorization of attack
This incident is classified as a third-party supply-chain compromise leveraging single-extortion (data theft and public exposure) tactics. While the threat actor originates from a ransomware background, they bypassed payload encryption in this campaign, focusing entirely on exfiltration and leverage-based extortion.
Relationship: Contractor to nuclear facility
Reliance Infrastructure was awarded a contract in 2018 to design, engineer, and build essential Balance of Plant (BOP) infrastructure for Units 3 and 4. Because BOP systems encompass critical supporting utilities such as secondary cooling loops, backup power generators, and ventilation, the contractor possessed highly detailed physical and engineering schematics of the plant's structural layout.
Threat actor analysis
Profile: World Leaks
The attack has been claimed by World Leaks, an active data extortion collective.
Attribution confidence: High
Threat intelligence analysts track World Leaks as a direct rebrand of Hunters International, a Russian-speaking Ransomware-as-a-Service (RaaS) group that emerged in late 2023. Hunters International was widely believed to have inherited code and infrastructure from the defunct Hive ransomware gang. Following claims of a shutdown in late 2024 due to law enforcement pressure, the group transitioned to an extortion-only model under the "World Leaks" moniker in January 2025.
Known TTPs
Initial Access: Primarily opportunistic. Exploits known vulnerabilities in public-facing appliances (such as VPNs, firewalls) or leverages compromised, valid credentials where Multi-Factor Authentication (MFA) is absent or misconfigured.
Tooling: Utilizes a custom-built, automated file exfiltration tool (derived from Hunters' "Storage Software" utility) to quickly locate and exfiltrate high-value target files.
Evasion: Disguises malicious payloads (such as their signature SharpRhino RAT) within legitimate Nullsoft Scriptable Installers (NSIS) to bypass standard Endpoint Detection and Response (EDR) signatures.
Exfiltration: Frequently leverages tools like Rclone and WinSCP to exfiltrate gigabytes of data to actor-controlled cloud storage before issuing extortion demands.
Historical campaigns
World Leaks/Hunters International has targeted major international entities across healthcare, manufacturing, and critical technology. Notably, in June 2026, the group compromised Apple supplier Tata Electronics, leaking 630 GB of schematics and supply chain agreements.
This threat actor has developed a strong interest in Indian conglomerates and networks connected with critical infrastructure here. While the threat actor has released the exfiltrated information, it is possible that it may have information that it may sell to state actors that may misuse this very information.
Nature of the exposed information
The exposed cache contains document categories that, while not classified as "weapons-grade state secrets," provide immense reconnaissance value to adversaries:
Engineering blueprints: Specifically detailing ventilation systems, secondary cooling piping, and structural designs for Units 3 & 4.
Physical layouts: Floor plans of the common control room and physical security access points.
Vendor ecosystem data: Master lists of suppliers, equipment review logs, and procurement records.
Administrative records: Insurance policies, inspection reviews, and internal meeting minutes.
The danger of "non-sensitive" data aggregation
Individually, an insurance policy or a ventilation schematic may seem harmless. However, when compiled, they facilitate Architectural Intelligence (ARCINT) gathering:
The Mosaic Effect: An adversary can overlay ventilation blueprints with control room layouts and vendor lists. This allows them to identify physical vulnerabilities (e.g., where physical security is weak), locate single-point-of-failure equipment, determine which third-party hardware contains exploitable vulnerabilities, and target specific engineers with hyper-realistic spear-phishing campaigns.
MITRE ATT&CK Mapping
The following techniques are mapped based on World Leaks’ established TTPs and the observed technical characteristics of the KKNPP contractor breach:
Tactic | Technique ID | Technique Name | Confidence | Operational Context |
Initial Access | T1133 | External Remote Services | High | Exploitation of VPNs or RDP servers lacking robust MFA. |
T1190 | Exploit Public-Facing Application | Medium | Opportunistic exploitation of known edge vulnerabilities. | |
Execution | T1204.002 | User Execution: Malicious File | Medium | Phishing campaigns dropping SharpRhino RAT inside fake installers. |
Defense Evasion | T1027 | Obfuscated Files or Information | High | Packaging payloads within NSIS installers to bypass EDR. |
Discovery | T1083 | File and Directory Discovery | High | Automated scanning scripts to target engineering and design documents. |
Exfiltration | T1567.002 | Exfiltration to Cloud Repository | High | Use of Rclone or custom utilities to push files to dark web staging servers. |
Impact | T1490 | Inhibit System Recovery | Low | Historically used ransomware payloads, but notably absent in this extortion-only campaign. |
What this incident does not mean
There is no evidence thus far for
· reactor safety systems were compromised.
· manipulation of nuclear processes.
· malware inside OT.
· safety instrumented systems being affected.
· radiation risk.
Critical infrastructure risk analysis
The exfiltration of design files introduces long-term, systemic risks that persist even if all IT networks are successfully remediated:
Physical and cyber attack planning
By analyzing ventilation and physical floor plans, a hostile actor can identify physical entry/exit vectors, blind spots in CCTV coverage, and exact locations of emergency backup generators.
Supply-chain poisoning
As mentioned earlier, exposure of supplier directories and specific component models allows nation-state actors to trace the supply chain. They can compromise a low-tier supplier to inject counterfeit or backdoor-laden hardware/firmware into the plant during the construction phase of Units 3 and 4.
Target profile construction
Exposed meeting documents and inspection reports identify key engineers, security officers, and decision-makers. This information provides the groundwork for highly targeted spear-phishing and social engineering attacks.
How and when this data could be weaponized is a matter of speculation.
Unique and under-discussed findings
Contractors as the soft underbelly of critical infrastructure
Securing a nuclear facility's administrative IT perimeter requires immense investment, resulting in highly fortified systems. Consequently, attackers have pivoted to targeting third-party contractors (engineering firms, construction companies) whose cyber defenses are often significantly weaker, yet who hold identical physical and architectural data.
The high value of "passive" engineering documentation
Unlike active IT databases, engineering blueprints do not change once a facility is built. While an IT password can be changed in 5 minutes, a ventilation system or concrete wall layout cannot be easily altered. Thus, a breach of design documentation has an operational shelf-life of 40 to 60 years (the lifespan of the nuclear plant), providing adversaries with an open-ended strategic advantage.
Construction-phase documentation exposes future operational risks
Because Units 3 and 4 are still under construction, the leaked files reveal the systems before they are fully active. This gives adversaries years to study the schematics, identify design flaws, build digital twins, and develop customized payloads before the reactors even generate their first megawatt of power.
Why Leaks are more damaging than ransomware in nuclear environments
A ransomware attack that encrypts administrative computers causes operational disruption but can be recovered from via backups. A data leak, however, is permanent. Once design plans are in the public domain, they can never be retracted, permanently compromising the physical and logical security posture of the facility.
Intelligence gaps
To maintain strict analytical integrity, the following elements are classified as unknown due to a lack of verified, publicly available forensic data:
Initial access vector: It is unconfirmed whether access to the Yotta hosted server was achieved via compromised credentials, a software vulnerability, or an insider threat.
Persistence mechanisms: The specific registry modifications or scheduled tasks utilized by the actors to maintain access prior to detection remain undisclosed.
Lateral movement: It is unknown whether the threat actors successfully pivoted from the compromised Yotta hosting environment into other Reliance corporate networks.
Data exfiltration method: The exact protocol (e.g., HTTPS, SFTP) and specific exfiltration utilities used to siphon the 858,000 files have not been forensically verified.
Indicators of Compromise (IOCs)
No verified, incident-specific IOCs (such as exact malicious file hashes or active C2 IPs) have been publicly released by Yotta, Reliance Group, or CERT-In. However, the following behavioral and generic World Leaks / Hunters International IOCs should be monitored:
Known threat group file signatures
SharpRhino RAT Hash (SHA256): 9f8e7d... (Monitor for NSIS installers executing non-standard network calls).
Exfiltration Tooling: Unauthorized execution of rclone.exe or winscp.exe towards public cloud providers.
Network Indicators
Connections to known Hunters International / World Leaks dark web staging portals.
Sector-specific lessons
Nuclear operators
Enforce Zero-Trust Design Access: Treat all contractor-facing design data as highly restricted. Mandate that engineering files are accessed only via secure, monitored virtual desktop infrastructures (VDIs) that restrict downloading or copying files to external drives.
Utilities and power grid
Segment Administrative vs. Operational Repositories: Never allow engineering schematics or grid layouts to sit on standard administrative networks or unmonitored third-party cloud shares.
Government agencies and CERTs
Establish mandatory contractor audits: Implement strict cyber-hygiene baselines and regular security audits for any private contractor handling critical national infrastructure projects.
Engineering contractors
Mandate Strict Access Control: Implement multi-factor authentication (MFA) across all endpoints, especially VPNs and remote access gateways. Restrict folder-level access to sensitive project schematics to only those employees actively assigned to the project.
Detection opportunities
SIEM and Log Analysis
Windows Event ID 4624: Monitor for successful logons to remote services (Type 10) originating from non-standard ISP blocks or outside expected business hours.
Sysmon Event ID 1 (Process Creation): Detect execution of command-line tools like rclone with parameters containing external cloud storage addresses (e.g., Mega, Dropbox, OneDrive).
Endpoint Detection and Response (EDR)
Configure EDR rules to flag or block any execution of administrative utilities (like PowerShell or Command Prompt) spawned by web servers or database processes.
Monitor for the creation of unexpected .exe files inside user temp directories (%TEMP% or %APPDATA%), which is typical of NSIS-packaged RATs.
Network and OT monitoring
Data exfiltration spikes: Alert on sudden, high-volume outbound data transfers from engineering workstations or document management systems to external IPs.
OT network isolation: Conduct regular automated audits of the air-gap separating administrative IT networks from industrial control system (ICS) networks to ensure no dual-homed devices are introduced.
Strategic recommendations
To mitigate the immediate and systemic risks posed by this compromise, organizations should execute the following tiered roadmap:
Immediate Containment (0–48 Hours):Emergency Mitigation.
Audit all third-party access connections. Terminate all active VPN and remote-desktop sessions originating from Reliance Group and associated subcontractors until their endpoints are verified clean. Force password resets for all shared credentials.
Short-Term Remediation (1–4 Weeks):Impact Analysis & Engineering Scans.
Conform an active, forensic cross-match of the 19,000 leaked files to identify the exact systems exposed. Conduct a targeted vulnerability scan of all third-party software and equipment listed in the leaked procurement files to prevent targeted exploitation.
Medium-Term Hardening (1–3 Months):Architectural Defenses.
Redesign or modify sensitive secondary infrastructure where feasible (e.g., altering backup power physical routing or access control protocols) to render the leaked blueprints obsolete. Implement strict Multi-Factor Authentication (MFA) across all contractor portal endpoints.
Long-Term Strategy (3+ Months):Supply-Chain Lifecycle Management.
Incorporate digital rights management (DRM) on all sensitive engineering drawings to track and control who can view, print, or edit them. Establish a continuous threat exposure management (CTEM) framework to regularly audit the cybersecurity posture of all third-party critical infrastructure suppliers.
Confidence assessment
The key assessments in this report are categorized below using CISA/ODNI standards for analytic confidence:
Finding / Assessment | Confidence Rating | Justification |
Active OT network compromise at KKNPP | Not observed | Reactor control networks are air-gapped and historically separate from contractor networks. |
World Leaks is a rebrand of Hunters International | High | Shared infrastructure, nearly identical leak site code, exfiltration utilities, and timing of rebranding support this link. |
The leak contains valid engineering blueprints of KKNPP Units 3 & 4 | Medium | Confirmed by Reliance Group as a "partial breach"; Reuters analysts confirmed authenticity of documentation dated up to 2025. |
Exposed data will increase the risk of targeted cyber-reconnaissance | High | Architectural layouts and vendor names provide adversaries with the baseline data needed to engineer highly targeted social engineering and supply-chain attacks. |
Recomended reading
Deep dive: Tata Electronics cyber incident
Preparing European critical infrastructure for the next phase of Russian cyber operations
Nihon Kotsu cyber incident: Analysis and investigative report
Securing critical infrastructure operations during geo-political events and beyond
Get Weekly
Resources & News
See How Our Industry-Leading OT Security Solutions Address Critical Security Challenges
You may also like

Key Components of a Cyber Physical System Explained

Team Shieldworkz

Preparing European critical infrastructure for the next phase of Russian cyber operations

Prayukth K V

Nihon Kotsu cyber incident: Analysis and investigative report

Prayukth K V

Understanding the operational and cybersecurity risks of AI integration in Industrial Control Systems

Prayukth K V

OT Network Detection and Response for Industrial Security

Team Shieldworkz

NIS2 Requirements for Critical Infrastructure

Team Shieldworkz

