Exclusive: Malware may still be present and its potential effects have been covered up by staff, investigation reveals
The UK’s most hazardous nuclear site, Sellafield, has been hacked by cyber groups closely linked to Russia and China, the Guardian can reveal.
This startling disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site, the investigation has found.
The Guardian has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said the breaches were first detected as far back as 2015, when experts realised that sleeper malware (software that can lie dormant in a network and later be used to spy on or attack systems) had been embedded in Sellafield’s computer networks.
It is still not known whether the malware has been eradicated. That may mean some of Sellafield’s most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised.
Sources suggest it is likely that foreign hackers have accessed the most confidential material held at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.
The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years, sources said.
The revelations have emerged in Nuclear Leaks, a year-long Guardian investigation into cyber hacking, radioactive contamination and toxic workplace culture at Sellafield.
The site has the largest store of plutonium on the planet and is a sprawling dumping ground for nuclear waste from weapons programmes and decades of atomic power generation.
Guarded by armed police, it also holds emergency planning documents to be used should the UK come under foreign attack or face a disaster. Built more than 70 years ago and formerly known as Windscale, it produced plutonium for nuclear weapons during the cold war, and took in radioactive waste from other countries, including Italy and Sweden.
The Guardian can also reveal that Sellafield, which has more than 11,000 staff, was last year placed into a form of “special measures” for consistent failings on cybersecurity, according to sources at the Office for Nuclear Regulation (ONR) and the security services.
The watchdog is also believed to be preparing to prosecute individuals at the site for cyber failings.
The ONR confirmed Sellafield is failing to meet its cyber standards but declined to comment on the breaches, or claims of a “cover up”.
A spokesperson said: “Some specific matters are the subject of ongoing investigations, so we are unable to comment further at this time.”
In a statement, Sellafield also declined to comment on its failure to notify regulators, focusing instead on the improvements it says it has made in recent years.
Labour’s shadow secretary of state for energy security and net zero, Ed Miliband, said it was a “very worrying report on one of our most sensitive energy infrastructures”.
“This raises allegations that the government must treat with the utmost seriousness,” he said.
“The government has a responsibility to say when it first knew of these allegations, what action it and the regulator took and to provide assurances about the protection of our national security.”
The problem of insecure servers at Sellafield is nicknamed Voldemort, after the Harry Potter villain, because it is so sensitive and dangerous, according to a government official familiar with the ONR’s investigation and the site’s IT failings. The highly sensitive information held on those servers could be exploited by Britain’s enemies. Sellafield’s server network was described by one official as “fundamentally insecure”.
The scale of the problem was only revealed when staff at an external site discovered they could access Sellafield’s servers and reported it to the ONR, according to a watchdog source.
Other concerns include external contractors being able to plug memory sticks into the system while unsupervised.
In a highly embarrassing incident last July, login details and passwords for secure IT systems were inadvertently broadcast on national television by BBC One’s nature series Countryfile, after a film crew was invited to the secure site for a feature on rural communities and the nuclear industry.
The ONR has prepared a draft prosecution against Sellafield over cybersecurity, a form of enforcement action it can take if it believes there is “sufficient evidence to provide a realistic prospect of conviction”.
Senior staff at the nuclear site have known about cybersecurity problems for at least a decade, according to a 2012 report seen by the Guardian, which warned that there were “critical security vulnerabilities” that needed to be addressed urgently.
The report found that security resources at the time “were not adequate for the insider risk [emanating from staff] . . . let alone to respond to a significant ramping up of external risk”.
More than a decade later, Sellafield staff, regulators and sources within the intelligence community say the systems at the vast nuclear waste site are still not fit for purpose. Senior leaders have also deliberately tried to conceal the extent of the problems posed by the cybersecurity failings. Concerns have been raised in recent years by security officials tasked with testing the UK’s vulnerability to attack. This is the subject of the potential legal action.
Security officials are also concerned that the ONR has been slow to share its intelligence on cyber failings at Sellafield because they indicate that its own scrutiny has been ineffective for more than a decade.
The ONR’s latest annual report says “improvements are required” at Sellafield and other sites to address cybersecurity risks. It also notes that the site is receiving “significantly enhanced attention” in this area.
The ONR said it had found cybersecurity “shortfalls” during its inspections and noted that it had taken “enforcement action” as a result.
The scale of the cybersecurity concerns is such that some officials want entirely new systems to be urgently built at the nearby Sellafield Emergency Control Centre, a separate, secure facility.
Among the highly sensitive documents held at Sellafield are emergency planning manuals, plans that guide other organisations through nuclear emergency protocols, and instructions on what to do in the event of a foreign attack on the UK.
Those documents include some of the lessons learned from a series of sensitive exercises, including Exercise Reassure in 2005 and the regular Oscar exercises, which were designed to test the UK’s ability to handle a nuclear disaster in Cumbria.
The ONR was so concerned about the external site’s access to Sellafield’s servers, and the apparent cover-up by staff, that it quietly interviewed personnel. Sellafield’s board commissioned an investigation into the issue in 2013, and the ONR warned that it would demand more transparency on IT security.
Cyberattacks and cyberespionage carried out by Russia and China are among the biggest threats to the UK, according to security officials. The most recent National Risk Register, an official document outlining the main risks the UK may face, includes a cyberattack on civil nuclear infrastructure.
In recent years, attackers from hostile states have targeted allies in the “Five Eyes” intelligence-sharing community. The US has been under attack, with government agencies, including its Department of Energy, hit by a record-breaking software hack in June this year.
The UK’s GCHQ cyber wing, the National Cyber Security Centre, which has offices in central London and is part of the intelligence agency based in Cheltenham, Gloucestershire, has warned of a rise in cyberattacks on critical national infrastructure by Russia and China.
The government’s growing fear about Chinese involvement in the UK’s critical national infrastructure has led in recent years to the removal of the Chinese state-owned energy company CGN from the Sizewell C nuclear project in Suffolk and the stripping of Huawei equipment from the core of the telecoms network.
That has reversed a spell of close Anglo-Sino relations, which culminated in the then prime minister, David Cameron, hailing a “golden era” between the countries and drinking beer with the Chinese president, Xi Jinping, in a Buckinghamshire pub in 2015.
Rishi Sunak’s government has championed an expansion of the country’s nuclear industry after the energy crisis, picking up where his predecessor Boris Johnson left off. Earlier this year, the then energy secretary, Grant Shapps, launched Great British Nuclear, a body designed to deliver new nuclear power stations. A generation of new nuclear projects would ultimately require an expansion of Britain’s decommissioning activities.
Nuclear decommissioning, much of which takes place at Sellafield, is one of the largest items in the annual budget of the government’s Department for Energy Security and Net Zero. Costs run to about £2.5bn a year. Decommissioning is a huge, long-term bill that has been deemed a “fiscal risk” to the UK’s economic health by the spending watchdog, the Office for Budget Responsibility. It is estimated that managing the legacy of the UK’s nuclear power and weapons industries could cost as much as £263bn in undiscounted terms.
That figure varies widely depending on how long-term cash flows are calculated, and the OBR has warned that Sellafield’s long-term costs could range from 50% below the estimate to more than 300% above it.
A spokesperson for Sellafield said: “We take cybersecurity extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection.
“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not be able to penetrate them.
“Over the past 10 years we have evolved to meet the challenges of the modern world, including a greater emphasis on cybersecurity.
“We are working closely with our regulator. As a result of the progress we have made, we have an agreed route to step down from ‘significantly enhanced’ regulation.”
A spokesperson for the ONR said: “Sellafield Ltd is currently not meeting certain high standards that we require for cybersecurity, which is why we have placed it under significantly enhanced attention.
“Some specific matters are the subject of ongoing investigations, so we are unable to comment further at this time.”
Prior to publication, Sellafield and the ONR declined to answer a number of specific questions or say if Sellafield networks had been compromised by groups linked to Russia and China. Following publication, they said they had no records to suggest Sellafield’s networks had been successfully attacked by state actors in the way the Guardian described.
A spokesperson for the Department for Energy Security and Net Zero said: “We expect the highest standards of safety and security as former nuclear sites are decommissioned, and the regulator is clear that public safety is not compromised at Sellafield.
“Many of the issues raised are historical and the regulator has been working with Sellafield for some time to make sure the necessary improvements are implemented. We expect regular updates on how this is progressing.”