Space Cybersecurity: The Attack Surface Above Us
Satellites underpin global infrastructure yet remain among the most exposed digital targets
Space systems are among the most critical and least defended digital infrastructure on Earth. Satellites underpin GPS navigation, financial transaction timing, weather forecasting, military communications, and Earth observation — yet most were designed with security as an afterthought, operate on decades-old firmware that cannot be patched remotely, and communicate over radio frequency links that are inherently exposed to interception, jamming, and spoofing. The attack surface spans three segments — ground, link, and space — each with distinct vulnerabilities. As the orbital population grows past 15,000 active satellites and commercial dependence deepens, the gap between threat sophistication and defensive capability is widening.
Why It Matters
On February 24, 2022, hours before Russian armour crossed into Ukraine, a cyberattack wiped tens of thousands of Viasat KA-SAT satellite modems across Europe. Wind turbines in Germany lost remote monitoring. Internet access went dark across multiple countries. The attack exploited a misconfigured VPN appliance in a ground station in Turin — not the satellite itself. It was a reminder that space systems fail terrestrially, and that the consequences cascade far beyond the intended target.
Viasat published a detailed incident overview confirming that attackers exploited a misconfigured VPN appliance to push destructive commands via the AcidRain wiper malware. SentinelOne independently identified AcidRain. Nearly 20 nations formally attributed the attack to Russia. See Viasat's KA-SAT incident report and SentinelOne's AcidRain analysis.
Three Segments, Three Attack Surfaces
Every satellite system is a distributed architecture with three segments, and each segment presents a distinct class of vulnerability.
The ground segment encompasses everything on Earth: mission control centres, ground stations, telemetry tracking and command (TT&C) facilities, user terminals, data processing pipelines, and the terrestrial networks connecting them. This is where most attacks happen. Ground infrastructure runs conventional IT — servers, VPNs, databases, operating systems — and inherits every vulnerability of conventional IT. The Viasat attack never touched the KA-SAT satellite. The attackers breached a VPN appliance at a Eutelsat-managed ground facility in northern Italy, gained access to the modem management system, and pushed destructive commands to overwrite flash memory on tens of thousands of SurfBeam2 modems. The satellite faithfully relayed the commands. It had no way of knowing they were malicious.
The link segment is the radio frequency communication between ground and space. Satellite links are broadcast by nature — electromagnetic radiation propagating through open space, receivable by anyone with a sufficiently capable antenna pointed in the right direction. Uplinks (ground to satellite) carry commands and data. Downlinks (satellite to ground) carry telemetry, payload data, and user traffic. Crosslinks (satellite to satellite) carry inter-satellite routing in constellation architectures. Each of these links is vulnerable to interception, jamming, and spoofing, with the specific threat depending on the link type, frequency band, signal power, and whether the link is encrypted.
The space segment is the satellite itself: the bus (power, propulsion, thermal control, attitude determination), the payload (sensors, transponders, processors), and the onboard computer running the flight software. Satellites operate in a uniquely hostile environment for cybersecurity. Physical access for remediation is impossible. Computational resources are constrained. Radiation-hardened processors are generations behind their terrestrial equivalents. Firmware updates, where possible at all, must be transmitted over the link segment — which is itself an attack surface. And the operational lifespan of many satellites exceeds 15 years, meaning systems launched with the security posture of 2010 must survive the threat landscape of 2025.
The Viasat Attack: Anatomy of a Space Cyber Operation
The KA-SAT attack remains the most thoroughly documented cyberattack on a satellite system and is worth examining in detail because it illustrates how each segment interacts in a real-world attack chain.
The timeline began on the evening of February 23, 2022. Attackers — subsequently attributed by the US, EU, and Five Eyes nations to Russian military intelligence — targeted a VPN appliance used by Viasat administrators to access management servers at a Skylogic facility in Turin, Italy. Skylogic, a subsidiary of Eutelsat, operated the consumer-oriented partition of the KA-SAT network under a transition agreement following Viasat's acquisition of Euro Broadband Infrastructure.
The attackers exploited a misconfiguration in the VPN — not a zero-day, not a novel technique, but a configuration error in a Fortinet appliance of the kind that has appeared in CISA advisories for years. Once inside the management network, they had access to systems that could issue commands to the subscriber modems across the KA-SAT consumer partition.
The specific vulnerability exploited in the Viasat attack — on the TR-069 protocol used for remote modem management — had been publicly disclosed in Fortinet VPN appliances since 2019 (CVE-2018-13379 and related). Russian threat actors had used this same vulnerability class in multiple prior campaigns. The attack vector was known, documented, and patchable. See CISA's Known Exploited Vulnerabilities Catalog.
At approximately 03:02 UTC on February 24 — the same morning Russian forces crossed the Ukrainian border — the attack executed in two phases. First, compromised modems within Ukraine began generating focused denial-of-service traffic against KA-SAT infrastructure, degrading service for legitimate users. As Viasat and Skylogic worked to isolate the malicious modems, the second phase deployed: destructive commands were pushed through the management system to overwrite flash memory on modems across the network. The modems did not need to be individually targeted. The management system had legitimate authority to push firmware and configuration changes to the entire fleet.
The result was that between 40,000 and 45,000 modems were rendered inoperable. They dropped off the network and did not attempt to reconnect. SentinelLabs subsequently identified the wiper malware as AcidRain, which shared developmental characteristics with VPNFilter — a 2018 campaign previously attributed by the FBI to Russian military intelligence.
The satellite itself was never compromised. The attack was entirely ground-segment — a conventional network intrusion that happened to traverse a space-based relay. This is the pattern that dominates real-world space cyber incidents: the satellite is the medium, not the target. The vulnerability is in the IT infrastructure that controls and communicates with it.
Link-Layer Attacks: Jamming, Spoofing, and Interception
While ground-segment intrusions account for most documented incidents, link-layer attacks represent the most asymmetric threat in space cybersecurity. The physics of RF communication create inherent vulnerabilities that cannot be fully mitigated through software.
Jamming is the simplest and most common link-layer attack. An adversary transmits RF energy on the same frequency as the target link, degrading the signal-to-noise ratio below the threshold required for reliable communication. Uplink jamming — transmitting toward the satellite — requires relatively high power because the jammer must overcome the free-space path loss to the satellite's altitude. Downlink jamming — transmitting toward the ground receiver — is easier because the jammer can operate from close proximity to the target terminal and needs only to overwhelm the much weaker signal arriving from orbit. GPS jamming is widespread: documented incidents include Russia jamming GPS signals across large areas of Ukraine, the Baltic states, and the eastern Mediterranean. Commercial GPS jammers are available for under $50, and their use by truck drivers evading fleet tracking systems has caused interference with aviation and maritime navigation systems.
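To make the uplink/downlink asymmetry concrete, here is an added worked link-budget calculation (not part of the original article): it computes the carrier-to-interference ratio a receiver sees on each link when the same low-power ground source radiates on frequency. All EIRPs, antenna gains and distances are constructed round-number assumptions for a Ku-band GEO link, not figures from the article.

```python
import math


def fspl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss in dB (distance in km, frequency in MHz)."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def received_dbw(eirp_dbw: float, distance_km: float, freq_mhz: float,
                 rx_gain_dbi: float) -> float:
    """Power at the receiver: EIRP minus path loss plus antenna gain in the arrival direction."""
    return eirp_dbw - fspl_db(distance_km, freq_mhz) + rx_gain_dbi


def carrier_to_interference_db(carrier_dbw: float, interferer_dbw: float) -> float:
    """Positive: the wanted signal dominates. Negative: the receiver is swamped."""
    return carrier_dbw - interferer_dbw


# Constructed, round-number parameters for an illustrative Ku-band GEO link.
GEO_RANGE_KM = 36_000          # approximate range to a geostationary satellite
UPLINK_MHZ = 14_000            # ground -> satellite
DOWNLINK_MHZ = 12_000          # satellite -> ground
SAT_EIRP_DBW = 50              # satellite transmit EIRP toward the service area
SAT_RX_GAIN_DBI = 35           # satellite receive gain over its coverage footprint
GROUND_STATION_EIRP_DBW = 75   # large uplink dish at the gateway
TERMINAL_GAIN_DBI = 40         # user terminal gain on boresight, toward the satellite
TERMINAL_SIDELOBE_DBI = 0      # user terminal gain toward a source at ground level
SOURCE_EIRP_DBW = 10           # a 10 W on-frequency ground source (constructed)
SOURCE_RANGE_KM = 1            # distance from that source to the user terminal


def link_exposure() -> dict:
    """C/I on each link when the same 10 W ground source radiates on frequency."""
    # Downlink: the wanted signal crosses 36,000 km, the interferer only 1 km,
    # and even the terminal's sidelobe is enough for the interferer to dominate.
    down_c = received_dbw(SAT_EIRP_DBW, GEO_RANGE_KM, DOWNLINK_MHZ, TERMINAL_GAIN_DBI)
    down_i = received_dbw(SOURCE_EIRP_DBW, SOURCE_RANGE_KM, DOWNLINK_MHZ,
                          TERMINAL_SIDELOBE_DBI)
    # Uplink: wanted signal and interferer both cross 36,000 km to the satellite,
    # so the path loss cancels and only the EIRP difference (75 - 10 dB) remains.
    up_c = received_dbw(GROUND_STATION_EIRP_DBW, GEO_RANGE_KM, UPLINK_MHZ, SAT_RX_GAIN_DBI)
    up_i = received_dbw(SOURCE_EIRP_DBW, GEO_RANGE_KM, UPLINK_MHZ, SAT_RX_GAIN_DBI)
    return {
        "downlink_c_over_i_db": carrier_to_interference_db(down_c, down_i),
        "uplink_c_over_i_db": carrier_to_interference_db(up_c, up_i),
    }


if __name__ == "__main__":
    for link, margin in link_exposure().items():
        print(f"{link}: {margin:+.1f} dB")   # downlink about -11 dB, uplink +65 dB
```

The roughly 76 dB swing between the two results is the physics behind the paragraph above: a downlink terminal must defend against whatever is nearby, while the uplink is protected by distance alone.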
The nonprofit C4ADS documented over 9,800 GPS spoofing incidents near Russian territory between 2016 and 2019 alone, affecting commercial aviation and maritime navigation. Since 2022, GPS interference in the Baltic region has become near-continuous, with Finland, Estonia, Latvia, and Lithuania all reporting sustained disruption to civilian aviation. The European Union Aviation Safety Agency (EASA) maintains an active advisory on GNSS outages in the region.
Spoofing is jamming's more dangerous cousin. Rather than drowning out the legitimate signal, a spoofing attack transmits a counterfeit signal that mimics the structure of the real one, causing the receiver to lock onto false data. GPS spoofing can feed receivers false position, velocity, and timing information. In 2013, researchers at the University of Texas at Austin demonstrated GPS spoofing of a superyacht's navigation system, causing it to deviate from its intended course without triggering alarms. Since then, GPS spoofing has been documented in the Black Sea, the Persian Gulf, and over conflict zones, affecting both civilian aviation and maritime traffic. The implications for Earth observation are direct: if the timing or position data embedded in a satellite's telemetry is spoofed, the geolocation of every pixel in the resulting imagery is wrong — and the error may be undetectable without independent verification.
Todd Humphreys' team at UT Austin's Radionavigation Laboratory conducted this demonstration aboard the White Rose of Drachs, a 65-metre yacht in the Mediterranean. The spoofer cost approximately $2,000 to build. The ship's navigation system accepted the counterfeit signal without alarm. Humphreys subsequently testified before Congress on GPS vulnerability. The research is documented in "Statement on the Vulnerability of Civil Unmanned Aerial Vehicles and Other Systems to Civil GPS Spoofing" (2012).
Interception is passive and therefore the hardest to detect. Satellite downlinks, particularly in legacy systems using unencrypted or weakly encrypted transponders, can be received by anyone with the right equipment. Commercial satellite TV piracy is the most familiar example, but the same principle applies to data downlinks from Earth observation satellites, communication intercepts from SATCOM systems, and telemetry snooping on unencrypted TT&C channels. The shift toward encrypted downlinks is well underway in military and high-security systems, but a significant proportion of commercial and scientific satellite communications remain unencrypted or use deprecated cryptographic standards.
A 2024 study by Ruben Santamarta (IOActive) analysing commercial satellite modem firmware found 16 vulnerabilities across nine devices from major manufacturers. These included insecure legacy protocols, unencrypted firmware update paths, exposed web interfaces, and physical debug ports. In several cases, encryption was available but disabled by default. The research was presented at Black Hat 2024.
On-Orbit Vulnerabilities
Attacks on the satellite itself — the space segment — are the least common but the most difficult to remediate. Once a satellite is compromised in orbit, the options are constrained by the same physics that made it hard to attack in the first place: limited bandwidth, intermittent contact windows, constrained processing power, and no possibility of physical intervention.
Firmware and flight software. Most satellite flight software runs on radiation-hardened processors that are several architectural generations behind terrestrial hardware. The RAD750, still widely used, is a single-core processor running at 200 MHz. Software is typically written in C or Ada, loaded before launch, and updated infrequently if at all. When updates are possible, they are transmitted via the command uplink — meaning the update mechanism is itself traversing an attackable link. If an adversary can inject commands on the uplink, they can potentially push malicious firmware. This is not theoretical: the classified CIA assessment leaked in 2023 indicated that China was developing capabilities to seize control of satellites by targeting their command channels.
The RAD750, manufactured by BAE Systems, costs approximately $200,000 per unit. It powers the Mars rovers Curiosity and Perseverance, the James Webb Space Telescope, and dozens of military and intelligence satellites. Its architectural ancestor is the PowerPC 750 from 1997. The newer RAD5545, based on a quad-core PowerPC e5500, runs at 466 MHz — still decades behind consumer hardware. Radiation hardening imposes a generational penalty that no amount of engineering budget can fully close.
Supply chain. The growing use of commercial off-the-shelf (COTS) components in satellite manufacturing — driven by cost pressure and the NewSpace industry's iteration speed — introduces the same supply chain risks that affect terrestrial systems. A compromised COTS component incorporated into a satellite bus or payload before launch is a vulnerability that cannot be patched from the ground. The shift to software-defined satellites, which allow mission parameters to be reconfigured in orbit, expands the attack surface further: the flexibility that makes a satellite adaptable also makes it reprogrammable by an adversary with sufficient access.
Side channels and physical effects. Satellites operate in an environment where certain physical attacks are possible that have no terrestrial equivalent. High-powered ground-based lasers can potentially blind or degrade optical sensors. Directed RF energy can induce faults in electronic systems. And the orbital environment itself — debris, radiation events, thermal cycling — creates failure modes that can mask or be masked by cyber intrusion. Distinguishing a cyberattack from a radiation-induced single-event upset is a non-trivial forensics problem when your target is moving at 7.8 kilometres per second and your diagnostic bandwidth is measured in kilobits.
Hack-A-Sat: When the Pentagon Invited the Hackers
The US Air Force's recognition that space cybersecurity required outside expertise led to one of the more unusual government programs in recent memory.
Hack-A-Sat, launched in 2020 as a collaboration between the Air Force Research Laboratory and Space Systems Command, is a capture-the-flag competition that tasks hacking teams with penetrating satellite systems. The early iterations used ground-based simulators and digital twins. In 2023, at DEF CON 31 in Las Vegas, the organisers made good on their founding promise: they launched Moonlighter, a purpose-built CubeSat, into low Earth orbit and invited five finalist teams — selected from over 700 competing in qualifications — to hack it live.
Three of the five teams successfully took control of Moonlighter during the competition, which required them to exploit the satellite's systems during intermittent contact windows as it orbited overhead. The winning team, mHACKeroni — a conglomeration of five Italian cyber research groups — navigated challenges including bypassing imaging restrictions and forcing the satellite to photograph ground targets of their choosing.
Second place went to Poland Can Into Space (Polish researchers plus members from Ireland and Germany), and third to jmp fs:[rcx] (a combined US/UK team including Raytheon CODEX engineers and members of PFS, the inaugural Hack-A-Sat winners). The prize pool was $100,000 ($50K / $30K / $20K).
The existence of Hack-A-Sat is itself an indicator of the state of the field. The US military does not invest in multi-year programs to invite foreign nationals to hack its satellite architectures unless it has concluded that the vulnerability landscape is severe enough to warrant the exposure. When the organisers first approached satellite operators in 2020 about staging the contest on operational hardware, the response was uniformly negative. They had to build and launch their own satellite because no operator would risk the demonstration on a production asset.
The Regulatory Landscape
Space cybersecurity regulation is fragmented and evolving.
In the United States, the Department of Defense's Cybersecurity Risk Management Construct (CRMC) replaced the older Risk Management Framework (RMF) for military space programmes, but industry executives have publicly noted its limitations. Compliance with CRMC does not guarantee security — it guarantees compliance. The distinction matters.
The European Union incorporated space as critical infrastructure in the NIS2 directive, adopted in November 2022 — the first time space systems were explicitly classified as critical infrastructure under EU cyber legislation. Implementation across member states is ongoing, and the gap between directive and enforceable regulation remains wide.
NIST has published guidance relevant to space systems, including draft frameworks for satellite cybersecurity, but these remain advisory rather than mandatory for commercial operators.
The Space Information Sharing and Analysis Center (Space ISAC), modelled on similar ISACs in the financial and energy sectors, was established to facilitate threat intelligence sharing across the space industry. It reported a 118% increase in publicly reported space-related cyber incidents in the first eight months of 2025 compared to 2024, with the caveat that public reporting captures only a fraction of actual incidents.
The Space ISAC's count of roughly 117 publicly reported incidents through August 2025 represents only the visible surface. The CSIS 2025 Space Threat Assessment noted that many incidents are disclosed only by the attackers themselves — via screenshots or data dumps — with no confirmation from victims. Some claims may be exaggerated or fabricated for propaganda value. The true incident count is almost certainly higher, and the reliability of public reporting is itself a data quality problem.
The fundamental challenge is jurisdictional. Satellites are launched by entities in one country, operated from ground stations in another, serve customers in dozens more, and orbit through no sovereign territory. The attacker, the target, the victim, and the regulatory authority may all be in different jurisdictions. International consensus on space cybersecurity norms is at an early stage, and the pace of threat evolution is not waiting for treaties.
The Salt Typhoon Expansion
The Viasat attack demonstrated what a state-sponsored cyber operation against satellite infrastructure looks like during wartime. The Salt Typhoon campaign demonstrated that it happens during peacetime too.
Salt Typhoon, attributed to Chinese state-sponsored hackers, initially targeted US telecommunications providers — Verizon, AT&T, T-Mobile — compromising core network components in a campaign focused on intelligence collection. By mid-2025, the campaign had expanded into the satellite communications sector. Viasat confirmed in late 2025 that it had experienced unauthorised access linked to the campaign, though it reported no evidence of customer impact.
The expansion of Salt Typhoon from terrestrial telecommunications to satellite communications illustrates a structural reality: satellite ground segments are increasingly interconnected with, and dependent on, terrestrial telecom infrastructure. The boundaries between the two are porous. An attacker with persistent access to a major telecom provider's core network may discover paths into satellite communication systems that share interconnection points, peering arrangements, or management infrastructure.
This convergence means that space cybersecurity cannot be treated as a domain unto itself. The ground segment is terrestrial infrastructure, and it inherits the full threat landscape of terrestrial networks — including APT campaigns that did not initially target space systems at all.
What Defence Looks Like
The space cybersecurity community has converged on several principles, though implementation varies widely.
Zero trust architecture applied to space systems means that no component — ground terminal, satellite bus, payload processor, user equipment — is implicitly trusted. Every communication is authenticated. Every command is verified. Access is granted on the principle of least privilege. This is straightforward to state and extremely difficult to retrofit onto systems designed in an era when the space-ground link was considered inherently secure because the equipment to intercept it was expensive and rare.
Secure boot chains ensure that every stage of a satellite's boot process verifies the integrity of the next stage before executing it. If an attacker manages to modify flight software, a secure boot chain will detect the modification and either refuse to execute the compromised code or revert to a known-good state. This requires hardware root of trust — a cryptographic key embedded in silicon that cannot be modified after manufacture.
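An added illustration of the boot-chain idea described above (example code, not from the article or any flight software): each stage carries the digest of the next, the digest of the first stage stands in for the value burned into silicon, and verification falls back to a golden copy when a stage has been altered. The stage names and images are constructed, and a plain SHA-256 hash chain is used as a simplifying stand-in for the signature verification a real root of trust performs.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes         # the stage's executable image (constructed stand-in bytes)
    next_digest: bytes  # SHA-256 the following stage must measure to; b"" for the last


def measure(stage: Stage) -> bytes:
    # The measurement covers the code and the embedded next-stage digest, so the
    # pointer to the next stage cannot be swapped without changing this stage's value.
    return hashlib.sha256(stage.code + stage.next_digest).digest()


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Link stages back to front. Returns (root digest, stages); the root digest is
    the value that would be burned into immutable silicon at manufacture."""
    stages: List[Stage] = []
    next_digest = b""
    for name, code in reversed(images):
        stage = Stage(name, code, next_digest)
        next_digest = measure(stage)
        stages.insert(0, stage)
    return next_digest, stages


def verify_chain(root_digest: bytes, stages: List[Stage]) -> Optional[str]:
    """Name of the first stage whose measurement does not match what its
    predecessor (or the root of trust) vouches for; None if the chain is intact."""
    expected = root_digest
    for stage in stages:
        if not hmac.compare_digest(measure(stage), expected):
            return stage.name
        expected = stage.next_digest
    return None


def boot(root_digest: bytes, primary: List[Stage], golden: List[Stage]) -> str:
    """Run the primary chain if it verifies, otherwise revert to the golden copy."""
    bad = verify_chain(root_digest, primary)
    if bad is None:
        return "booted primary"
    if verify_chain(root_digest, golden) is None:
        return f"primary failed at {bad}; booted golden image"
    return f"primary failed at {bad}; golden image also failed; halting"


# Constructed stand-in images for a three-stage chain.
IMAGES = [
    ("bootloader", b"bootloader v1.4 (constructed stand-in image)"),
    ("flight_software", b"flight software v7.2 (constructed stand-in image)"),
    ("payload_app", b"imager control v3.0 (constructed stand-in image)"),
]
ROOT_DIGEST, PRIMARY = build_chain(IMAGES)  # ROOT_DIGEST models the fused silicon value
GOLDEN = list(PRIMARY)                      # known-good copy held in separate storage


def tamper_flight_software(stages: List[Stage]) -> List[Stage]:
    """Model an uplinked change to stage 2 alone; the silicon root is out of reach."""
    modified = replace(stages[1], code=stages[1].code + b" + injected hook")
    return [stages[0], modified, stages[2]]


def tamper_and_relink(stages: List[Stage]) -> List[Stage]:
    """The change plus a rewritten bootloader pointer to cover it: the bootloader's
    own measurement then no longer matches the root, so detection moves to stage 1."""
    modified = replace(stages[1], code=stages[1].code + b" + injected hook")
    relinked = replace(stages[0], next_digest=measure(modified))
    return [relinked, modified, stages[2]]
```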
Cryptographic link protection addresses the inherent exposure of RF communications. Encrypted uplinks prevent command injection. Encrypted downlinks prevent interception. Authenticated commands prevent spoofing. The challenge is key management: distributing, rotating, and revoking cryptographic keys for satellites that may operate for decades with intermittent ground contact.
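As an added example of authenticated commanding and key revocation (constructed here, not the article's or any operator's code): each telecommand carries a spacecraft ID, key ID and sequence counter under an HMAC, and the receiver rejects forged, tampered, replayed and revoked-key frames. The frame layout, key table, spacecraft ID and anti-replay window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

HEADER = struct.Struct(">HBI")   # spacecraft ID, key ID, sequence counter (constructed layout)
MAC_LEN = 32                     # full HMAC-SHA256 tag
SPACECRAFT_ID = 0x2A             # constructed

# Constructed keys: real ones are provisioned before launch and rotated by a
# dedicated key-management process, not derived from strings like these.
KEY_TABLE: Dict[int, bytes] = {
    1: hashlib.sha256(b"constructed command key 1").digest(),
    2: hashlib.sha256(b"constructed command key 2").digest(),
}


def build_command(spacecraft_id: int, key_id: int, seq: int, payload: bytes,
                  key: bytes) -> bytes:
    """Ground side: header + payload, then an HMAC over both so neither can be altered."""
    body = HEADER.pack(spacecraft_id, key_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandReceiver:
    """Satellite side: authenticate, then enforce a strictly increasing counter."""

    def __init__(self, spacecraft_id: int, keys: Dict[int, bytes], window: int = 64):
        self.spacecraft_id = spacecraft_id
        self.keys = dict(keys)     # key ID -> key; revoked keys are removed
        self.last_seq = -1         # highest counter accepted so far
        self.window = window       # how far ahead a counter may jump (lost frames)

    def revoke(self, key_id: int) -> None:
        self.keys.pop(key_id, None)

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if len(frame) < HEADER.size + MAC_LEN:
            return False, "truncated"
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        sc_id, key_id, seq = HEADER.unpack(body[:HEADER.size])
        if sc_id != self.spacecraft_id:
            return False, "wrong spacecraft"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown or revoked key"
        # Authenticate before trusting anything else in the frame, including the counter.
        if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
            return False, "bad MAC"
        if seq <= self.last_seq:
            return False, "replayed or stale counter"
        if seq > self.last_seq + self.window:
            return False, "counter jump outside window"
        self.last_seq = seq
        return True, "accepted"


def demo_exchange() -> List[str]:
    """Push a constructed sequence of frames through one receiver; return the verdicts."""
    rx = CommandReceiver(SPACECRAFT_ID, KEY_TABLE)
    k1, k2 = KEY_TABLE[1], KEY_TABLE[2]
    genuine = build_command(SPACECRAFT_ID, 1, 0, b"MODE=SAFE", k1)
    forged = build_command(SPACECRAFT_ID, 1, 1, b"MODE=SAFE", b"guessed key")
    tampered = bytearray(build_command(SPACECRAFT_ID, 1, 1, b"MODE=SAFE", k1))
    tampered[HEADER.size] ^= 0x01   # flip one payload bit after the MAC was computed
    verdicts = [rx.accept(genuine)[1],          # accepted
                rx.accept(genuine)[1],          # same counter again: replay
                rx.accept(forged)[1],           # wrong key: bad MAC
                rx.accept(bytes(tampered))[1]]  # altered payload: bad MAC
    rx.revoke(1)                                # key 1 compromised or rotated out
    verdicts.append(rx.accept(build_command(SPACECRAFT_ID, 1, 1, b"PING", k1))[1])
    verdicts.append(rx.accept(build_command(SPACECRAFT_ID, 2, 1, b"PING", k2))[1])
    return verdicts
```

Confidentiality (encrypting the payload) is deliberately left out so that the authentication, replay and revocation checks stay visible; a deployed link would layer encryption under the same counter and key-ID scheme.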
Resilience and redundancy acknowledge that prevention will eventually fail. Deloitte launched its Deloitte-1 satellite in March 2025 partly to test its Silent Shield cyber defence system — a technology designed not just to prevent intrusion but to maintain operations through an active attack. The premise is that a satellite must be able to detect compromise, isolate affected subsystems, and continue mission-critical functions even while under assault. This is the "fight through" capability that industry executives have emphasised: building systems that degrade gracefully rather than fail catastrophically.
Threat intelligence sharing through organisations like the Space ISAC addresses the collective action problem. Individual operators see only attacks against their own systems. Shared intelligence reveals patterns, campaigns, and threat actor behaviours that no single operator could identify alone.
The Asymmetry
The fundamental problem in space cybersecurity is asymmetric, and the asymmetry favours the attacker.
A satellite costs hundreds of millions of dollars to build and launch. A ground station represents years of infrastructure investment. The communications link is constrained by physics, power budgets, and orbital mechanics. Defending all of it requires securing every component across all three segments simultaneously.
An attacker needs one way in.
A misconfigured VPN appliance. An unpatched Fortinet instance. A COTS component with a known vulnerability that shipped before a CVE was published. A phishing email to a ground station operator. A $50 GPS jammer. The attack surface is vast, the defensive resources are finite, and the consequences of failure cascade through critical infrastructure that billions of people depend on without knowing it.
The ASCEND conference survey placing cybersecurity fifth among priorities for spacepower advantage through 2032 is both an acknowledgment of this reality and a measure of how far the field has yet to go. Every capability ranked above it — space domain awareness, heavy launch, communication, Earth observation — depends on the integrity of the digital systems that operate, control, and deliver them. Cybersecurity is not a peer of those capabilities. It is their foundation.