site-logo
site-logo
site-logo

Preliminary Investigation Report: Data Extortion targeting Kudankulam Nuclear Plant engineering documents

Preliminary Investigation Report: Data Extortion targeting Kudankulam Nuclear Plant engineering documents

Preliminary Investigation Report: Data Extortion targeting Kudankulam Nuclear Plant engineering documents

kudankulam Nuclear Power Plant  Cyberattack
author

Prayukth K V

Subject: Ransomware-Based Data Leak of Kudankulam Nuclear Power Plant Construction & Engineering Files

Target Entity: Reliance Group (Contractor) / Kudankulam Nuclear Power Plant (KKNPP) Units 3 and 4

Threat Actor: World Leaks (Rebranded from Hunters International)

Date of Issue: July 15, 2026

In July 2026, the data-extortion group World Leaks published a massive cache of stolen documents on the dark web. The actors claimed the files were exfiltrated from the Indian conglomerate Reliance Group, a key engineering contractor for the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India.

The Kudankulam Nuclear Power Plant (KKNPP) is India's largest nuclear power station, located in the Tirunelveli district of Tamil Nadu. Built in collaboration with Russia. The plant is central to India's clean energy goals and features six Russian-designed VVER-1000 reactors aimed at producing a total of 6,000 MW of electricity. 

Of the approximately 858,000 total files leaked from Reliance Group, over 19,000 files are explicitly related to the Kudankulam nuclear project.  Reliance Group has confirmed that a "partial breach" occurred on a server hosted by third-party data center provider Yotta.

Why this incident matters

Critical infrastructure operators often rely on layered physical security, access controls, operational segregation, and protection of sensitive engineering information. While there is no evidence indicating that operational, active reactor control networks (Operational Technology, or OT) were directly breached, the exposure of high-fidelity engineering blueprints, ventilation layouts, and plant floor designs provides hostile nation-states and sophisticated threat actors with the precise physical and logical maps needed to plan future kinetic or cyber operations.

Breach of the supplier list is a worrying factor. Threat actors and even adversarial nations with geo-political interests can use this information to plan a coordinated supply chain infiltration exercise while gaining sufficient knowledge to figure out critical operational details. Exposure of supplier profiles can put future nuclear plants at risk from supply chain infiltration attempts as well. 

Initial impact assessment

  • OT systems impact: None. Reactor control systems and active operations remain isolated and uncompromised.

  • Data compromised: Over 19,000 files including technical blueprints, floor layouts of a common control room, ventilation and cooling designs, inspection reports, supplier lists, and insurance policies.

  • Affected plant components: Primarily Units 3 and 4 of KKNPP, which are currently under construction and scheduled to become operational by 2027.

  • Financial and operational impact: High reputational damage to the contractor ecosystem, potential delays in the commissioning of Units 3 & 4 due to security re-evaluations, and increased supply-chain vulnerability.

Strategic importance for critical infrastructure

This breach marks a critical shift in how adversaries target highly secured environments. Rather than attempting a direct intrusion into heavily fortified nuclear administrative networks, threat actors chose the path of least resistance: the third-party contractor and cloud data center supply chain. This is why the reconnaissance attacks on critical infrastructure supply chain entities upstream and downstream are growing. Threat actors are probing such infrastructure and facilities to identify entry points.   

This incident proves that a critical facility's perimeter is only as strong as its least-secure contractor's digital repository.

Incident overview


 

Discovery

On May 29, Indian data center provider Yotta detected suspicious activity on a hosted server utilized by Reliance Group. While Yotta reported that the immediate execution of a ransomware payload was successfully prevented, it was later discovered that data exfiltration had already been executed silently prior to the containment of the attack.

Public disclosure

On July 15, 2026, international news agencies (led by Reuters) reported that World Leaks had published the exfiltrated files on its dark web data leak site (DLS). Reliance Group subsequently issued a public statement confirming a "partial breach" of a hosted server, acknowledging that they had notified government authorities, including the Indian Computer Emergency Response Team (CERT-In).

Current investigation status

The investigation is actively being conducted by CERT-In in coordination with the Nuclear Power Corporation of India Limited (NPCIL). The investigation is focusing on:

· identifying the impacted zones and any residual payloads that may still be lurking in any of the networks connected with these zones

· absolute authenticity of the exposed files

· failure of controls that led to the incident  

· evaluating the systemic supply-chain impact,

· implementing defensive countermeasures to secure the physical and digital perimeters of KKNPP Units 3 & 4.

· checking if the threat actor has retained any information beyond what was released

Technical analysis

Nature of the exposed data

The 19,000+ leaked files primarily consist of technical design and construction documentation dated between 2016 and mid-2025. These materials correspond directly to the development of Units 3 and 4. Notably, the leaked files do not contain designs for the primary reactor cores. These are supplied and managed by Russia’s state-owned atomic energy corporation, Rosatom.

Systems impacted

The compromise was strictly isolated to a third-party, offsite enterprise IT cloud environment.

  • Primary victim: Yotta Data Center (Specifically hosting infrastructure leased by Reliance Group/Reliance Infrastructure).

  • Operational Technology (OT) status: There is zero evidence or technical indication of lateral movement into the physical OT network or the Distributed Control Systems (DCS) of KKNPP. The reactor control systems operate on air-gapped networks completely separate from third-party contractor systems.

Categorization of attack

This incident is classified as a third-party supply-chain compromise leveraging single-extortion (data theft and public exposure) tactics. While the threat actor originates from a ransomware background, they bypassed payload encryption in this campaign, focusing entirely on exfiltration and leverage-based extortion.

Relationship: Contractor to nuclear facility

Reliance Infrastructure was awarded a contract in 2018 to design, engineer, and build essential Balance of Plant (BOP) infrastructure for Units 3 and 4. Because BOP systems encompass critical supporting utilities such as secondary cooling loops, backup power generators, and ventilation, the contractor possessed highly detailed physical and engineering schematics of the plant's structural layout.

Threat actor analysis

Profile: World Leaks

The attack has been claimed by World Leaks, an active data extortion collective.

Attribution confidence: High

Threat intelligence analysts track World Leaks as a direct rebrand of Hunters International, a Russian-speaking Ransomware-as-a-Service (RaaS) group that emerged in late 2023. Hunters International was widely believed to have inherited code and infrastructure from the defunct Hive ransomware gang. Following claims of a shutdown in late 2024 due to law enforcement pressure, the group transitioned to an extortion-only model under the "World Leaks" moniker in January 2025.

Known TTPs

  • Initial Access: Primarily opportunistic. Exploits known vulnerabilities in public-facing appliances (such as VPNs, firewalls) or leverages compromised, valid credentials where Multi-Factor Authentication (MFA) is absent or misconfigured.

  • Tooling: Utilizes a custom-built, automated file exfiltration tool (derived from Hunters' "Storage Software" utility) to quickly locate and exfiltrate high-value target files.

  • Evasion: Disguises malicious payloads (such as their signature SharpRhino RAT) within legitimate Nullsoft Scriptable Installers (NSIS) to bypass standard Endpoint Detection and Response (EDR) signatures.

  • Exfiltration: Frequently leverages tools like Rclone and WinSCP to exfiltrate gigabytes of data to actor-controlled cloud storage before issuing extortion demands.

Historical campaigns

World Leaks/Hunters International has targeted major international entities across healthcare, manufacturing, and critical technology. Notably, in June 2026, the group compromised Apple supplier Tata Electronics, leaking 630 GB of schematics and supply chain agreements.

This threat actor has developed a strong interest in Indian conglomerates and networks connected with critical infrastructure here. While the threat actor has released the exfiltrated information, it is possible that it may have information that it may sell to state actors that may misuse this very information.      

Nature of the exposed information

The exposed cache contains document categories that, while not classified as "weapons-grade state secrets," provide immense reconnaissance value to adversaries:

  • Engineering blueprints: Specifically detailing ventilation systems, secondary cooling piping, and structural designs for Units 3 & 4.

  • Physical layouts: Floor plans of the common control room and physical security access points.

  • Vendor ecosystem data: Master lists of suppliers, equipment review logs, and procurement records.

  • Administrative records: Insurance policies, inspection reviews, and internal meeting minutes.

The danger of "non-sensitive" data aggregation

Individually, an insurance policy or a ventilation schematic may seem harmless. However, when compiled, they facilitate Architectural Intelligence (ARCINT) gathering:

The Mosaic Effect: An adversary can overlay ventilation blueprints with control room layouts and vendor lists. This allows them to identify physical vulnerabilities (e.g., where physical security is weak), locate single-point-of-failure equipment, determine which third-party hardware contains exploitable vulnerabilities, and target specific engineers with hyper-realistic spear-phishing campaigns.

MITRE ATT&CK Mapping

The following techniques are mapped based on World Leaks’ established TTPs and the observed technical characteristics of the KKNPP contractor breach:

Tactic

Technique ID

Technique Name

Confidence

Operational Context

Initial Access

T1133

External Remote Services

High

Exploitation of VPNs or RDP servers lacking robust MFA.


T1190

Exploit Public-Facing Application

Medium

Opportunistic exploitation of known edge vulnerabilities.

Execution

T1204.002

User Execution: Malicious File

Medium

Phishing campaigns dropping SharpRhino RAT inside fake installers.

Defense Evasion

T1027

Obfuscated Files or Information

High

Packaging payloads within NSIS installers to bypass EDR.

Discovery

T1083

File and Directory Discovery

High

Automated scanning scripts to target engineering and design documents.

Exfiltration

T1567.002

Exfiltration to Cloud Repository

High

Use of Rclone or custom utilities to push files to dark web staging servers.

Impact

T1490

Inhibit System Recovery

Low

Historically used ransomware payloads, but notably absent in this extortion-only campaign.

 

What this incident does not mean

There is no evidence thus far for

·       reactor safety systems were compromised.

·       manipulation of nuclear processes.

·       malware inside OT.

·       safety instrumented systems being affected.

·       radiation risk.

Critical infrastructure risk analysis

The exfiltration of design files introduces long-term, systemic risks that persist even if all IT networks are successfully remediated:

Physical and cyber attack planning

By analyzing ventilation and physical floor plans, a hostile actor can identify physical entry/exit vectors, blind spots in CCTV coverage, and exact locations of emergency backup generators.

Supply-chain poisoning

As mentioned earlier, exposure of supplier directories and specific component models allows nation-state actors to trace the supply chain. They can compromise a low-tier supplier to inject counterfeit or backdoor-laden hardware/firmware into the plant during the construction phase of Units 3 and 4.

Target profile construction

Exposed meeting documents and inspection reports identify key engineers, security officers, and decision-makers. This information provides the groundwork for highly targeted spear-phishing and social engineering attacks.

How and when this data could be weaponized is a matter of speculation.

Unique and under-discussed findings

Contractors as the soft underbelly of critical infrastructure

Securing a nuclear facility's administrative IT perimeter requires immense investment, resulting in highly fortified systems. Consequently, attackers have pivoted to targeting third-party contractors (engineering firms, construction companies) whose cyber defenses are often significantly weaker, yet who hold identical physical and architectural data.

The high value of "passive" engineering documentation

Unlike active IT databases, engineering blueprints do not change once a facility is built. While an IT password can be changed in 5 minutes, a ventilation system or concrete wall layout cannot be easily altered. Thus, a breach of design documentation has an operational shelf-life of 40 to 60 years (the lifespan of the nuclear plant), providing adversaries with an open-ended strategic advantage.

Construction-phase documentation exposes future operational risks

Because Units 3 and 4 are still under construction, the leaked files reveal the systems before they are fully active. This gives adversaries years to study the schematics, identify design flaws, build digital twins, and develop customized payloads before the reactors even generate their first megawatt of power.

Why Leaks are more damaging than ransomware in nuclear environments

A ransomware attack that encrypts administrative computers causes operational disruption but can be recovered from via backups. A data leak, however, is permanent. Once design plans are in the public domain, they can never be retracted, permanently compromising the physical and logical security posture of the facility.

Intelligence gaps

To maintain strict analytical integrity, the following elements are classified as unknown due to a lack of verified, publicly available forensic data:

  • Initial access vector: It is unconfirmed whether access to the Yotta hosted server was achieved via compromised credentials, a software vulnerability, or an insider threat.

  • Persistence mechanisms: The specific registry modifications or scheduled tasks utilized by the actors to maintain access prior to detection remain undisclosed.

  • Lateral movement: It is unknown whether the threat actors successfully pivoted from the compromised Yotta hosting environment into other Reliance corporate networks.

  • Data exfiltration method: The exact protocol (e.g., HTTPS, SFTP) and specific exfiltration utilities used to siphon the 858,000 files have not been forensically verified.

Indicators of Compromise (IOCs)

No verified, incident-specific IOCs (such as exact malicious file hashes or active C2 IPs) have been publicly released by Yotta, Reliance Group, or CERT-In. However, the following behavioral and generic World Leaks / Hunters International IOCs should be monitored:

Known threat group file signatures

  • SharpRhino RAT Hash (SHA256): 9f8e7d... (Monitor for NSIS installers executing non-standard network calls).

  • Exfiltration Tooling: Unauthorized execution of rclone.exe or winscp.exe towards public cloud providers.

Network Indicators

  • Connections to known Hunters International / World Leaks dark web staging portals.

Sector-specific lessons

Nuclear operators

  • Enforce Zero-Trust Design Access: Treat all contractor-facing design data as highly restricted. Mandate that engineering files are accessed only via secure, monitored virtual desktop infrastructures (VDIs) that restrict downloading or copying files to external drives.

Utilities and power grid

  • Segment Administrative vs. Operational Repositories: Never allow engineering schematics or grid layouts to sit on standard administrative networks or unmonitored third-party cloud shares.

Government agencies and CERTs

  • Establish mandatory contractor audits: Implement strict cyber-hygiene baselines and regular security audits for any private contractor handling critical national infrastructure projects.

Engineering contractors

  • Mandate Strict Access Control: Implement multi-factor authentication (MFA) across all endpoints, especially VPNs and remote access gateways. Restrict folder-level access to sensitive project schematics to only those employees actively assigned to the project.

Detection opportunities

SIEM and Log Analysis

  • Windows Event ID 4624: Monitor for successful logons to remote services (Type 10) originating from non-standard ISP blocks or outside expected business hours.

  • Sysmon Event ID 1 (Process Creation): Detect execution of command-line tools like rclone with parameters containing external cloud storage addresses (e.g., Mega, Dropbox, OneDrive).

Endpoint Detection and Response (EDR)

  • Configure EDR rules to flag or block any execution of administrative utilities (like PowerShell or Command Prompt) spawned by web servers or database processes.

  • Monitor for the creation of unexpected .exe files inside user temp directories (%TEMP% or %APPDATA%), which is typical of NSIS-packaged RATs.

Network and OT monitoring

  • Data exfiltration spikes: Alert on sudden, high-volume outbound data transfers from engineering workstations or document management systems to external IPs.

  • OT network isolation: Conduct regular automated audits of the air-gap separating administrative IT networks from industrial control system (ICS) networks to ensure no dual-homed devices are introduced.

Strategic recommendations

To mitigate the immediate and systemic risks posed by this compromise, organizations should execute the following tiered roadmap:

Immediate Containment (0–48 Hours):Emergency Mitigation.

Audit all third-party access connections. Terminate all active VPN and remote-desktop sessions originating from Reliance Group and associated subcontractors until their endpoints are verified clean. Force password resets for all shared credentials.

Short-Term Remediation (1–4 Weeks):Impact Analysis & Engineering Scans.

Conform an active, forensic cross-match of the 19,000 leaked files to identify the exact systems exposed. Conduct a targeted vulnerability scan of all third-party software and equipment listed in the leaked procurement files to prevent targeted exploitation.

Medium-Term Hardening (1–3 Months):Architectural Defenses.

Redesign or modify sensitive secondary infrastructure where feasible (e.g., altering backup power physical routing or access control protocols) to render the leaked blueprints obsolete. Implement strict Multi-Factor Authentication (MFA) across all contractor portal endpoints.

Long-Term Strategy (3+ Months):Supply-Chain Lifecycle Management.

Incorporate digital rights management (DRM) on all sensitive engineering drawings to track and control who can view, print, or edit them. Establish a continuous threat exposure management (CTEM) framework to regularly audit the cybersecurity posture of all third-party critical infrastructure suppliers.

Confidence assessment

The key assessments in this report are categorized below using CISA/ODNI standards for analytic confidence:

Finding / Assessment

Confidence Rating

Justification

Active OT network compromise at KKNPP

Not observed   

Reactor control networks are air-gapped and historically separate from contractor networks.

World Leaks is a rebrand of Hunters International

High

Shared infrastructure, nearly identical leak site code, exfiltration utilities, and timing of rebranding support this link.

The leak contains valid engineering blueprints of KKNPP Units 3 & 4

Medium

Confirmed by Reliance Group as a "partial breach"; Reuters analysts confirmed authenticity of documentation dated up to 2025.

Exposed data will increase the risk of targeted cyber-reconnaissance

High

Architectural layouts and vendor names provide adversaries with the baseline data needed to engineer highly targeted social engineering and supply-chain attacks.

 
Recomended reading

Deep dive: Tata Electronics cyber incident

What Bajaj Auto and Tata Electronics cyber incidents reveal about manufacturing espionage and extortion

Preparing European critical infrastructure for the next phase of Russian cyber operations

Nihon Kotsu cyber incident: Analysis and investigative report

Securing critical infrastructure operations during geo-political events and beyond



Get Weekly

Resources & News

See How Our Industry-Leading OT Security Solutions Address Critical Security Challenges

You may also like

BG image

Get Started Now

Scale your CPS security posture

Get in touch with our CPS security experts for a free consultation.

BG image

Get Started Now

Scale your CPS security posture

Get in touch with our CPS security experts for a free consultation.

BG image

Get Started Now

Scale your CPS security posture

Get in touch with our CPS security experts for a free consultation.