Share this article on:
The UK government has responded to reports by The Guardian, which allege that hackers with connections to Russia and China have attacked what the publication describes as one of the world’s “most hazardous nuclear sites”.
According to The Guardian’s sources, breaches of the Sellafield nuclear waste and decommissioning site have been detected as early as 2015, but it is unknown when the attacks first occurred.
Reportedly, the hackers had injected sleeper malware to quietly survey the nuclear site’s computer network, allowing it to monitor for things such as compromises in the site’s structure, such as leaks and reports of fires. It would also allow the threat actors to access records of activities such as the moving of radioactive material and waste.
The Guardian added that it was unknown whether the malware still existed on the site’s systems and said that its sources have suggested that it is “likely foreign hackers have accessed the highest echelons of confidential material at the site”.
Responding to the claims, the UK government said that it has “no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state actors in the way described by The Guardian”.
“Our monitoring systems are robust, and we have a high degree of confidence that no such malware exists on our system,” it said.
“This was confirmed to The Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting.
“We have asked The Guardian to provide evidence related to this alleged attack so we can investigate. They have failed to provide this.”
Additionally, The Guardian said that the data and contents of Sellafield were highly sensitive and potentially dangerous.
For one, Sellafield is home to the largest store of plutonium in the world, with 140 tonnes that it has purified over the years, which was intended for weapons development. However, while this helped with nuclear weapons development during the Cold War, the plutonium supply has built up as demand falls.
It is also a massive store of nuclear waste from power stations and weapons-testing programs.
On top of this, emergency planning documents outlining how the UK should proceed following a disaster or foreign attack are stored at the site.
While the site is physically secured, Sellafield’s cyber security is reportedly lacking. The nuclear site was placed into “special measures” after it failed to meet cyber security standards consistently, according to The Guardian speaking with the Office for Nuclear Regulation (ONR). The ONR is also reportedly looking to prosecute individual staff.
The Guardian also accused Sellafield senior staff of covering up and failing to disclose the alleged cyber attack; however, a spokesperson for the nuclear site declined to comment on this.
“Some specific matters are subject to ongoing investigations, so we are unable to comment further at this time,” the spokesperson told The Guardian.
However, there are documented examples of Sellafield’s cyber failings, leading to the site’s servers earning the name Voldemort because they were so sensitive and dangerous.
The site’s cyber security has been found to be poor on a number of occasions, first when external staff were able to access the nuclear site’s servers. This was then reported to the ONR.
One incident saw login credentials for IT systems for the site broadcast on Countryfile, a nature series on BBC One, after crew members were invited in while filming a piece on the nuclear industry and its effect on country communities.
Additionally, a report from 2012 seen by The Guardian warned of “critical security vulnerabilities”, saying that the site’s systems and resources were “not adequate to police the internal threat [from staff] … let alone react to a significant increase in external threat”.
The ONR’s latest report maintains that the site’s cyber security is still lacking, saying “improvements are required”, which has sparked calls for entirely new systems to be built.
Additionally, the ONR has prepared a notice of prosecution for Sellafield regarding its cyber security; however, it could only take action if it found “sufficient evidence to provide a realistic prospect of conviction”.
Once again, the UK government responded to The Guardian’s accusations of poor security at Sellafield.
“We take cyber security extremely seriously at Sellafield,” it said.
“All of our systems and servers have multiple layers of protection.
“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.”