Sellafield nuclear site hacked by groups linked to Russia and China

Malware may still be present and potential effects have been covered up by staff, investigation reveals

Anna Isaac and Alex Lawson, 4 Dec 23, https://www.theguardian.com/business/2023/dec/04/sellafield-nuclear-site-hacked-groups-russia-china

The UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal.

The astonishing disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site, the investigation has found.

The Guardian has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015, when experts realised sleeper malware – software that can lurk and be used to spy or attack systems – had been embedded in Sellafield’s computer networks.

It is still not known if the malware has been eradicated. It may mean some of Sellafield’s most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised.

Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.

The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years, sources said.

The revelations have emerged in Nuclear Leaks, a year-long Guardian investigation into cyber hacking, radioactive contamination and toxic workplace culture at Sellafield.

The site has the largest store of plutonium on the planet and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.

Guarded by armed police, it also holds emergency planning documents to be used should the UK come under foreign attack or face disaster. Built more than 70 years ago and formerly known as Windscale, it made plutonium for nuclear weapons during the cold war and has taken in radioactive waste from other countries, including Italy and Sweden.

The Guardian can also disclose that Sellafield, which has more than 11,000 staff, was last year placed into a form of “special measures” for consistent failings on cybersecurity, according to sources at the Office for Nuclear Regulation (ONR) and the security services.

The watchdog is also believed to be preparing to prosecute individuals there for cyber failings.

The ONR confirmed Sellafield is failing to meet its cyber standards but declined to comment on the breaches, or claims of a “cover up”.

A spokesperson said: “Some specific matters are subject to ongoing investigations, so we are unable to comment further at this time.”

In a statement, Sellafield also declined to comment about its failure to tell regulators, instead focusing on the improvements it says it has made in recent years.