Cybersecurity of Satellite Systems
Lessons from 2022–2025
Satellite infrastructure has become a key target of cyberwarfare. Between 2022 and 2025, dozens of confirmed cyber incidents have demonstrated the growing vulnerability of both commercial and government space assets. These include ransomware attacks on satellite operators, targeted data theft from space contractors, and the emergence of malware specifically designed to compromise satellite terminals. This article summarizes the best-documented cases, analyzes the attack vectors, and outlines recommendations for operators, integrators, and government bodies.
The full-scale war in Ukraine has become the most intense real-world testing ground for satellite communications under fire. Operators like Starlink, OneWeb, SES, and others face constant interference by Russian forces, including jamming, spoofing, attempted intrusions into ground segments, and reconnaissance of satellite terminal operations. Many of these incidents remain undisclosed for security reasons, but the available data paints a clear picture: satellite systems are now in the crosshairs of hybrid warfare.
Documented Incidents (2022–2025)
2022
Viasat KA-SAT (EU): On February 24, 2022, the KA-SAT satellite service was disrupted through a breach in a VPN appliance. Tens of thousands of terminals went offline across Europe, including wind turbines in Germany. This is considered the first large-scale cyberattack directly impacting a satellite-based service during a military conflict.
2023
ORBCOMM (USA): A ransomware attack disabled satellite IoT platforms used in logistics and fleet management. Customers lost access to vehicle tracking and telemetry services.
Dish Network (USA): Ransomware took down websites and internal systems and exposed the personal data of 300,000 customers. Recovery took weeks, disrupting customer service and satellite television access.
APT33 (Iran → US/EU): An Iranian APT group targeted aerospace and satellite-sector companies with password spraying, phishing, and account harvesting. Targets included R&D departments and backend operations.
STL malware (Ukraine): Ukraine’s SBU exposed custom malware designed to extract telemetry from Starlink terminals via gRPC interfaces and known IPs. This marked the first confirmed case of purpose-built malware for Starlink hardware.
2024
Maxar Space Systems (USA): A cyberattack leaked employee data, including internal HR and scheduling details, raising concerns about supply chain exposure and industrial espionage.
JAXA (Japan): Japan’s space agency suffered a months-long breach. While no classified satellite data was reportedly accessed, the incident highlighted persistent threats to national space agencies.
Planet Center (Russia): Ukrainian hackers erased over 2 petabytes of data and 280 servers at Russia’s federal satellite imagery center, affecting meteorological and remote-sensing capabilities.
Iranian campaigns (Iran → West): Continued phishing attacks aimed at support teams and satellite operators via spoofed emails and malicious attachments posing as system tickets or requests.
2025
Qilin breach (USA): A cybercrime group accessed internal documents of a defense-sector satellite service provider. Data included architectural diagrams, client lists, and support logs.
Secure World Foundation report: Over 10,000 space-related cyber incidents were recorded globally in 2025, ranging from signal jamming and spoofing to attempted system intrusions — a dramatic increase from previous years.
Tupolev breach (Russia): Ukrainian intelligence exfiltrated 4.4 GB of internal documents related to Russia’s strategic aviation systems, including data on satellite communication channels for Tu-95 and Tu-160 aircraft.
Ongoing and Structural Threats
Signal jamming, GNSS spoofing, and SDR-based uplink attacks are now permanent features of modern battlefields. In Ukraine, spoofed GPS signals and uplink denial techniques are used daily to disrupt satellite internet or navigation near the front lines.
There is also growing evidence of attacks on satellite support infrastructure, including attempts to infiltrate repair centers, impersonate technical support, access CRM systems, or compromise the firmware update supply chain. Attackers target logistics nodes, not just the satellites themselves.
Types of Threats
Ransomware targeting satellite providers
Breaches in ground control infrastructure
GNSS spoofing and signal jamming
SDR-based uplink attacks
Exploitation of unsecured APIs and ports on terminals
Targeted malware against satellite modems (e.g., STL)
Logistics, CRM, and support infrastructure compromise
Attack Vectors
Misconfigured VPNs and unfiltered remote access
Open gRPC or local diagnostic interfaces
Unauthenticated firmware or software update channels
Compromised CI/CD pipelines or build environments
Internal support systems with shared credentials
Supply chain manipulation via logistics or field support
Recommendations
Encrypt all TTC (Telemetry, Tracking & Command) and user data channels
Enforce secure boot and hardware-level trust anchors (Root-of-Trust)
Disable or strictly authenticate all local debugging interfaces (e.g., gRPC)
Sign and validate all firmware updates, including out-of-band control
Segregate support environments and limit access by region and role
Monitor satellite infrastructure through SOCs specialized in space cyber
Share IOC databases between satellite operators and national CERTs
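Added example (not code from any operator or vendor named in this article) for the "sign and validate all firmware updates" recommendation: a terminal-side check that accepts an image only when a signed manifest verifies, the image matches the signed hash, and the version is newer than the installed one. The Manifest layout, the function names, the choice of Ed25519 and the anti-rollback check are assumptions that go beyond the text; the key pair and image are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the vendor signs its encoding.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// encode returns the signed bytes: big-endian version followed by the image hash.
func (m Manifest) encode() []byte {
	v := m.Version
	return append([]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}, m.ImageHash[:]...)
}

// VerifyUpdate accepts an image only if the manifest signature is valid,
// the image matches the signed hash, and the version is not a rollback.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return fmt.Errorf("image does not match signed hash")
	}
	if m.Version <= installed {
		return fmt.Errorf("version not newer than installed")
	}
	return nil
}

// Demo runs four constructed update attempts against a freshly generated key.
func Demo() [4]error {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	image := []byte("constructed firmware image v7")
	m := Manifest{Version: 7, ImageHash: sha256.Sum256(image)}
	sig := ed25519.Sign(priv, m.encode())
	return [4]error{
		VerifyUpdate(pub, m, sig, image, 6),                                           // genuine update
		VerifyUpdate(pub, m, sig, []byte("tampered image"), 6),                        // image swapped in transit
		VerifyUpdate(pub, Manifest{Version: 9, ImageHash: m.ImageHash}, sig, image, 6), // manifest edited, not re-signed
		VerifyUpdate(pub, m, sig, image, 7),                                           // replay of an already installed version
	}
}

func main() { fmt.Println(Demo()) }
```

The signature is checked first so that no unauthenticated field, including the version number, influences any later decision.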
Strategic Insight
Cyber conflict has officially moved into orbit. The 2022 Viasat attack was a starting point, but the progression since then reveals a sharp evolution in adversary capabilities. Attacks are no longer confined to ground stations or emails — they now target payloads, terminals, and the operational layers of space infrastructure.
Ukraine has proven to be a strategic battleground for space-based cybersecurity. The tools, malware, and tactics deployed there are likely to appear in other conflicts — or in commercial espionage — if operators do not adapt. The lessons learned on this front line should inform every space enterprise’s threat model.


