Operator of Sellafield nuclear facility denies hacking claims

Sellafield Ltd, the Nuclear Decomissioning Authority (NDA)-backed organisation responsible for winding up the controversial Sellafield facility in Cumbria – the scene of the UK’s worst ever nuclear accident in 1957 – has denied allegations that its IT networks have been comprehensively compromised by both Chinese and Russian threat actors, deploying so-called sleeper malware that lay undetected on its systems for years to conduct espionage.

Earlier this week, the Guardian newspaper published the results of a lengthy investigation in which it accused the organisation’s senior management of having “consistently covered up” the scale of the intrusions, which it is claimed date back to 2015.

The report alleged that the extent of the supposed breach only came to light when workers at other sites found they were able to access Sellafield’s systems remotely and escalated to the Office for Nuclear Regulation (ONR). It said an insider had described Sellafield’s server network as “fundamentally insecure”, and highlighted other concerns including outside contractors using USB memory sticks at the site and an incident in which user credentials were inadvertently filmed and broadcast by a BBC camera crew.

A spokesperson for Sellafield Ltd said: “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian. Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.

“We take cyber security extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection…Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these,” they added.

However, this is not the first time that evidence of cyber intrusions affecting Sellafield have come to light. In 2021, for example, the Information Commissioner’s Office (ICO) ruled against the organisation over data breach offences, although these related to an employment tribunal and not critical information on the facility, while Private Eye has separately alleged that staff were made to use personal devices to handle sensitive material.

Earlier this year, Computer Weekly reported on how the local authority in which the facility lies, Cumberland Council – until recently Copeland Borough Council – which was hit by the 2017 WannaCry incident, still did not know what data was stolen by the attackers or whether any information on Sellafield was compromised.

A council source revealed that the local authorities held extensive documentation on Sellafield and described the councils as a potential “Achilles heel” for the nuclear site, adding that senior managers “still don’t know” what data may have been compromised. Responding to this, a spokesperson for Sellafield and the Nuclear Decommissioning Authority said there was “no reason to believe” data relating to Sellafield was compromised by the North Korea-backed WannaCry hackers.

Sellafield also remains under special measures from the ONR, which in its most recent annual report said that the organisation had made substantial progress towards improving its cyber resilience, but stopped short of relaxing its oversight. The Guardian claimed that the ONR is now preparing to prosecute some individuals at Sellafield.

Fergal Lyons of Centripetal, a threat intelligence specialist said that, if shown to be accurate, the lapse in security measures at Sellafield represented a “concerning oversight”, adding that it was alarming that this had gone unnoticed, particularly by the ONR, for so long.

“This situation underscores the daunting task of safeguarding any high-value facility under constant siege by assailants globally,” he said. “Addressing these threats requires a deep dive into identifying and understanding these assailants – where they originate and who they are. It is important to note that in over 95% of cyber attacks globally, there existed some form of threat intelligence that, if leveraged effectively, could have mitigated the attack’s devastating impact. 

“Conventional cyber security defences are failing on multiple fronts, as is evident in the surge of ransomware attacks and data breaches, signalling the need for an industry-wide re-evaluation of our existing defensive strategies."

EasyDMARC CEO and co-founder, Gerasim Hovhannisyan, added: “Following confirmation from the ONR that Sellafield is failing to meet its cyber standards, it is clear that authorities at local and national levels simply aren’t prioritising cyber security to the level they should and are potentially underestimating the significant impacts it can have on public safety. 

“Secondly, the suggestion that the vulnerabilities exploited by cyber criminals could go back as far as 2015 suggests a dangerous lack of awareness from a people, process and technology perspective. The importance of immediately responding to a breach and following a clear, predetermined incident response plan cannot be understated, especially in the case of critical infrastructure.”