A general view shows the Sellafield nuclear plant near Whitehaven in Britain, on 23 February, 2017. REUTERS
Hours after The Guardian report claimed that UK’s most hazardous nuclear site Sellafield has been hacked into by cyber groups closely linked to Russia and China, Britain on Monday said that it has no records or evidence to suggest that networks were compromised.
“Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system,” Reuters quoted the government as saying.
“This was confirmed to the Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting,” the government added.
On Monday, The Guardian reported that its investigation has found that the astonishing disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site.
The news outlet said that it has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015, when experts realised sleeper malware – software that can lurk and be used to spy or attack systems – had been embedded in Sellafield’s computer networks, the report added.
The report claimed that it is still not known if the malware has been eradicated. It may mean some of Sellafield’s most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised, it added.
Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.
The Guardian reported that Sellafield, which carries out nuclear fuel reprocessing, nuclear waste storage and decommissioning, had been hacked by cyber groups closely linked to Russia and China.
The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years, said the report, sources.
The revelations have emerged in Nuclear Leaks, a year-long Guardian investigation into cyber hacking, radioactive contamination and toxic workplace culture at Sellafield.
The site has the largest store of plutonium on the planet and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.
Guarded by armed police, it also holds emergency planning documents to be used should the UK come under foreign attack or face disaster. Built more than 70 years ago and formerly known as Windscale, it made plutonium for nuclear weapons during the cold war and has taken in radioactive waste from other countries, including Italy and Sweden.
The Guardian said it can also disclose that Sellafield, which has more than 11,000 staff, was last year placed into a form of “special measures” for consistent failings on cybersecurity, according to sources at the Office for Nuclear Regulation (ONR) and the security services.
The watchdog is also believed to be preparing to prosecute individuals there for cyber failings.
The ONR confirmed Sellafield is failing to meet its cyber standards but declined to comment on the breaches, or claims of a “cover up”.
A spokesperson said: “Some specific matters are subject to ongoing investigations, so we are unable to comment further at this time.”
In a separate statement, Britain’s Office for Nuclear Regulation (ONR) also said it had seen no evidence that state actors had hacked its systems as the paper had described.
But the regulator said Sellafield was currently not meeting certain high standards of cyber security it required, adding that it had placed the plant under “significantly enhanced attention.
“Some specific matters are subject to an ongoing investigation process, so we are unable to comment further at this time,” the ONR said.
The Guardian report said the ONR was “believed” to be preparing to prosecute individuals at Sellafield for cyber failings.
With inputs from agencies