The UK's most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal.
Sources said breaches were first detected as far back as 2015, when experts realised sleeper malware - software that can lurk and be used to spy or attack systems - had been embedded in Sellafield's computer networks.
It may mean some of Sellafield's most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised.
The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield's failure to alert nuclear regulators for several years, sources said.
The revelations have emerged in Nuclear Leaks, a year-long Guardian investigation into cyber hacking, radioactive contamination and toxic workplace culture at Sellafield.
The site has the largest store of plutonium on the planet and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.
Guarded by armed police, it also holds emergency planning documents to be used should the UK come under foreign attack or face disaster.
In a statement, Sellafield also declined to comment about its failure to tell regulators, instead focusing on the improvements it says it has made in recent years.
The problem of insecure servers at Sellafield was nicknamed Voldemort after the Harry Potter villain, according to a government official familiar with the ONR investigation and IT failings at the site, because it was so sensitive and dangerous.
The scale of the problem was only revealed when staff at an external site found that they could access Sellafield's servers and reported it to the ONR, according to an insider at the watchdog.
In one highly embarrassing incident last July, login details and passwords for secure IT systems were inadvertently broadcast on national TV by the BBC One nature series Countryfile, after crews were invited into the secure site for a piece on rural communities and the nuclear industry.
More than a decade later, staff at Sellafield, regulators and sources within the intelligence community believe systems at the vast nuclear waste dump are still not fit for purpose.
Security officials are also concerned that the ONR has been slow to share its intelligence on cyber failings at Sellafield because they indicate that its own scrutiny has been ineffective for more than a decade.
Such is the scale of cybersecurity concern, some officials believe entire new systems should be urgently built at Sellafield's nearby emergency control centre - a separate secure facility.
Among the highly sensitive documents stored at Sellafield are disaster manuals, plans that guide people through emergency nuclear protocols and what to do during a foreign attack on the UK. These documents include some of the learnings from a variety of sensitive operations, including Exercise Reassure in 2005 - and the regular Oscar exercises - which were aimed at testing the UK's ability to handle a nuclear disaster in Cumbria.
The ONR was so concerned by the fact that external sites could access Sellafield's servers, and an apparent cover-up by staff, that it interviewed teams under caution.
The Sellafield board held an inquiry into the problem in 2013 and the ONR warned that it would require more transparency on IT security.
Nuclear decommissioning, a large share of which is done at Sellafield, is one of the biggest drains on the UK government's annual business department budget.
Prior to publication, Sellafield and the ONR declined to answer a number of specific questions or say if Sellafield networks had been compromised by groups linked to Russia and China.
Following publication, they said they had no records to suggest Sellafield's networks had been successfully attacked by state actors in the way the Guardian described.
This Cyber News was published on www.theguardian.com. Publication date: Wed, 06 Dec 2023 01:29:05 +0000