The UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal.
The astonishing disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site, the investigation has found.
The Guardian has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015 when experts realized sleeper malware – software that can lurk and be used to spy or attack systems – had been embedded in Sellafield’s computer networks.
It is still not known if the malware has been eradicated. It may mean some of Sellafield’s most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material, and checking for fires, have been compromised.
Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.
The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years, sources said.
The revelations have emerged in Nuclear Leaks, a year-long Guardian investigation into cyber hacking, radioactive contamination and toxic workplace culture at Sellafield.
The site has the largest store of plutonium on the planet and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.
Guarded by armed police, it also holds emergency planning documents to be used should the UK come under foreign attack or face disaster.
Built more than 70 years ago and formerly known as Windscale, it made plutonium for nuclear weapons during the cold war and has taken in radioactive waste from other countries, including Italy and Sweden.
The Guardian can also disclose that Sellafield, which has more than 11,000 staff, was last year placed into a form of “special measures” for consistent failings on cybersecurity, according to sources at the Office for Nuclear Regulation (ONR) and the security services.
The watchdog is also believed to be preparing to prosecute individuals there for cyber failings.
