Files Related to India's Largest Nuclear Plant Exposed in Data Breach
- CVE ID
- N/A
- CVSS Score
- N/A
- Affected Products
- Kudankulam Nuclear Power Plant, Reliance Group, Yotta Data Center
Overview
The World Leaks ransomware group, previously known as Hunters International, has claimed responsibility for a significant data breach impacting India’s Kudankulam Nuclear Power Plant. The group published a large cache of files on the dark web, which they allege contain sensitive information related to the plant. The exposed data reportedly includes blueprints of plant facilities, details on suppliers, inspection records, and insurance documents for Units 3 and 4, which are currently under construction. This information, dated from 2016 to mid-2025, was drawn from a broader cache of over 858,000 files stolen from Reliance Group, a contractor for the plant, via a server managed by third-party data-centre provider Yotta. Reliance Group has acknowledged a “partial breach” of its data on a server hosted by Yotta and has informed the government.
Technical Details
The attack vector used to compromise the Reliance Group’s data, ultimately leading to the exposure of files related to the Kudankulam Nuclear Power Plant, has not been fully disclosed. However, the World Leaks group, like its predecessor Hunters International, typically employs a mix of tactics including exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials from infostealers and phishing campaigns, and at times resorting to brute force or misconfiguration-based access to gain initial footholds. Once inside the targeted network, the primary objective is usually data exfiltration, focusing on employee records, databases, backups, and sensitive documents for later sale or public leak to substantiate their claims. The 858,000 files stolen from Reliance Group, hosted on a Yotta data center server, indicate a substantial compromise of network perimeter or internal systems. While the specific methods for this incident are under investigation, the pattern of compromise often involves a blend of social engineering and technical exploitation. The reported exfiltration of a vast quantity of data suggests a prolonged presence within the compromised network or highly effective data extraction tools.
Real-World Impact
The exposure of files related to a critical national infrastructure asset like the Kudankulam Nuclear Power Plant carries severe implications. While reactor core systems supplied by Rosatom do not appear to be included in the leak, the presence of blueprints, supplier details, inspection records, and insurance documents could provide valuable intelligence to hostile state-sponsored actors, industrial competitors, or terrorist groups. Such information could be leveraged for future targeted attacks, sabotage attempts, or to identify supply chain vulnerabilities. For Reliance Group, the breach represents a significant reputational and financial blow, alongside potential contractual repercussions with government entities. The incident also highlights the systemic risk posed by third-party vendor compromises, where a weakness in one entity’s security posture can directly impact the security of a critical partner. The disruption extends beyond just data exposure, potentially forcing a reassessment of security protocols and vendor relationships for such sensitive operations.
Threat Landscape
The World Leaks group operates within a highly active and aggressive ransomware and extortion landscape. Their tactic of exfiltrating data and then threatening to publish it (or publishing it) to pressure victims into paying a ransom is a common, effective strategy employed by many sophisticated cybercriminal organizations. The targeting of critical infrastructure, even through a contractor, underscores the expanding scope of these groups beyond purely financial gain, extending to disruption and geopolitical leverage. The reliance on tactics such as exploiting vulnerabilities, phishing, and stolen credentials for initial access is consistent with observed trends, where human factors and unpatched systems remain primary entry points. The group’s history of substantiating claims with verifiable technical artifacts indicates a credible and persistent threat actor. This incident serves as a stark reminder that all entities within the supply chain of critical infrastructure, regardless of their direct operational role, are potential targets and must maintain robust cybersecurity defenses.
Remediation
For organizations involved in critical infrastructure, remediation efforts must be comprehensive and swift. Reliance Group and Yotta must conduct a thorough forensic investigation to identify the root cause of the breach, the full extent of compromised data, and any lingering access points for the threat actor. All affected systems should be isolated, patched, and hardened. Enhanced monitoring for anomalous activity is crucial. For individuals or entities whose data was potentially exposed, vigilance against phishing attempts and identity theft is paramount. All contractual agreements with third-party vendors, especially those handling sensitive data for critical infrastructure, should be immediately reviewed to ensure stringent security requirements and audit clauses are in place. Implementing a robust Zero Trust architecture, strengthening multi-factor authentication (MFA) across all systems, and conducting regular security audits and penetration testing (especially for third-party integrations) are essential preventative measures to mitigate similar risks in the future. Furthermore, comprehensive employee cybersecurity training focused on recognizing phishing and social engineering tactics is vital to prevent initial compromise via credential theft.
Related content
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call