Tags:

KUDANKULAM NUCLEAR POWER PLANT LEAK: AN ACCIDENTAL DISCLOSURE

NOTE: This article is being drafted after the initial submission to a Media House — Reuters and an Interview with Member of Parliament (MP) board. Hence, some of the data would be concealed due to Security Concerns.

INTRODUCTION

When a Data Leak happens, it not only affects the intended party, but indirectly also affects other vendors/parties who has direct ties to the affected Organization. 

This article focuses on one such accidental disclosure which happened to the most important Nuclear Facility in our Country — Kudankulam Nuclear Power Plant (KNPP) located in Tamil Nadu. 

Nuclear Power Plant Data Leak | Representation

KUDANKULAM NUCLEAR POWER PLANT was affected as victim when Reliance Infra (RPOWER) got hit by a Ransomware Group called “WORLDLEAKS”.

NOTE: KKNP generates massive amounts of electricity by harnessing nuclear fission. Operating at a current capacity of 2,000 MW, it is undergoing an expansion to eventually reach 6,000 MW to meet regional and national energy demands. Currently, Units 1 and 2 are fully operational, each producing 1,000 MW of power. Four additional units (Units 3, 4, 5, and 6) are in various stages of construction in collaboration with Russia’s state corporation Rosatom. The Plant runs on Low Enriched Uranium (LEU), which is imported directly from Russia.

Though NPCIL has stated that Reactor Systems and Nuclear Security were not affected, here we are going to discuss the possibilities of Exploitation with the available data breach. 

HOW IT BEGAN?

A well-known popular Ransomware Group named “WORLDLEAKS” who is the spin-off of Hunters International (former Ransomware Group), another variant of Hive Ransomware Group; had announced Reliance Infrastructure as a Victim on their Data Leak Site (DLS) on 11th June, 2026. 

WORLDLEAKS DLS Website listing Reliance Group

After the countdown timer which is set for about 2 days, the group leaked the entire database of RINFRA on their Data Leak Site (DLS). 

NOTE: It’s interesting to note that the Ransomware Group listed their Stock Market Ticker RPOWER (NSE) to maximise the impact

Once the leak became public (on Dark Web), I began to inspect the dataset and found KKNP folder while exploring the leaked set. 

As I already know about KKNP earlier (from a 2019 Hack Incident), it quickly grabbed my attention. Though the data is 1.2TB, narrowing down the KKNP dataset consists of 18,997 files, totalling at 14.3GB data. 

KKNP Records

However, based on the usual suspect checklist, it can be estimated that the network might have got compromised using any exposed RDP Access, Phishing or Fortinet Exploit. 

NOTE: Reached out to Yotta, but not receieved any response as of now

The attackers might have had access for few days to weeks based on the Network bandwidth and exfiltrated the whole data using RustyRocket — An inhouse Exfiltration tool used by the group (found by Accenture). An average connection speed of 50–100Mbps would take 4–6 days exclusively for Exfiltration. This could also vary based on the Network Bandwidth and Connectivity

SCOPE OF DATA LEAK

Analyzing the breach, found following set of categories:-

➼Financial Records between Reliance Infra and NPCL
➼Tender Documents
➼Mechanical Records like Chiller Building, Compressor Building, Engineering Utilities
➼Equipment Layout Drawing
➼Service Bills
➼Vendor Records
➼Employee Data
➼Technical Specifications — like RFC Drawings, 
➼Email Records
➼Internal Conflicts — Unavailability of Products which is useful for Competitors

Running a quick scan, we can see the following findings:-

Highest Security Risk Files (Still the Top Concerns)

These remain the greatest risks because they contain technical/operational details:

  1. RFC Drawings & Layouts (highest priority)

➼KKNPP- Signed Copy of RFC Drawings for 00UCS, 00UGC, 00USV, 00UTF & 02UGD…
➼KKNPP- Signed Copy of RFC Drawings for 00UTP
➼_ KKNP 3&4 _ USV- ELECTRICAL EQUIPMENT LAYOUT…
➼Compressor/Chiller building cable routing, earthing layouts, etc. (multiple {In Archive} entries)

2. PPS / Security-Related

➼06.11.2024_KKNPP-RInfra — Reminder for PPS fencing design finalization (Physical Protection System fencing — directly security-critical)
➼KKNPP_PSS_R1 (and dated versions)
➼Head Security KKNP

3. Reactor & Critical System Mentions

➼KKNP Reactor Building Tender
➼HVAC tender specs + ventilation/air conditioning for packages (multiple)
➼NPCIL KKNPP 3&4 Transformer Rectifier Seismic categorization
➼N2, Fire, H2-O2 hookup materials
➼Fire protection, extinguisher layouts, external hydrant

4. Other Technical Drawings/Specs

➼Compressor building equipment layout & cable/pipe trench details
➼GA drawings, duct drawings, cable trays, motor data sheets
➼Sea water system, overhead piping TORs/specs

Medium Risk

➼Monthly Progress Reports (large .eml with attachments)
➼Tender documents, BOQs, QAPs, approved sub-vendor lists
➼Seismic, lighting, KKS coding, health physics ducting

Other artifacts such as:-

➼Air Handling Unit by Zero Aircon
Kruger as its contractor for supply of Centrifugal Fans for the NPCIL KKNPP
Ercon Composites for GRP Cable Tray

In short, primarily BOP/Common Services — not reactor core. But Detailed Layouts of utility buildings, Cable Routings, Fire/HVAC specs for Utility/Control Buildings, PPS fencing, and seismic categorizations are actionable for physical/cyber planning.

They could reveal:

➼Access points and physical protection weaknesses
➼Critical system locations (compressors, chillers, electrical)
➼Design details exploitable for physical or cyber threats
➼Firmware Issues can be exploited

NOTE: As more Electrical/Mechanical Appliances are getting smarter, it’s natural to get it controlled via direct commands (remotely) over the network, which could pose a serious risk, if gets compromised. 

DATA LEAK SNAPSHOTS

Here by sharing some of the data leak snaptshot records found in the leak.

NPCL Payment Receipt to Reliance Infra
Guarantee Amount of Reliance Infra for the KKNP Project
KKNP 3 & 4 Approval Sheet
Delay Analysis | Internal Document
PPS Fencing Issue quoted
Toolset: Payment History
RFC Drawing: Approved List
Floor Plan
Internal Communication
Info about Security Head in KKNP
Reactor Building: Procurement List
Consolidated BOQ

VENDOR SECURITY — STILL A MATTER

The Data Leak of KKNP is primarily is attributed to a 3rd Party Vendor named “Yotta”. 

It came to the limelight as Reliance Infra did not get affected directly. However, Yotta hosts Reliance Server; confirmed that a Suspicious Activity spotted on May 29, 2026 which aligns with the Data Leak Announcement Date by the Ransomware Group (which is confirmed by Reuters).

YOTTA cleared intense regulatory audit from the U.S. Securities and Exchange Commission (SEC) in November 2025. 

NOTE: Clearing Auditory Check from the US SEC (Securities and Exchange Commission) is considered as a White-List as no other security issues were detected and a clean-chit is provided; however we have seen what had happened

The background check of Vendors should be thoroughly done when dealing with National Security like NPCIL’s KKNP

A routine check-up on the services running, timely patching of Vulnerabilities, Network Isolation of Critical Infrastructure should be treated on High Priority. Even after taking care of complex check-ups, there is a human element which paves the way to Network Compromise like Phishing, AI Vishing, Fake Document Generation (AI), Supply Chain Attacks, GitHub Compromises, Fake Interviews by DPRK or potential enemy etc.

NOTE: While checking the Reliance Breach, other 2 identified parties are RRPCL (Ranolia Road Carriers Pvt. Ltd) and Enovia  — A French multinational software corporation which is mostly used in R&D centers in India

INDUSTRIAL ESPIONAGE

It is no secret that the Industrial Control Systems (ICS) and Operational Technologies (OT) are commonly being targeted by State Sponsored Attackers like Lazarus (North Korea) for espionage purposes. 

This is a routine-long standing covert operations which are not generally public, but common among Threat Researchers (who reports Foreign Nation Campaigns). 

State Sponsored Espionage Campaigns

North Korea 🇰🇵: More opportunistic and financially motivated espionage to directly support weapons programs (nuclear, missiles). Shorter dwell times but aggressive data theft.

China 🇨🇳: Long-term, strategic pre-positioning (“access now, disrupt later if needed”). Broader scope across global supply chains and infrastructure.

All these operations are carried out most commonly using Phishing — When you open an enticing offer on your email which ultimately compromises your system without your knowledge. 

NOTE: Training employees with Phishing Workshop doesn’t work as Humans need to apply logic before the next move, when they see a promising oppertunity

CYBER SABOTAGE

Apart from Nation-Sponsored Espionage, there are attempts by Attackers to knock out/disrupt the Industrial Control Systems over the years. 

Some of the notable incidents are listed here:-

State Sponsored Sabotage Campaigns

Most of these attacks are driven by:-

➼Phishing/Social Engineering
➼Supply Chain Compromises
➼Exploiting Internet-Facing Applications
➼KVE (Known Vulnerability Exploitation)
➼Insider Trade
➼File-less Malwares

EXTERNAL FACTOR FOR AN ATTACKER

Getting hold of these documents alone is not a direct threat to any Nuclear Facility, however understanding and mapping the right technology would reap meaningful information.

DATA -> LOGIC -> INFORMATION

So, in short these documents would be useful for Industrial Espionage for the interested Nations/Groups. 

But it will only pose a potential danger when the Internal Network of any Nuclear facility gets compromised. As a result the attackers would know the capacity of the plant and how far they can go to supersede their existing toolkit (if they plan to).

In this case, if an attacker maps the vendors (which is internally used in the KKNP) as I mentioned earlier, it would be easier for attackers to know the System Internals without any Direct Intrusion. This would be more fruitful to design such facilities in their home country (like North Korea as they are cut out from rest of the world). 

Once the data is released on Dark Web, it would be available for whoever is accessing it. But yes, as it’s not available on surface web, the security risk is minimal. 

INSIDER TRADING — YOUR ENEMY IS WITHIN

Here, we are not talking about Trade Market, but about Organizational Credentials. 

Insider Trading of Confidential Information (like Username/Password) in exchange of whopping amount (in BTC/Cryptocurrency) is one of the rising threat on Dark Web. So a person with highest security level clearance could list his/her credentials on Dark Web, posing as a Trader in exchange for Money. 

Again, on various underground forums, such data selling (Admin Credentials) is being keenly watched by Nation-Sponsored/Large Ransomware Groups for a more opportunistic profit. 

Example of Data Trade | Credit: Outpost

This can be used not only by Foreign Agents, but Competitors will come into the picture. 

NOTE: While analyzing the file list, I found an interesting document titled “GO — NO GO”which defines the checklist approval

Now, imagine a Use Case where a competitor is trying to get the tender of KKNP hardly for a longer time. This internal document would help to know the internal Vetting procedure conducted by officials before agreeing to a Vendor and seal the deal later. 

WORLDLEAKS: A PROMINENT GROUP

IDENTITY: This Group initially appeared in May 2025 after the exit of Hunters International who bid goodbye by offering free Decryption Keys in July 2025. Hunters International itself is a spin-off of another popular group named “HIVE”.

NOTE: The Hive ransomware network was permanently shut down on January 26, 2023, by a coordinated international law enforcement operation led by the US Department of Justice (DOJ) and Europol

So by checking the timeline, we can assume the group had already begun their spin-off before retiring the previous program. 

VICTIM GEOGRAPHY: So far, the group had infected 173 Victims from 29 Countries, majorly targeting the US (91)and UK (10). 

VICTIM SECTOR: This group is ruthless, as they mostly target Healthsector Industry with 31 as highest, followed by Manufacturing (25) and Business Services (24)

TOOL USED: The group had used in-house Data Exfiltration tool called “RustyRocket” which is created on 23rd April 2025 (as per signature). This is disguised as Windows Application with file-named as “winhost.exe”.

MD5: bcdc36ad84372cf65cda72a3332bacd3

There are 14 Samples uncovered by Accenture for same tool, SHA-256 Samples are listed as:-

  • 587d343b3d9e1201ba5a8fdd7a3a3f809052aa7dfba3f7c557189ef63a999f08
  • 961b6184447ab4cb76295ea2f324e227aff459d0e68849c46c49ecdf641e2551
  • 36255601ca5d6882d34c0d53a5a816ef0b979828038f9caf5f1a2afdfcffc329
  • 67b487ddd924e078144bb9e2c48fe8b7924221f1e55c3f2df67d65daa3415fd4
  • 6034d6aa9a13378be6cd611cb5495b50eb7dc8463ef435e3b6d8c68a57e9b8e1
  • 5b9017e700d3dd26e18043fb6e041241c704bcc08608a9f5898212dc7e722198
  • e7ad1b1974e8f04949936545d1297c4e3b1334a9da0ae31ab1d508174197bbce
  • 98dc0cd6290566866f3b1682335c680b9bbdb1020fc52e47315fd33eb9fa221e
  • 8b37116210f70e7768c736d657fcc143a1f009c9a69194ccc338d6e8dedb3c07
  • 88553c3e3df81a66927480fd1029d577c7805c0dd20114807a6f41b50a230e96
  • 041dca4a1d8c80f05c399dd750acf026ed5f94f1da08dc4f0f0d0ba9884916ff
  • 63150c955be4158c9b9e111de114daa59a4ffd1eab92a469c1f09dce84a698c6
  • a30609489c111decdd3f8693cff016d9a8f629a0d85fdac858add7698f9b2659
  • 180a40b7758b9b053f7f3f41511275f94b01eee88dd9b93edf003a607ee655a0

All the Windows Samples are sized between 3.20MB and 3.39MB from January 2025

The group also makes use of Linux Builds to target cross-platform victims. Here are the SHA-256 Samples of RustyRocket (Linux):-

  • d92377d14dc2c3cd818fcf3a37343ec30a3495b9ba2eedaa2d41b698ee159b08 
  • c5ffa5ac08f0feba11d767d1b2d8b096b729e90cc2874e0c8f624a5a68466131

Both these Linux builds are found in February 2026 and are sized at 2–3MB.

NEGOTIATION TIMELINE: Upon checking the previous Ransom Note of this group, it is found that the group provides 7 days time before publishing the data. However, we spotted a shift now, which got reduced to 2 days after the initial announcement in the DLS.

SAMPLE UNAVAILABLE: As the active Encyrptor sample is not available (at the moment), it would be difficult to understand the inner working.

DATA STORAGE: The group is more active in exfiltrating large dataset, it is important to note that the Hosting Server of this group is massive and the group is possibly subscribed to larger Hosting Plan, as more vicitm’s data are also hosted on the same network. 

CONCLUSION

As Data is the new oil in today’s world, more and more groups would come forward looking for the weaknesses. The same data could be packaged in near future by another group to gain traction. 

Sometimes, you don’t even need to have an active encryptor, just like the case of Kairos Group who got paid by a US Government Entity about $1 Million which I found recently.

Leave a Reply

Discover more from THE RAVEN FILE

Subscribe now to keep reading and get access to the full archive.

Continue reading