Sellafield Nuclear Site Hacked By Groups Linked To Russia and China

The UK's most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal. From the report: The astonishing disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site, the investigation has found. The Guardian has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015, when experts realised sleeper malware -- software that can lurk and be used to spy or attack systems -- had been embedded in Sellafield's computer networks.

It is still not known if the malware has been eradicated. It may mean some of Sellafield's most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised. Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.

But How Did The Malware Get Into Their Systems?

[NoWayNoShapeNoForm]

I guess that Nigerian Prince email was really a clever Chinese hacker's booby trap, eh?

Re: But How Did The Malware Get Into Their Systems

[antus]

They said contractors could plug in usb sticks while not being watched. There is 1 ingress. They also said they're airgapped but I bet against nation state attackers they have a way to bridge the airgap. Maybe someone plugged 1 network in to another they shouldnt have, or maybe with sound or light or maybe something as braindead as compromised machines on both networks with wifi hardware under attacker control.

"Most hazardous"?

[mccalli]

I've read the article, but unfortunately it's not that good. The IT security practices seems to be conflated with general nuclear alarmism, which sadly is unsurprising given the article's source. The "most hazardous" comment, for instance, may or may not be true - there's simply no source or even definition for the statement whatsoever.

The IT security stuff sounds like the standard if somewhat depressing normality of utility organisations. It is absolutely worth of reporting on, and absolutely should be

Re:

[mccalli]

Can't edit so will respond to myself. Seems there's a video that might define 'most hazardous'? Don't know as doesn't play for me when I click on it.

Re:

[grahamsz]

It's kind of vague, it's certainly a leading contender for most hazardous - particularly if it were mismanaged. But it's not inherently dangerous, I went to the visitor center with my family a long time ago. Certainly staff all had dosimeter badges but that's hardly unusual in such a situation. Still i'm not sure how you can rank-order such hazards. Chernobyl is in europe and is almost certainly a more hazardous site. I can't think of any other sites that are automatically more hazardous but there are sure

Re:"Most hazardous"?

[jd]

It was grotesquely mismanaged for a very long time. It was operated as part of Britain's nuclear weapons program. Sellafield was a reprocessing plant where they obtained plutonium. It was a first generation plant, so basically none of the design errors had been ironed out.

There were also nuclear reactors there. The original reactors were basically graphite blocks into which you placed the fuel rods. One of these caught fire in the 1950s, causing widespread contamination of radioactive caesium. It took the engineers a long time to detect the fire.

Wikipedia says: Between 1950 and 2000, there were 21 serious incidents or accidents involving off-site radiological releases that warranted a rating on the International Nuclear Event Scale, one at level 5, five at level 4 and fifteen at level 3.

Wikipedia also says there's 200kg of plutonium in the Irish Sea. Since it requires between 4-8kg of plutonium to make a nuclear bomb, this could be considered something of a problem. Although you'd need to dredge up a lot of sediment to do anything with, and the UK navy would probably have paid a visit by then.

Sellafield is a great example of how to not build a nuclear site. It's primitive, it leaks waste, it's poorly maintained, and it's not particularly reliable. But the site is from the late 1940s and the military weren't interested in minimising cost per watt of power generated. They were interested in maximising plutonium output.

Re:

[Firethorn]

Like the US nuclear weapons program, they weren't all that worried about safety or environmentalism either.

The differences between our nuclear weapons programs and power generation is so huge that I don't put them in the same bucket. Shit that the weapon side did would have never flown for power.

Re:

[grahamsz]

Sure, but it's not atypical for sites from that period. US sites from the 40s and 50s are pretty bad, russian sites are probably worse, other british sites are quite poor. I really think the scale of sellafield, the fact that it's operated for so long and the comingling of civil and military goals make the mess and risk more concentrated, but I doubt anyone doing nuclear in that period did a better job

Re:

[thegarbz]

US sites from the 40s and 50s are pretty bad, russian sites are probably worse

No one is comparing anything to something outside of the UK. Stick to UK based facilities. Some are bad, but that doesn't make Stellafield less of the "most hazardous".

Re:

[bugs2squash]

I'm sure the nuclear alarmism juices the story a bit, but really it does seem to me to be more critical to monitor for leaks and fires etc. when we're talking about the biggest store of plutonium on the planet. Maybe some alarm is justified in this case.

Re:"Most hazardous"?

[jd]

Wikipedia sayeth: Between 1950 and 2000, there were 21 serious incidents or accidents involving off-site radiological releases that warranted a rating on the International Nuclear Event Scale, one at level 5, five at level 4 and fifteen at level 3. Additionally, during the 1950s and 1960s there were protracted periods of known, deliberate discharges to the atmosphere of plutonium and irradiated uranium oxide particulates.

The Guardian sayeth: At its height, workers at Sellafield were advised not to have children, while bosses at the Cumbrian nuclear complex even proposed establishing a sperm bank or calling for "radiation volunteers" from among older workers in order to reduce levels of exposure for workers of child-bearing age.

It is important to note that Windscale/Sellafield was built in the late 1940s as a military facility for obtaining plutonium for the weapons program. It was a first generation recycling facility. Nuclear recycling didn't stop until July 2022. It is unclear from any of the articles I can find as to what upgrades the recycling had, beyond basic repairs, between the 1940s and 2022.

In other words, it's about as far from a civilian Gen4+ reactor built to modern safety standards for civilian use as you could possibly get and still be on the same planet. As such, it's not a useful data point other than as a demonstration of why nuclear safety standards have to be high and why nuclear has to be run sensibly rather than on the cheap.

Re:

[AmiMoJo]

The "recycling" mainly consisted of throwing nuclear waste into pools, some of which were uncovered. Occasionally scaring away the birds that would swoop in and pick up contaminated matter from the surface of the tanks was one of the jobs performed at the site.

It's basically a nuclear waste dump. Impossible to clean up, a problem nobody knows how to solve. Everyone is just trying to ignore it while the waste and storage facilities decay, until they become someone else's problem.

Re:"Most hazardous"?

[jd]

Workers there are advised not to have children, and fishing in that part of the Irish Sea has been banned ever since it was discovered that the fish have more plutonium than even universities are permitted to handle.

True, there may be plenty of areas that are more hazardous, but if you wander up and down the mud flats with a geiger counter, you'll find plenty of hotspots of plutonium, uranium, and americium.

Please bear in mind that Sellafield is not a typical nuclear site. It was a reprocessing plant that also had nuclear reactors, although these had been shut down after one had caught fire. Its primary function was the extraction and manufacture of plutonium usable by Britain's nuclear weapons program. It was a military site, not a civilian site, and the military took shortcuts.

It was earmarked for closure, if I remember rightly, because they couldn't seal the low level waste ponds properly. They kept discharging illegally into the Irish Sea.

Re:

[AmiMoJo]

The UK was scrambling to become a nuclear power after WW2. We had an agreement with the United States, where we would supply knowledge, scientists, and material, in exchange for sharing nuclear weapon research so we could build our own.

The US reneged on that deal, so we had to make our own from scratch. Windscale, as it was known before being renamed Sellafield, was built primarily to produce weapons grade material for bombs. There was a nasty fire that could have been a major nuclear disaster if not for th

Armageddon Avoidance 101

[Tablizer]

Dont! Hook! Nuke! Shit! To! The! Internet!

Re:Armageddon Avoidance 101

[jd]

It's not just any nuke shit, either. It's where Britain used to recycle nuclear waste and extract plutonium for Britain's nuclear weapons. They actually extracted so much plutonium that they had to illegally dump some. There's 200kg of it in the Irish Sea from Sellafield.

Windscale!

[TechyImmigrant]

A nuclear disaster so good they changed the name to Sellafield so we would forget.

Re:

[93 Escort Wagon]

At first glance I read "Seinfeld Nuclear Site" - which would've meant the reactor about nothing.

Re:

[AmiMoJo]

We got really lucky with Windscale. They were originally not going to fit filters to the chimneys, but one man insisted and those filters prevented the release of a huge amount of additional radioactive material when it caught fire.

Re:

[TechyImmigrant]

We got really lucky with Windscale. They were originally not going to fit filters to the chimneys, but one man insisted and those filters prevented the release of a huge amount of additional radioactive material when it caught fire.

Cockroft's Follies.

They're removing them now : https://www.world-nuclear-news... [world-nuclear-news.org]

Re:

[HiThere]

The first, obvious, rule is don't allow anything unmaintained to access hte internet.
The second, obvious, rule is don't put any command and control operations on the internet.
The third, obvious, rule is don't put anything that needs to be secure on the internet.

If they just followed those rules, most sites would be secure. Of course, rule 3 would prevent commercial exchanges. But there's no reason a nuclear site shouldn't follow it.

Why does a nuclear anything have net access?

[iAmWaySmarterThanYou]

Anything important should be on a private air gapped network.

This is normal common everyday practice at the DOE, for example, who are responsible for US nuclear weapons (and a bunch of other scary shit).

When I worked at $secretplace for a while, we had 2 computers. One for fucking around on public net to read news, email the family about stupid shit, etc, and our real work computer which was 100% air gapped, did not have WiFi, all usb and other data ports were removed or burned out by security IT before we

Wasn't me !

[Growlley]

I only wokred on the stores inventory system in Cobol!