A significant data leak involving documents related to India's Kudankulam Nuclear Power Plant (KKNPP), a collaboration with Russia's Rosatom and a key part of India's energy security, has exposed vulnerabilities in its digital periphery. The breach, originating from an infrastructure contractor, Reliance Infrastructure, and hosted by Yotta data services, saw 14.3 GB of sensitive data, including engineering blueprints for cooling and ventilation systems, control room layouts, and internal meeting minutes, published on the dark web by the sophisticated ransomware group Worldleaks. While the Nuclear Power Corporation of India Limited (NPCIL) dismissed the leaked information as conventional "balance of plant" data, experts argue that such details could facilitate lateral movement and upstream attacks, potentially bypassing air-gapped safety systems and enabling physical sabotage. This incident highlights the risks associated with outsourcing critical infrastructure development to private entities using commercial cloud services rather than sovereign, hardened environments, underscoring the obsolescence of the "air-gap" defense against supply chain compromises and necessitating a shift towards comprehensive supply-chain resilience and oversight.

A significant data leak involving documents related to India's Kudankulam Nuclear Power Plant (KKNPP), a collaboration with Russia's Rosatom and a key part of India's energy security, has exposed vulnerabilities in its digital periphery. The breach, originating from an infrastructure contractor, Reliance Infrastructure, and hosted by Yotta data services, saw 14.3 GB of sensitive data, including engineering blueprints for cooling and ventilation systems, control room layouts, and internal meeting minutes, published on the dark web by the sophisticated ransomware group Worldleaks. While the Nuclear Power Corporation of India Limited (NPCIL) dismissed the leaked information as conventional "balance of plant" data, experts argue that such details could facilitate lateral movement and upstream attacks, potentially bypassing air-gapped safety systems and enabling physical sabotage. This incident highlights the risks associated with outsourcing critical infrastructure development to private entities using commercial cloud services rather than sovereign, hardened environments, underscoring the obsolescence of the "air-gap" defense against supply chain compromises and necessitating a shift towards comprehensive supply-chain resilience and oversight.

A significant data leak involving documents related to India's Kudankulam Nuclear Power Plant (KKNPP), a collaboration with Russia's Rosatom and a key part of India's energy security, has exposed vulnerabilities in its digital periphery. The breach, originating from an infrastructure contractor, Reliance Infrastructure, and hosted by Yotta data services, saw 14.3 GB of sensitive data, including engineering blueprints for cooling and ventilation systems, control room layouts, and internal meeting minutes, published on the dark web by the sophisticated ransomware group Worldleaks. While the Nuclear Power Corporation of India Limited (NPCIL) dismissed the leaked information as conventional "balance of plant" data, experts argue that such details could facilitate lateral movement and upstream attacks, potentially bypassing air-gapped safety systems and enabling physical sabotage. This incident highlights the risks associated with outsourcing critical infrastructure development to private entities using commercial cloud services rather than sovereign, hardened environments, underscoring the obsolescence of the "air-gap" defense against supply chain compromises and necessitating a shift towards comprehensive supply-chain resilience and oversight.

The Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu is the crown jewel of India’s strategic energy sector. As the nation’s largest nuclear facility, KKNPP is the face of India’s long-term energy security and a centrepiece of the Indo-Russian strategic partnership, with reactor core systems supplied by Russia's state-owned Rosatom. However, the recent data leak, involving the exfiltration of a massive cache of documents belonging to an infrastructure contractor, has exposed a critical vulnerability in the digital periphery of India’s nuclear ecosystem. While the state maintains that the core safety systems remain isolated, this breach demonstrates that the air gap defence is a fallacious security posture when the secondary supply chain remains porous.

It all began on May 29 when Yotta data services detected suspicious activity on a server hosting Reliance Infrastructure data. Yotta claimed to have “prevented" the execution. On June 11,  the World leaks began publishing 14.3 GB of data on the Dark web, proving exfiltration occurred despite Yotta’s supposed prevention measures. Subsequently, by the end of June, Reliance Infrastructure informed Yotta and the government after external actors claimed possession of stolen data. However, Nuclear Power Corporation of India Limited (NPCIL) had rejected the claims of sensitive compromise, characterising leaked data as conventional “balance of plant” information.

Worldleaks is a sophisticated ransomware collective with a history of targeting high-value corporate targets such as Nike and the Tata Group. Their methodology follows a double extortion model—exfiltrating data, demanding high-value ransoms (historically up to $1.5 million), and using public leak sites to weaponise information when demands are ignored. In this instance, the action had actually shifted from corporate extortion to the exposure of strategic infrastructure, signalling a transition from financial crime to potential state-level destabilisation. The discovery of this cache has shifted focus from the facility’s physical gates to the technical pathways used to circumvent its security perimeter.

However, the architecture of the data breach reveals that the technical failure of the exfiltration of data followed a multi-layered path of failure that questions the internal auditing of India’s private data centres. At the first instance, the data was exfiltrated from Reliance Infrastructure, a subsidiary of the Reliance Group and the EPC contractor for the common infrastructure of Units 3 and 4. And then the data resided on servers managed by Yotta. Despite Yotta’s claim that they “terminated” the activity on May 29, the June 11 publication proved that the exfiltration had already been completed or that the termination was ineffective. The gap between Yotta’s “prevention” narrative and the reality of the dark web publication suggests a profound lack of real-time forensic visibility into contractor data flows.

According to experts in the field of nuclear energy, this data breach is a direct consequence of the shift toward private participation in nuclear construction. Legislative amendments to the Atomic Energy Act were intended to accelerate development by integrating private giants like Reliance. However, this expansion of the attack surface was not met with a corresponding upgrade in security mandates. By outsourcing critical infrastructure development to private entities using commercial-grade cloud services, like Yotta, instead of sovereign, military-hardened environments, the state effectively traded security for administrative speed. This means that in modern cyber-warfare, the hardened core of a nuclear facility is rarely the point of entry. Instead, sophisticated actors target the soft underbelly of the supply chain, particularly the third-party contractors and vendors. These entities possess sensitive blueprints and operational data but often operate without the military-grade, air-gapped rigour of the primary operator. The Kudankulam incident, according to experts, is a landmark failure of supply chain oversight, where the compromise of a secondary service provider effectively bypassed the national security perimeter.

The leak comprises 19,000 files (14.3 GB)—the most sensitive subset of a larger 8,58,000 files in the Reliance cache. These documents, spanning nearly a decade (2016–2025), including engineering drawings and technical blueprints for cooling and ventilation systems, complete floor layouts of a common control room, internal minutes of meetings between Indian and Russian (Rosatom) engineers, vendor proposals and lists of approved suppliers for Units 3 and 4.

But the government’s dismissal of BoP documents as conventional ignores the reality of lateral movement risk. Blueprints for ventilation, cooling, and common control rooms allow an adversary to identify physical vulnerabilities that can be used to bypass digital air-gaps. By disrupting a “conventional cooling system,” an attacker, according to experts, can actually induce a core-level crisis without ever touching the reactor's software. Furthermore, identifying the specific suppliers allows for upstream attacks, where hardware or components could be compromised before they ever reach the plant site.

The leak reveals a $112 million terrorism insurance policy for Units 3 and 4. Beyond the financial figure, this revelation informs adversaries of the plant’s perceived risk profile and defensive priorities. It provides a concrete metric for the economic impact of potential sabotage, effectively aiding an adversary’s cost-benefit analysis for future aggression. The scale of this exposure has created a profound rift between the state’s reassurances and the warnings of independent observers.

"The reported information breach in the case of the Kudankulam nuclear plant is a serious matter in view of its strategic implications. NPCIL seems to have issued a clarification to the effect that it is not so serious. However, an independent investigation into the circumstances surrounding the leak, the role of the contractor, Reliance and the security safeguards necessary for all nuclear power plants is called for. India cannot afford to expand its nuclear power generation capacity on a large scale unless it puts in place foolproof security firewalls to prevent hacking,” E.A.S. Sarma, former secretary to the government of India, told The Week.

The Kudankulam incident has also highlighted a tension between the government’s need to project nuclear safety and the reality of infrastructure mapping. This tension is punctuated by a striking legal irony. In May 2026, the Delhi High Court (NPCIL vs. S.P. Uday Kumar) ruled that the plant’s safety analysis report (SAR) was exempt from public disclosure under the RTI Act to protect proprietary reactor design. While the government was legally shielding safety data from its own citizens, it failed to protect equivalent tactical data from ransomware actors.

What next

Experts suggest that the government has to eschew the startling pro-corporate bias. To secure India’s nuclear future, experts also suggest that India must move beyond the air-gap myth toward comprehensive supply-chain sovereignty, introduce sovereign mandates, reassess the $460 million liability gap and introduce mandatory real-time audits.

The Kudankulam breach is a clarion call that nuclear security is only as strong as its weakest contractor. The narrative that safety-critical systems are protected because they are not internet-facing is obsolete in an age where the blueprints of the plant’s life-support systems are available on the dark web. India must transition to a model of supply chain resilience, ensuring that the erosion of nuclear sovereignty through outsourcing is halted before a digital leak becomes a physical catastrophe.