Ransomware Group Leaks 19,000 Files From India's Largest Nuclear Plant Contractor
Ransomware group World Leaks has published roughly 19,000 files linked to India's largest nuclear power plant, including purported blueprints and supplier records from a key contractor, in the second cyber incident tied to the facility since 2019.

Nuclear power plant control room representing a critical infrastructure data breach
A ransomware group has published nearly 19,000 files connected to the Kudankulam Nuclear Power Plant, the largest of India's seven nuclear facilities, in a breach that a leading nuclear security expert has called a serious risk to plant safety.
What was exposed
Reliance Infrastructure, part of Anil Ambani's Reliance Group and a contractor that won a 2018 deal to design and build infrastructure for the plant's Units 3 and 4, confirmed a partial breach of its data hosted on a server operated by third party provider Yotta. Yotta says it detected suspicious activity on 29 May, halted a suspected ransomware execution at the time, and only learned in late June that external attackers were claiming to have stolen data regardless.
The ransomware group World Leaks, previously linked to attacks on Nike and India's Tata Group, has since posted around 19,000 files totalling 14.3 gigabytes matching the search term KKNP, the plant's acronym, as part of a larger leak of 858,000 Reliance files. The documents, dated between 2016 and mid 2025, reportedly include partial blueprints, meeting and inspection records, equipment reviews, supplier details, and insurance policies. Reactor core systems, supplied separately by Russia's state-owned Rosatom, do not appear to be represented in the leaked material.
Why this matters beyond one contractor
Nickolas Roth, senior director at the Nuclear Threat Initiative, said the breach could pose a serious risk to plant safety, since documents of this kind could show an adversary not just who has access to a nuclear project but which systems that access reaches. This is also not the first cyber incident tied to Kudankulam specifically. In 2019, malware associated with a North Korean hacking group was found on the plant's administrative network, though operators said at the time that core systems were unaffected.
A pattern GCC operators should watch closely
This breach fits directly into the operational technology exposure we detailed in our OT and ICS security research for the GCC, where contractor and supply chain access, not the core reactor systems themselves, is consistently the weakest point in critical infrastructure security. As nuclear power moves onto the regional agenda, including ambitions in Saudi Arabia and existing operational capacity in the UAE, contractor and third party data governance deserves the same scrutiny as the physical facility itself. Our recent coverage of how AI is reshaping cyber risk for GCC energy operators makes a related point directly: the pressure to patch and secure critical infrastructure environments is intensifying faster than most organisational readiness is improving.
The broader Indian breach landscape
India ranks third globally for data breaches, with 28.9 million accounts compromised last year according to cybersecurity company Surfshark. A separate report from the Data Security Council of India and Seqrite found that 73% of surveyed Indian organisations did not know whether they had ever been attacked, and 57% lacked basic cyber hygiene practices. Regional operators evaluating suppliers and contractors with Indian operations should treat that context as directly relevant due diligence, not background colour.
What to do
For any organisation managing contractor and third party access to critical infrastructure, this incident is a reminder that data governance obligations extend well past the primary operator's own network boundary. Reviewing what design documentation, inspection records, and access details contractors hold, and under what security posture, is a practical first step, alongside the kind of structured incident response planning we covered in our guide to the first 72 hours of a breach in the GCC. India's Computer Emergency Response Team, CERT-In, is investigating the incident alongside the Nuclear Power Corporation of India.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.