Operator of Sellafield nuclear facility denies hacking claims

Sellafield Ltd, the Nuclear Decomissioning Authority (NDA)-backed organisation responsible for winding up the controversial Sellafield facility in Cumbria – the scene of the UK’s worst ever nuclear accident in 1957 – has denied allegations that its IT networks have been comprehensively compromised by both Chinese and Russian threat actors, deploying so-called sleeper malware that lay undetected on its systems for years to conduct espionage.

Earlier this week, the Guardian newspaper published the results of a lengthy investigation in which it accused the organisation’s senior management of having “consistently covered up” the scale of the intrusions, which it is claimed date back to 2015.

The report alleged that the extent of the supposed breach only came to light when workers at other sites found they were able to access Sellafield’s systems remotely and escalated to the Office for Nuclear Regulation (ONR). It said an insider had described Sellafield’s server network as “fundamentally insecure”, and highlighted other concerns including outside contractors using USB memory sticks at the site and an incident in which user credentials were inadvertently filmed and broadcast by a BBC camera crew.

A spokesperson for Sellafield Ltd said: “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian. Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.

“We take cyber security extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection…Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these,” they added.

However, this is not the first time that evidence of cyber intrusions affecting Sellafield have come to light. In 2021, for example, the Information Commissioner’s Office (ICO) ruled against the organisation over data breach offences, although these related to an employment tribunal and not critical information on the facility, while Private Eye has…