Sellafield is Europe’s largest facility for the storage of nuclear waste from power generation and weapons programs, and it has long been considered the region’s most at-risk and potentially dangerous nuclear site following years of infrastructure decay. While concerns about its physical safety date back decades, new reporting from The Guardian indicates that hacker groups have long been taking advantage of rot in its cyber defense program as well.
Internal sources and documents seen by Guardian reporters indicate that advanced persistent threat (APT) hacker groups working for Russia and China have likely had sleeper malware spread throughout the nuclear site’s IT systems since at least 2015. Not only are officials not sure if some of this malware is still present, senior staff may have covered up breaches and failed to report incidents to UK regulators. The Office for Nuclear Regulation (ONR) reportedly placed Sellafield in “special measures” status in 2022 due to its record of cybersecurity failings, and the agency may be preparing to prosecute some of those staff members.
Key UK nuclear site struggling with multiple serious issues
From its sources, the Guardian is reporting that incursions on the nuclear site by hacker groups have been “consistently” covered up by senior staff.
These incidents are reportedly documented back to at least 2015, but could have taken place even before then. 2015 was the point at which sleeper malware was first found in the nuclear site’s systems, something that has apparently regularly recurred since then to the point that no one can be sure if it is currently still infected. Staff have reportedly failed to notify nuclear regulators of these sorts of issues for “several years” now.
Part of the issue is that it is apparently multiple nation-state APT hacker groups feasting on the nuclear site’s security failings, at minimum those of Russia and China. The sources say the hackers likely have accessed the highest levels of confidential files at the site; this would include reports on fires or leaks of dangerous material, movements of radioactive waste and possible details about weapons programs that could be gleaned from the transport of the hazardous waste they generate, as well as emergency plans for the wake of a nuclear attack by a foreign power. The site not only stores the UK’s waste, but has also taken in waste from other EU countries such as Italy and Sweden.
Internal reports at Sellafield summarized the ongoing cybersecurity problems as “Voldemort” and had at least one official describe it as “fundamentally insecure.” It also appears to have taken staff at the nuclear site years to understand the scope of the problem, only becoming clued in once staff at an external site found it possible to gain unauthorized access to the servers. External contractors were also reportedly allowed to plug memory sticks into internal computer systems without supervision.
While most of this is internal information that is newly available, the general public has had some inkling of Sellafield security failures for some time now. The nuclear site was lambasted for a 2022 incident in which reporters doing a piece on-site happened to capture a workstation with admin credentials posted on a sticker, something that was inadvertently broadcast on national television. Internal reports indicate serious concerns about the site’s security since at least 2012, with the central issue being a sustained lack of personnel to deal with both internal and external threats.
In response to the Guardian’s report, Sellafield issued a statement saying that it takes cybersecurity very seriously and that it is working closely with regulators. It did not address the alleged actions of any of the hacker groups. ONR has said that it has seen no evidence of foreign breach of the systems or the alleged malware, but would not comment on the “special measures” the nuclear site has allegedly been put under.
Hacker groups far from Sellafield’s only problem
The story about the hacker groups is just part of an ongoing series by the Guardian called “Nuclear Leaks,” which also focuses on workplace issues at the nuclear site and the possibility of contamination from physical degradation. The site has been struggling with that latter point for some time as well, with a waste storage silo that has been developing leaks since the 1970s projected to continue to be unstable until 2050 and to potentially threaten groundwater if deterioration is bad enough.
Without official confirmation, it is difficult to know exactly how far the hacker groups have penetrated into the UK’s nuclear waste disposal infrastructure. But the situation is far from unheard of, following reports that similar hacker groups have made similar progress into US utilities that support domestic military bases. Oz Alashe, CEO of CybSafe, cautions that this is a climate in which the emphasis should be on reassuring stakeholders of safety: “Rather than reacting with blame when incidents occur, organisations should focus on equipping employees to uphold security standards as part of their regular workflow. This prevents the instinct to hide lapses that can leave systems vulnerable. By proactively engaging all staff in recognising phishing attempts, following protocol with hardware, and speaking up about suspicious activity, employees can become an organisation’s best line of defence. Pair this with approachable, non-punitive reporting channels, and organisations can address vulnerabilities before hackers exploit them.”
“Cybersecurity is no longer just an IT issue, but an organisation-wide responsibility. Fostering an open, collaborative security culture makes it easier for workers to protect vital systems and important national infrastructure,” added Alashe.
Rosa Smothers, former CIA cyber threat, analyst and current senior vice president at KnowBe4, provides more technical insights into what might be allowing hacker groups to run wild at the nuclear site: “Sellafield has exhibited a stunning lack of operational security awareness dating back to at least 2013. Industrial Control Systems often become outdated on networks, leading to a scarcity of security updates. Consequently, companies hesitate to replace these obsolete systems with more current hardware and software which enables dormant malware embeds. The revelation that external drives were left unsecured, allowing unauthorized users to plug in USB drives at any time, is particularly troubling, especially considering the risks associated with such vulnerabilities – they’ve not learned any lessons a full decade after an Iranian nuclear facility was reportedly compromised using USB thumb drives.”
“Of particular concern is the fact that Sellafield houses the largest store of plutonium globally. Nation-states with an interest in or an existing nuclear program could exploit this reckless security posture. For example, probing the computer network to ascertain if access allows for nefarious alterations to their nuclear waste monitoring system, such as manipulating nuclear sensors to report safe radiation levels instead of accurate, potentially hazardous readings,” noted Smothers.