Sellafield ‘is hacked by cyber groups linked to Russia and China’: Staff at UK’s most hazardous nuclear site are accused of ‘covering up’ IT breaches which date back ‘eight years’

Britain’s largest nuclear site has been hacked by cyber groups closely linked to Russia and China, according to reports. 

Sellafield in Cumbria is a former power station that now processes nuclear waste from across Britain dating back decades – a task that makes it the most hazardous location in the country. 

Officials are said to be unaware when the site was first hacked but came across sleeper malware, which can be used to spy or attack systems, as far back as 2015. 

It is not clear if this malware is still present in computer systems, with its existence allegedly covered up by senior staff, the Guardian reports.

Sources told the newspaper that they fear foreign operatives have accessed the highest levels of confidential material at the two-square-mile site. 

Sellafield said it had ‘no records or evidence’ that Sellafield had been ‘successfully attacked by state actors’.  

Officials do not known precisely when the site in Cumbria was compromised but said breaches were detected as long ago as 2015, according to reports

Working out the full extent of the hack and the threat it poses has been made harder by Sellafield’s failure to alert the nuclear regulator for several years, it is claimed. 

The facility is used to process nuclear waste from decades of atomic power generation and weapons programmes, and hosts the planet’s largest store of plutonium. 

It is owned by the government’s Nuclear Decommissioning Authority and has a 10,000-strong workforce.

The location is guarded by armed police, and is meant to be so secure that it holds emergency planning documents for use should the UK come under foreign attack or face disaster. 

Reports have previously described a ‘toxic culture’ of bullying, racism and sexual harassment at the plant which workers warned could lead to a ‘disaster’. 

One employee speaking in 2021 claimed bosses did nothing when he was ‘racially taunted’ by a driver going through the plant. A woman said a senior manager asked if she had performed sexual favours to get ahead in the job.

Another claimed a line manager called his autistic worker a ‘mong’, while a Muslim staffer said a trainer said the biggest threat was ‘bearded men in flip-flops’.

In a letter to bosses, they said: ‘He then singled me out and mockingly looked under the table at my shoes.’

Experts blasted the alleged behaviour as a ‘toxic culture’ and a ‘recipe for disaster’ due to the dangerous chemicals kept on site.  

is owned by the government's Nuclear Decommissioning Authority and has a 10,000-strong workforce

is owned by the government’s Nuclear Decommissioning Authority and has a 10,000-strong workforce 

A Sellafield Ltd spokesman said: “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian.

“Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.

“We take cyber security extremely seriously at Sellafield.

“All of our systems and servers have multiple layers of protection.

“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.”

A spokesman from the Department for Energy Security and Net Zero said: ‘We expect the highest standards of safety and security as former nuclear sites are dismantled, and the regulator is clear that public safety is not compromised at Sellafield.

‘Many of the issues raised are historical and the regulator has for some time been working with Sellafield to ensure necessary improvements are implemented. We are expecting regular updates on how this progresses.

‘We have zero-tolerance of bullying, harassment and offensive behaviour in the workplace – we expect Sellafield and the CNC to operate on this basis, investigate allegations and take robust action.’