cybersecurity
Nobody Hacked the Reactor
India's largest nuclear plant made global headlines this month when 19,000 sensitive files hit the dark web. Here is the part nobody put in the headline: the reactor was never touched, the attack was boring, and that is exactly why you should pay attention.
If you read one headline about the Kudankulam breach this month, you probably came away thinking someone kicked in the door of a nuclear reactor. They did not. That version is scarier and less true than what actually happened, which is worth understanding, because the real version is coming to a company near you.
Here is the short version. A ransomware crew called World Leaks dumped about 19,000 files, roughly 14 GB, onto the dark web. The files relate to Units 3 and 4 at the Kudankulam Nuclear Power Plant in Tamil Nadu, both still under construction. Blueprints of ventilation and cooling systems. Floor plans of a shared control room. Supplier lists. Inspection records. Insurance paperwork. Some of it dates back to 2016.
Now the part that got buried. None of it came from the reactor.
The air-gap held. The filing cabinet didn't.
Think of a nuclear plant like a bank. The vault is the reactor core and its control systems. In this case those designs belong to Russia's Rosatom, they sit on networks physically cut off from the internet, and they were not part of the leak. The vault held. It did its job.
What leaked was the equivalent of the bank's facilities binder. The HVAC drawings. The floor plan. The list of who supplied the locks and who inspected them last. Not the money, but a detailed map of the building around the money.
And that binder was not even inside the bank. It was a copy, sitting at a contractor. Reliance Infrastructure won the 2018 contract to build out Units 3 and 4, so Reliance had legitimate copies of all these documents. Reliance stored them on a server hosted by a third-party data center company called Yotta. Yotta noticed something wrong on May 29. By then the files were already gone, and they went public on June 11.
So trace the path of a single blueprint. It starts at the plant. It gets copied to a contractor who needs it to do the work. The contractor parks it at a data center vendor. An attacker walks into the data center vendor. Four organizations, three handoffs, and the document is on the open internet. The plant did everything right and still lost.
That is the whole lesson, and it has nothing to do with reactors.
How they actually got in (spoiler: it was boring)
Everyone wants a breach at a nuclear facility to involve some genius zero-day and a hooded figure in a basement. World Leaks does not work that way, and they almost never have to.
World Leaks is a rebrand of Hunters International, which was itself built on the bones of the old Hive gang. Sometime in early 2025 they made a business decision: stop encrypting files, just steal them and threaten to publish. Encryption is loud and law enforcement was catching up. Pure theft is quiet, leaves less evidence, and the long-term pain of leaked secrets is often worse for the victim than a few locked servers they can restore from backup.
Their signature move is embarrassingly simple. They find a VPN or a remote-access login with no multi-factor authentication, they get a valid username and password (bought, phished, or reused from some other breach), and they log in. Not break in. Log in. Once inside, they use tools that already live on the network so nothing looks out of place, they find the good stuff, and they quietly copy it out.
Same crew, same playbook, hit Tata Electronics just last month and walked off with iPhone and Tesla supply-chain data. They asked for 1.5 million dollars, got ignored, and published. This is a business, and it runs on your worst password hygiene.
"But was it AI?"
This is the question everyone asks now, so let me be straight with you, because pretending otherwise is exactly the kind of thing I write about.
There is no evidence AI was used to pull off the Kudankulam breach. None. This was stolen credentials and a missing MFA prompt. If anything, the honest headline is "nuclear plant contractor breached by a weak login," which does not exactly trend.
But do not exhale yet, because the AI story here is real. It is just one layer up. Across the ransomware economy, crews are wiring AI into the parts around the break-in. Writing cleaner phishing lures at scale. Sorting through stolen data to find the valuable 19,000 files inside a haystack of 858,000. Running the extortion negotiation. Security researchers have been tracking this shift all year.
So the accurate way to think about it is this. AI did not make this attack possible. AI is making this exact kind of attack cheaper, faster, and doable by people who could not have done it before. The breach was boring. The trend behind it is not. When the boring attack gets automated, you get a lot more of it.
What actually stops this
None of the fixes are exotic. They are just unglamorous, which is why they get skipped.
Turn on MFA everywhere, especially the boring stuff. The single most common way this specific crew gets in is a remote login with no second factor. A VPN without MFA in 2026 is an unlocked door with a "please rob me" sign on it. This is the highest-leverage item on the list and it is basically free.
Own your vendors' security, in writing. The plant did not leak. Its contractor's data center did. If your sensitive data lives at a third party, their weakest control is now your weakest control. That means real security requirements in the contract, proof they are met, and the right to check. "We assumed they had it handled" is not a strategy.
Stop hoarding. Some of these files were nine years old. Ask why a 2016 blueprint was still sitting on a live, reachable server in 2026. Data you deleted cannot leak. Retention limits and moving old records offline shrink the blast radius before anything goes wrong.
Encrypt data at rest and segment your networks. The reactor survived because it was walled off. Apply the same instinct to everything else. If an attacker gets one login, they should land in a small room, not the whole building. And stolen files that are properly encrypted are a lot less useful on a dark web forum.
Assume you will be breached and rehearse it. Yotta spotted the intrusion, which is good, but the files were already gone. Speed is everything. The gap between "something is wrong" and "we contained it" is measured in hours, and you do not want to be writing the plan while the clock runs.
Where this is heading
Three things are true at once, and they point the same direction.
The extortion-only model is winning. Stealing and threatening to publish is quieter and often more profitable than locking files, so more crews are copying it. That means the threat you are defending against is data leaving, not systems freezing, and a lot of tools are still tuned for the wrong one.
AI is lowering the floor. The skill you needed to run a competent data-theft-and-extortion operation is dropping, because the tedious parts are getting automated. Expect more attacks, run by less capable people, at higher speed.
And critical infrastructure is squarely in scope. Power, water, transport, anything with contractors and construction and decades of accumulated documents. The reactor cores may be air-gapped. The sprawling human and paperwork perimeter around them is not, and that perimeter is where this fight is actually being fought.
The uncomfortable takeaway from Kudankulam is not that a nuclear plant is fragile. It is that the plant was strong, and it lost anyway, because your security is only as good as the least careful company holding a copy of your secrets. Most organizations have no real idea how many copies of their secrets are out there, or who is holding them.
That is the question worth sitting with. Not "could someone hack our reactor." The reactor is probably fine. The question is: where are all the copies, and who is watching the ones we forgot about?