From engineering drawings and plant layouts to HR records, inspection emails, and internal project documents, a massive cache of files stolen by the ransomware group World Leaks, a global "extortion as a service" platform, has raised fresh cybersecurity concerns around India's largest civil nuclear power project, the Kudankulam Nuclear Power Plant (KKNPP).
India Today's analysis found that the ransomware group leaked an archive containing 858,253 files with a combined size of 1.20 TB. More than 514 GB, over 42 per cent of the archive, was directly or indirectly linked to the Kudankulam Nuclear Power Project.

advertisement
While the Nuclear Power Corporation of India Limited (NPCIL) has acknowledged that the leaked data is linked to one of its contractors, Reliance Infrastructure Ltd., it has maintained that no nuclear safety or security-related systems have been compromised. According to the corporation, "the exposed material pertains only to conventional Balance of Plant (BoP) common service facilities and does not affect reactor safety or security."
To independently assess the scale of the breach and verify the nature of the exposed material, India Today's Open Source Intelligence (OSINT) team analysed the dataset published by the ransomware group. The analysis involved systematically reviewing hundreds of documents, mapping the directory structure, and categorising files by project relevance and document type.
Our review found two top-level directories, RCS and Server, which together contain 858,253 files organised across 282 directories, with a combined size of 1.20 terabytes (1,231.40 GB). At the first directory level, the RCS directory contains two clearly identifiable folders, KNPP and KNPP Project, comprising 17,248 files, while the Server directory does not contain any KNPP-named folders at this level.

However, the KNPP-related material extends far beyond these top-level folders. Across multiple nested directories, in some cases reaching seven or eight levels deep, we identified project-specific files and subfolders linked to the Kudankulam Nuclear Power Project. Many are explicitly named KNPP or KNPP Project, while others are identifiable through project references, contractor names, engineering documentation, technical drawings, correspondence, and project execution records. Overall, about 18% of the archive, or 221.91 GB, consists of files that explicitly contain references to KNPP, NPCIL, or related project keywords. The broader figure of more than 42% includes these files as well as records found inside project-linked repositories, employee folders, contractor directories, and enterprise systems that may not mention KNPP in their filenames but are directly or indirectly associated with the project.
Together, these records span nearly every stage of the plant's planning, construction and execution.
The remaining data, excluding the 514 GB linked to the KNPP, appears to relate to other Reliance Infrastructure projects. This includes documents associated with metro rail projects, thermal power plants, tunnel construction, and a broad range of other infrastructure projects, indicating that the leaked archive spans the company's wider project portfolio.
HOW IS THE LEAKED DATA ORGANISED?
The reviewed dataset is not organised as a single project repository. Instead, project records are dispersed across multiple directory structures.
advertisement
Folders labelled Enovia contain enterprise-wide engineering, finance, quality assurance, project management and employee-related records. Directories named KNPP primarily house technical drawings, engineering designs, equipment specifications and tender documents, while KNPP Project folders contain structured project execution records covering civil works, control and instrumentation (C&I), heating, ventilation and air conditioning (HVAC) systems, and project management documentation.
In addition, several user number-based directories appear to function as individual employee workspaces containing handover records, internal correspondence, and copies of project files.
WHAT LIES INSIDE THE FILES ?
To understand the content of the leak, we systematically reviewed hundreds of documents from across the identified Kudankulam project directories. The analysis involved manually inspecting individual files, examining their contents, and classifying them by document type and function rather than relying solely on folder names or filenames. The categories were then quantified based on the volume and nature of data they contained.

The leaked archive broadly contained study materials, theoretical schematics and equipment drawings, which were grouped under the Design category. Employee records, Aadhaar documents, and other personnel-related information were classified as HR material and so on. Based on the nature and content of the files, India Today identified seven broad categories: HR, Design, Mails, Handover, Tender & Bills, Layout, and Others.
advertisement
The review found that employee and HR related records constituted the largest category of exposed material, accounting for 250 GB, or 49 per cent, of the analysed data. Engineering design records formed the second largest category, comprising 180 GB, or about 35 per cent of the reviewed archive, followed by emails and internal correspondence, which accounted for 49 GB, or 9.6 per cent of the analysed data.
The leaked material spans nearly every stage of the plant's construction and operations, including engineering drawings, plant layouts, equipment specifications, technical studies, procurement and tender documents, inspection reports, invoices, contractor and vendor records, project handover files, and extensive internal correspondence. Procurement-related records, including tenders and bills, account for 5 GB of the analysed data, while project handover documents total 11 GB and plant layout documents comprise another 2 GB.
The archive also contains human resources records and personally identifiable information (PII), including Aadhaar details and signatures of individuals associated with the project.
Several directories contain detailed project execution records relating to the construction of Kudankulam Units 3 and 4, covering civil works, control and instrumentation (C&I), heating, ventilation and air conditioning (HVAC) systems, along with associated engineering studies.
advertisement
The reviewed archive also includes reports on plant water systems, approved supplier and vendor records, equipment reviews, inspection findings, and numerous documents marked "Confidential" or "Protected", together providing a detailed picture of the plant's engineering, procurement, project execution and administrative processes.
A review of emails exchanged between contractors and individuals associated with the power plant indicated that some communications were confidential and discussed components and equipment at KNPP that required technical attention. We also found that several people named in the emails had past or present professional links to KNPP or Reliance Infrastructure.
WHAT DOES THE ANALYSIS SUGGEST?
India Today’s review found that while many of the leaked documents appeared routine or “conventional”, as NPCIL has maintained, the archive also contained information that should not ordinarily be available in the public domain. This included layouts, technical designs, equipment specifications, schematics, internal correspondence and personnel records.
None of the documents examined by India Today showed a direct link to “nuclear safety or nuclear security systems”, broadly aligning with NPCIL’s statement. However, technical material of this nature could still pose a risk if accessed, combined or misused by malicious actors. Emails and records identifying researchers, employees, contractors and others associated with KNPP also contained sensitive and confidential information.
advertisement
However, the absence of nuclear safety-related information does not necessarily diminish the significance of the breach.
The exposed archive provides detailed insight into the plant's engineering processes, supporting infrastructure, contractors, suppliers, and administrative operations. While it does not appear to reveal critical reactor safety systems, the collection of engineering layouts, procurement records, contractor documentation, internal correspondence, and employee-related information could provide valuable intelligence for reconnaissance, supply chain mapping, or targeted cyber operations.
"They could show an adversary not just who has access to the project but which systems that access reaches," Nickolas Roth, Senior Director of the Nuclear Materials Security Program at the Washington-based Nuclear Threat Initiative (NTI), told Reuters.
However, concerns surrounding the exposure of engineering and administrative records are not new.
Following the 2019 cyber incident at Kudankulam, an issue brief published by Manohar Parrikar Institute for Defence Studies and Analyses (MP-IDSA) observed that even administrative networks can contain employee information, procurement records, engineering documentation and internal communications that may be exploited for targeted phishing, credential theft or reconnaissance before more sophisticated cyber operations.
The brief noted that while "such records may not directly expose reactor systems, they can help build a detailed picture of an organisation's personnel, infrastructure and supply chain, making them valuable for follow-on cyber operations."
While the available evidence supports NPCIL's assertion that reactor safety systems were not exposed, the scale and diversity of the leaked records underscore how engineering, administrative and supply chain data can themselves become valuable targets in cyber espionage and ransomware campaigns.
WHY IS THE LEAK CRITICAL?
KKNPP in Tamil Nadu is India's largest nuclear power project. Operated by NPCIL and built in cooperation with Russia, the plant currently has two operational nuclear reactors with a combined capacity of 2,000 MW. Four more reactors are under construction, which will increase the site's total generating capacity to 6,000 MW.
As one of India's most critical pieces of energy infrastructure, any cyber incident or large-scale data exposure involving the project carries significance beyond routine cybersecurity concerns. Recent geopolitical conflicts and events, including the wars in Ukraine and Iran, as well as the capture of Venezuelan President Nicols Maduro by the US military, have shown that critical infrastructure, particularly the power sector, can become a target during periods of geopolitical tension.
During the early stages of the Russia-Ukraine war, power sector infrastructure was repeatedly targeted through cyber operations, demonstrating how digital attacks can accompany military conflict. India has also faced similar concerns. During the Galwan clash in 2020, there was a rise in suspected China-linked cyber activity targeting Indian critical infrastructure, including the power sector. Hence, the concern is broader: data leaked today could be exploited by a state actor during a future conflict, which may benefit from the vulnerabilities or the data exposed.
– Ends
With inputs from Shekhar Pratyush
Published By:
bidisha saha
Published On:
Jul 17, 2026 17:28 IST