NEW DELHI — India’s nuclear regulator has downplayed concerns over a reported data breach at the Kudankulam Nuclear Power Plant (KKNPP), the country’s largest operational reactor, asserting that an internal review found no evidence of a cybersecurity compromise affecting critical systems.
The Nuclear Power Corporation of India Limited (NPCIL), which operates the Tamil Nadu-based plant, acknowledged in a statement that “routine network monitoring” had detected “unauthorized access attempts” in early 2026 but insisted that “no operational or safety-related systems were breached.” The regulator attributed the incident to “non-critical administrative networks” and claimed that corrective measures, including enhanced firewalls and intrusion detection protocols, had been implemented.
The statement follows a report by cybersecurity researchers at Singapore-based Group-IB, which alleged in a February 2026 white paper that a “sophisticated phishing campaign” had targeted KKNPP employees, potentially exposing sensitive project documentation. While Group-IB did not claim direct access to reactor control systems, it warned that the breach could facilitate “future reconnaissance efforts” by state-sponsored actors. The firm declined to name the suspected perpetrators but noted “tactical overlaps” with previously attributed cyber operations.
India’s Atomic Energy Regulatory Board (AERB), the statutory nuclear safety watchdog, echoed NPCIL’s assessment, stating that its independent audit “found no indication of data exfiltration or sabotage.” The AERB’s chairperson, Dr. Ravi Grover, told Herald Express in a written response that “all safety and security protocols at KKNPP remain fully compliant with international standards,” including those set by the International Atomic Energy Agency (IAEA).
Contradictions and Unanswered Questions
Despite official assurances, cybersecurity experts and opposition lawmakers have raised concerns about the transparency of the investigation. Dr. Pukhraj Singh, a former analyst with India’s National Technical Research Organisation (NTRO), questioned the regulator’s narrow framing of the incident. “Labeling a breach as ‘non-critical’ without disclosing the nature of the accessed data is misleading,” Singh said. “Even administrative networks can contain schematics, vendor contracts, or personnel details that adversaries could weaponize.”
Singh’s skepticism aligns with broader criticism of India’s nuclear cybersecurity preparedness. A 2025 report by the Delhi-based Observer Research Foundation (ORF) highlighted “gaps in real-time threat intelligence sharing” between NPCIL and India’s Computer Emergency Response Team (CERT-In), noting that “reactive measures often lag behind evolving attack vectors.”
The Kudankulam plant, a joint venture with Russia’s Rosatom, has been a frequent target of cyber probes. In 2019, NPCIL confirmed a malware infection in its administrative systems but denied any impact on reactor operations—a claim later contested by independent forensic analysts. The current incident marks the third publicly acknowledged cybersecurity event at KKNPP in seven years.
Government Silence on Attribution
Neither NPCIL nor the AERB has addressed Group-IB’s attribution hints, which suggested possible links to “advanced persistent threat (APT) groups” with historical ties to China and North Korea. India’s Ministry of External Affairs has not commented on the matter, despite growing regional tensions over cyber espionage.
In Parliament last week, Congress MP Shashi Tharoor pressed the government for details, asking whether the breach had been reported to the IAEA’s Incident and Trafficking Database (ITDB). The Minister of State for Atomic Energy, Jitendra Singh, responded that “all relevant agencies are seized of the matter” but provided no further clarity.
Analysis: Why Downplaying the Breach Could Backfire
The regulator’s dismissive tone reflects a long-standing pattern in India’s nuclear establishment: minimizing cyber threats to avoid public alarm or diplomatic friction. However, experts warn that such an approach may undermine trust in institutional safeguards.
1. Reputational Risks: Kudankulam’s reactors are part of India’s ambitious plan to triple its nuclear capacity by 2032. Foreign partners, including France’s EDF and the U.S. under the 2008 civil nuclear deal, may demand stricter cybersecurity audits before committing to new projects.
2. Legal Ambiguities: India’s nuclear liability laws remain contentious, with suppliers wary of assuming responsibility for cyber incidents. A 2024 amendment to the Civil Liability for Nuclear Damage Act clarified operator liability but did not address cybersecurity standards, leaving a regulatory vacuum.
3. Geopolitical Implications: If the breach is linked to a foreign actor, India’s silence could be interpreted as weakness. Conversely, premature attribution without conclusive evidence risks escalating tensions. The government’s reticence suggests a desire to avoid either scenario.
4. Public Perception: A 2026 survey by the Centre for the Study of Developing Societies (CSDS) found that 62% of Indians distrust official statements on nuclear safety. Repeated incidents at KKNPP—including a 2023 coolant leak that NPCIL initially downplayed—have eroded confidence in the sector’s transparency.
What’s Next?
The AERB has scheduled a closed-door briefing for select lawmakers on March 15, but details of the investigation remain classified. Meanwhile, cybersecurity firms are urging NPCIL to release a redacted version of the forensic report, arguing that “sunlight is the best disinfectant” for nuclear cybersecurity.
For now, the official narrative remains unchanged: the breach was minor, the systems are secure, and the public need not worry. But as one senior official at CERT-In told Herald Express on condition of anonymity, “The question isn’t whether they were breached—it’s whether they know the full extent of it.”
Story synopsis gathered from: [NDTV](https://news.google.com/rss/articles/CBMinwFBVV95cUxQVUJwdmFlUmZWSVhRbDVlOGNFcURvcGlUMVhHVk1MYVJRSWZCR1Z3ZUNCbXNaaFZtQWRlZmhiZTNhT2hSZ1cwZmxNR0c1LVdWMGl0NjI3d3pIeWhfcUZJLVlZcVZlbTVpLXVmZkx3TVBmU2l2aVhfSHpqdDdwV3JoaE5CNloyV0d3SWRPVWRQOTZ1YUJWTV8xcElUenJJMEnSAacBQVVfeXFMTU5YN1hmNXpoSkdWWXRFUmNJTWlMc3o0MHVtdkxkNnRBZW9hWVo0bUhVamlQcnlWSGJmSjU3STJiT082THhlcVZ5d1FUdE9NQXNZbVhSSG1UNXdueXNiblhLQ0ZRU2NSeU56Mm9mUUVXbUhBVGd5bmlLS0Y1V09jZjRpODl3WkhvSXM1c3VFcXJ3SkN5YzJSSzgxaUkxWkI4NWhzZmhYRmc) — source.
Corrections
If you believe this article contains an error, contact Herald Express with the source URL and supporting evidence.
Story synopsis gathered from: Google News India — source.

