UK Govt Rebuts Claims of Cyberattack on Sellafield Nuclear Site

The British government has rebutted claims that the Sellafield nuclear site has been subject to cyberespionage by foreign hackers.

On Monday, The Guardian reported that Sellafield – which reprocesses nuclear fuel and carries out decommissioning and nuclear storage – had been hacked by cyber actors with ties to Russia and China.

The newspaper wrote Monday:

The UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal.

The Sellafield plant, formerly known as Windscale, was originally built in the 1950s to make plutonium for nuclear weapons, but was also designed to generate nuclear power, including from reprocessing nuclear waste. As of 2022, Sellafield does mostly the dirty work of nuclear waste processing and storage and nuclear decommissioning. The site, on the coast of Cumbria, England, is known to have taken in radioactive waste from other countries, including Italy and Sweden.

The Guardian’s report is part of the paper’s “Nuclear Leaks” investigation into sensitive topics around Sellafield, including radioactive contamination, toxic workplace culture, and cybersecurity inadequacies on the nuclear site.

Unnamed “sources” told the publication that foreign hackers in 2015 snuck “sleeper malware” into Sellafield’s IT network, allegedly to access classified data, including emergency planning documents to be used in case of disaster.

Sleeper malware typically lays dormant in the infected target system and is timed to go off either on a specific date or at the end of a countdown.

This creates a surprise attack when the victim least expects it, and makes it hard to identify where the threat came from or when the malware was initially deployed.

The Guardian said, citing sources at the Office for Nuclear Regulation (ONR) and the security services, that Sellafield had been placed into a “special measures” regime for consistent cybersecurity failings.

But according to the British government, there is no evidence to suggest that Sellafield was compromised by cyber actors.

“Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system,” government officials told Reuters.

“This was confirmed to the Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting,” the officials added.

A spokesperson for the ONR also went on record to say the Office had seen no evidence that state actors had hacked Sellafield, but clarified that it, too, was investigating inadequacies around Sellafield: “Some specific matters are subject to an ongoing investigation process, so we are unable to comment further at this time.”

The ONR also confirmed that the nuclear site was indeed failing to meet cybersecurity levels required by today’s standards, and said it had placed the plant under “significantly enhanced attention.”