Sellafield nuclear site hacked by groups linked to Russia and China

The UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal.

The astonishing disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site, the investigation has found.

The Guardian has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015, when experts realised sleeper malware – software that can lurk and be used to spy or attack systems – had been embedded in Sellafield’s computer networks.

It is still not known if the malware has been eradicated. It may mean some of Sellafield’s most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised.

Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.

The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years, sources said.

The revelations have emerged in Nuclear Leaks, a year-long Guardian investigation into cyber hacking, radioactive contamination and toxic workplace culture at Sellafield.

The site has the largest store of plutonium on the planet and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.

Guarded by armed police, it also holds emergency planning documents to be used should the UK come under foreign attack or face disaster. Built more than 70 years ago and formerly known as Windscale, it made plutonium for nuclear weapons during the cold war and has taken in radioactive waste from other countries, including Italy and Sweden.

The Guardian can also disclose that Sellafield, which has more than 11,000 staff, was last year placed into a form of “special measures” for consistent failings on cybersecurity, according to sources at the Office for Nuclear Regulation (ONR) and the security services.

The watchdog is also believed to be preparing to prosecute individuals there for cyber failings.

The ONR confirmed Sellafield is failing to meet its cyber standards but declined to comment on the breaches, or claims of a “cover up”.

A spokesperson said: “Some specific matters are subject to ongoing investigations, so we are unable to comment further at this time.”

In a statement, Sellafield also declined to comment about its failure to tell regulators, instead focusing on the improvements it says it has made in recent years.

Labour’s shadow secretary of state for energy security and net zero, Ed Miliband, said it was a “very concerning report about one of our most sensitive pieces of energy infrastructure”.

“It raises allegations that must be treated with the utmost seriousness by government,” he said.

“The government has a responsibility to say when it first knew of these allegations, what action it and the regulator took and to provide assurances about the protection of our national security.”

The problem of insecure servers at Sellafield was nicknamed Voldemort after the Harry Potter villain, according to a government official familiar with the ONR investigation and IT failings at the site, because it was so sensitive and dangerous. It involved highly sensitive data that could be exploited by Britain’s enemies. Sellafield’s server network was characterised by the official as “fundamentally insecure”.

The scale of the problem was only revealed when staff at an external site found that they could access Sellafield’s servers and reported it to the ONR, according to an insider at the watchdog.

Other concerns include external contractors being able to plug memory sticks into the system while unsupervised.

In one highly embarrassing incident last July, login details and passwords for secure IT systems were inadvertently broadcast on national TV by the BBC One nature series Countryfile, after crews were invited into the secure site for a piece on rural communities and the nuclear industry.

The ONR has prepared a notice of prosecution for Sellafield on cybersecurity – a form of enforcement action it can only take if it believes there is “sufficient evidence to provide a realistic prospect of conviction”.

Cyber problems have been known by senior figures at the nuclear site for at least a decade, according to a report dated from 2012, seen by the Guardian, which warned there were “critical security vulnerabilities” that needed to be addressed urgently.

It found that security resources at the time were “not adequate to police the internal threat [from staff] … let alone react to a significant increase in external threat”.

More than a decade later, staff at Sellafield, regulators and sources within the intelligence community believe systems at the vast nuclear waste dump are still not fit for purpose. They also believe that there was a deliberate effort by senior leaders to conceal the scale of the problems posed by cybersecurity problems at the site from security officials tasked with testing the UK’s vulnerability to attack in recent years. This is the subject of potential prosecution.

Security officials are also concerned that the ONR has been slow to share its intelligence on cyber failings at Sellafield because they indicate that its own scrutiny has been ineffective for more than a decade.

The latest annual report from the ONR stated that “improvements are required” from Sellafield and other sites in order to address cybersecurity risks. It also confirmed that the site was in “significantly enhanced attention” for this activity.

The ONR said it had found cybersecurity “shortfalls” during its inspections and noted that it had taken “enforcement action” as a result.

Such is the scale of cybersecurity concern, some officials believe entire new systems should be urgently built at Sellafield’s nearby emergency control centre – a separate secure facility.

Among the highly sensitive documents stored at Sellafield are disaster manuals, plans that guide people through emergency nuclear protocols and what to do during a foreign attack on the UK.

These documents include some of the learnings from a variety of sensitive operations, including Exercise Reassure in 2005 – and the regular Oscar exercises – which were aimed at testing the UK’s ability to handle a nuclear disaster in Cumbria.

The ONR was so concerned by the fact that external sites could access Sellafield’s servers, and an apparent cover-up by staff, that it interviewed teams under caution. The Sellafield board held an inquiry into the problem in 2013 and the ONR warned that it would require more transparency on IT security.

Cyber-attack and cyber espionage by Russia and China are among the biggest threats to the UK, according to security officials. The most recent National Risk Register, an official document that outlines the key hazards the UK could face, includes a cyber-attack on civil nuclear infrastructure.

Attackers from hostile states have targeted allies in the “Five Eyes” intelligence sharing community in recent years. The US has been attacked, with its government agencies, including its energy department, targeted via file-transfer software in June this year.

The UK’s cyber wing of GCHQ, which has offices in central London and is part of the domestic intelligence network with headquarters in Cheltenham in Gloucestershire, has warned of a heightened risk of cyber-attack on critical national infrastructure from Russia and China.

Growing government concern over Chinese involvement in UK critical national infrastructure has resulted in the Chinese state-owned energy company CGN being removed from the Sizewell C nuclear project in Suffolk and Huawei products being stripped from the heart of the telecommunications network in recent years.

That has reversed a spell of close Anglo-Sino relations, which culminated in the then prime minister, David Cameron, hailing a “golden era” between the countries and drinking beer with the Chinese premier, Xi Jinping, in a Buckinghamshire pub in 2015.

Rishi Sunak’s government has championed expanding the country’s nuclear industry after the energy crisis, picking up where his predecessor Boris Johnson left off. Earlier this year, the then energy secretary, Grant Shapps, launched Great British Nuclear, a body designed to provide new nuclear power plants. A generation of new nuclear projects will ultimately require an expansion of Britain’s decommissioning activities.

Nuclear decommissioning, a large share of which is done at Sellafield, is one of the biggest drains on the UK government’s annual business department budget. The site costs about £2.5bn a year to operate. Decommissioning is such a huge, long-term bill that it was examined as a “fiscal risk” to the UK’s economic health by the spending watchdog, the Office for Budget Responsibility. It is estimated it could cost as much as £263bn to manage the legacy of the UK’s nuclear energy and weaponry industries.

This figure shifts wildly depending on how future cashflow is calculated, and the OBR has warned that the long-term costs of Sellafield could vary by as much as minus 50% to plus 300%.

A Sellafield spokesperson said: “We take cybersecurity extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection.

“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.

“Over the past 10 years we have evolved to meet the challenges of the modern world, including a greater focus on cybersecurity.

“We’re working closely with our regulator. As a result of the progress we’ve made, we have an agreed route to step down from ‘significantly enhanced’ regulation.”

An ONR spokesperson said: “Sellafield Ltd is currently not meeting the high standards that we require in cybersecurity, which is why we have placed them under significantly enhanced attention.

“Some specific matters are subject to ongoing investigations, so we are unable to comment further at this time.”

Prior to publication, Sellafield and the ONR declined to answer a number of specific questions or say if Sellafield networks had been compromised by groups linked to Russia and China. Following publication, they said they had no records to suggest Sellafield’s networks had been successfully attacked by state actors in the way the Guardian described.

A spokesperson from the Department for Energy Security and Net Zero said: “We expect the highest standards of safety and security as former nuclear sites are dismantled, and the regulator is clear that public safety is not compromised at Sellafield.

“Many of the issues raised are historical and the regulator has for some time been working with Sellafield to ensure necessary improvements are implemented. We are expecting regular updates on how this progresses.”