NPCIL says Kudankulam leak claims do not involve nuclear systems
The Nuclear Power Corporation of India Limited (NPCIL) has clarified that reports relating to an alleged data breach involving documents connected to Kudankulam Nuclear Power Project (KKNPP) Units 3 and 4 pertain only to conventional Balance of Plant (BoP) common service facilities and do not involve any nuclear safety or security-related systems.
The clarification follows media reports regarding the publication of files allegedly linked to the project on the dark web.
NPCIL’s clarification
NPCIL stated that the Engineering, Procurement and Construction (EPC) contract for the Common Services–BoP package for KKNPP Units 3 and 4 was awarded to Reliance Infrastructure Limited in 2018 through a public tender process.
According to the company, the scope of work covers the engineering, procurement, construction and commissioning of common service facilities of a conventional nature. NPCIL noted that these systems are comparable to those found in thermal power plants and other process industries.
As part of the tendering process, NPCIL had shared indicative drawings and technical specifications with prospective bidders. Based on these documents, the EPC contractor developed detailed engineering drawings in consultation with Original Equipment Manufacturers (OEMs), which were subsequently reviewed and accepted by NPCIL.
The company emphasized that the documents referenced in media reports are unrelated to nuclear reactor systems or any nuclear safety and security infrastructure.
Media reports
According to Reuters, ransomware group World Leaks has claimed to have published a cache of files allegedly linked to KKNPP Units 3 and 4 on the dark web.
The report stated that the files formed part of a larger dataset comprising around 858,000 documents that the group claims to have obtained from the Reliance Group. Of these, nearly 19,000 files were reportedly associated with the Kudankulam project.
Reuters reported that the documents included vendor proposals, inspection records, equipment photographs, purported drawings of ventilation and cooling systems for Units 3 and 4, and a floor layout of a common control room. However, Reuters noted that it was unable to independently verify the authenticity of the files.
Responses from stakeholders
Reliance Infrastructure informed Reuters that a “partial breach” had occurred on a server hosted by Yotta Data Services Private Limited and that the incident had been reported to the government.
Yotta Data Services stated that it detected suspicious activity on May 29, 2026, and immediately terminated the activity before any suspected ransomware execution could take place.
The company further stated that Reliance Infrastructure informed it in late June about claims made by external threat actors regarding a data breach. Yotta added that it has not independently verified these claims and is cooperating with the ongoing investigation.
Reuters also reported, citing a source familiar with the matter, that NPCIL has been in contact with Reliance Infrastructure and that the Indian Computer Emergency Response Team (CERT-In) is examining the incident.
Project status
KKNPP Units 3 and 4, each with a capacity of 1,000 MW, are currently under construction and are expected to become operational by 2027. The reactor systems for the units are being supplied by Russia’s state-owned Rosatom.
This is the second cyber-related incident associated with the Kudankulam facility. In 2019, malware linked to a North Korean hacking group was detected on the plant’s administrative network. NPCIL had stated at the time that the incident did not affect any operational systems.
NPCIL’s latest clarification reiterates that the documents referenced in the current reports relate exclusively to conventional infrastructure and have no bearing on the nuclear safety or security architecture of the Kudankulam project.
