Full Report
Ransomware group World Leaks has posted on the dark web a huge cache of files related to India’s largest nuclear plant, including purported blueprints of parts of its facilities and supplier details — information it labelled as coming from Reliance Group. The Kudankulam Nuclear Power Plant, located in the southern state of Tamil Nadu, is…
Analysis Summary
# Incident Report: World Leaks Ransomware Breach of Kudankulam Nuclear Power Plant Data
## Executive Summary
The World Leaks ransomware group exfiltrated and published a massive cache of sensitive data relating to the Kudankulam Nuclear Power Plant (KKNPP), India’s largest nuclear facility. The breach occurred via a third-party compromise of the Reliance Group, a major contractor for the plant, through their servers hosted by a managed service provider. The leaked information includes critical facility blueprints and supplier details, posing a significant national security risk.
## Incident Details
- **Discovery Date:** July 15, 2026 (Public disclosure/leak)
- **Incident Date:** July 15, 2026 (Reported)
- **Affected Organization:** Reliance Group (Contractor) / Kudankulam Nuclear Power Plant (KKNPP)
- **Sector:** Energy / Nuclear Critical Infrastructure
- **Geography:** Tamil Nadu, India
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to July 15, 2026)
- **Vector:** Third-party/Supply Chain compromise.
- **Details:** Attackers gained access to a Reliance Group server hosted by the Indian data center service provider **Yotta**.
### Lateral Movement
- Details on internal movement within the Yotta/Reliance environment are not publicly disclosed; however, the group successfully accessed sensitive file repositories containing high-level nuclear facility data.
### Data Exfiltration/Impact
- **Leak Date:** July 15, 2026.
- **Details:** World Leaks posted a "huge cache" of files on the dark web. This included purported blueprints of nuclear facility parts and confidential supplier details.
### Detection & Response
- **Detection:** Discovered when the World Leaks group posted the data on their dark web leak site.
- **Response Actions:** Reliance Group confirmed a "partial breach" and officially informed the Indian government regarding the incident.
## Attack Methodology
- **Initial Access:** Exploitation of third-party infrastructure (Yotta Data Services).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Target identification of contractors (Reliance Group) to reach ultimate targets (KKNPP).
- **Lateral Movement:** Not disclosed.
- **Collection:** Gathering of technical blueprints and procurement/supplier documentation.
- **Exfiltration:** Data posted to a dark web leak site.
- **Impact:** Data breach and potential compromise of critical infrastructure physical security.
## Impact Assessment
- **Financial:** Undisclosed; potential breach of contract and remediation costs.
- **Data Breach:** High volume; includes technical blueprints of nuclear facilities and supplier lists.
- **Operational:** No reported disruption to power plant operations, but a significant compromise of sensitive architectural data.
- **Reputational:** Significant; impacts the perceived security of India's largest nuclear plant and its private contractors.
## Indicators of Compromise
- **Network indicators:** None currently public.
- **File indicators:** Data cache labelled as "Reliance Group" data on World Leaks onion site.
- **Behavioral indicators:** Large-scale outbound data transfer from Yotta-hosted servers to unknown external nodes.
## Response Actions
- **Containment measures:** Reliance Group acknowledged the breach of the specific server involved.
- **Eradication steps:** Ongoing investigation into the Yotta data center environment.
- **Recovery actions:** Notification of government authorities and national security agencies.
## Lessons Learned
- **Supply Chain Vulnerability:** Even if the nuclear plant's internal network (OT) is air-gapped, sensitive data is often held by contractors who may have weaker security postures.
- **Third-Party Risk:** Reliance on third-party data center providers (Yotta) introduces additional attack surfaces that are outside the primary organization's direct control.
## Recommendations
- **Vendor Risk Management:** Implement stricter cybersecurity audits and compliance requirements for contractors handling sensitive infrastructure data.
- **Data Encryption:** Ensure that sensitive blueprints and documents are encrypted at rest on third-party servers.
- **Zero Trust Architecture:** Implement granular access controls on contractor-hosted environments to prevent a "partial breach" from exposing high-value datasets.