THE SIGN BY CYSAT

Go back

The Next APT Attack May Not Target a Bank - It May Target an Orbit

Cyber threats are no longer confined to Earth's atmosphere. As satellites keep entire nations connected, navigated, and defended, the same vulnerabilities that have spent years tearing through corporate networks are now climbing into orbit. Viasat, GPS spoofing over the Baltic Sea, the first-ever hack of a real satellite at DEF CON, Sandworm and Gamaredon's attacks on the Ukrainian military - none of this is a future scenario anymore; it's the record of the last four years. On how space became the new front line of cyber warfare and why the next large-scale attack might not start with a phishing email but with a satellite ground control station - read on below.

A few years ago, space cybersecurity was still a niche subject, something engineers at space agencies discussed behind closed doors. Today it is a standing line item in global threat reports. Satellites are no longer exotic - they underpin GPS navigation, financial transaction synchronization, aviation, maritime logistics, military communications, weather forecasting, and the operation of critical infrastructure. Attackers used to target servers. Increasingly, their target is the entire space ecosystem - and the last three years have shown that this ecosystem is far more fragile than the industry liked to assume.

The best-known example is the attack on the Viasat satellite network in February 2022. But as it turned out, that was only the first, most visible chapter of a much longer story. It was followed by GPS spoofing experiments over the Baltic Sea, the world's first capture-the-flag competition run on a live satellite in orbit, and a string of incidents that made 2023, 2024, and 2025 each its own case study - proving that what needs defending isn't the satellite, but the whole infrastructure that keeps it working.

Space is no longer isolated

When most people hear the word "satellite," they picture an expensive spacecraft moving alone through orbit. In reality, a satellite is only the visible tip of a far more complex system - and underestimating that scale is the industry's central vulnerability.

Any modern space mission consists of mission control centers, telemetry-processing servers, ground antennas, TT&C (Telemetry, Tracking & Command) links, cloud infrastructure, APIs, CI/CD pipelines for automated software deployment, contractor corporate networks, and ordinary engineer workstations with the same passwords, VPN clients, and phishing emails in their inbox as any office worker. It's precisely these mundane elements that become the entry point for attacks.

A modern satellite today effectively resembles a distributed IT infrastructure, one piece of which happens to sit 500 to 36,000 km above the Earth. If even one link in that chain is compromised - a ground station, an operator's account, or a third-party firmware vendor - the entire mission can be at risk.

That's why specialists increasingly talk not about protecting a single satellite, but about protecting the entire space ecosystem - from corporate email to the onboard flight computer.

The lesson of Viasat - anatomy of a ground-segment attack (2022)

The attack on Viasat on February 24, 2022 - the same morning russia's full-scale invasion began - became the textbook example of how APT groups think today. The attackers didn't try to "hack a satellite." They took the cheapest and most effective route: through the ground-based management infrastructure.

According to the technical reconstruction published by SentinelOne's research team, the attack unfolded in two sequential stages. First, the attackers exploited a misconfigured VPN appliance and gained access to the trusted management segment of the KA-SAT network. From there, they moved laterally to the network segment responsible for operations and administration, and used that access to issue legitimate management commands simultaneously to tens of thousands of subscriber modems - the very same mechanism an operator would normally use to push a routine firmware update.

Instead of an update, the modems received a wiper that researchers named AcidRain. It's an ELF binary compiled for the MIPS architecture, typical of embedded devices like modems and routers. Running with root privileges, AcidRain recursively walked the filesystem, and for final data destruction, it relied on a series of ioctl calls - MEMGETINFO, MEMUNLOCK, MEMERASE, MEMWRITEOOB - which addressed the device's flash memory directly through the MTD (Memory Technology Device) interface. Once the wipe completed, the modem rebooted - and never came back up: the bootloader and configuration data had been physically overwritten, leaving factory reset or full manual reflashing as the only options.

The fallout reached far beyond a single connectivity provider. Tens of thousands of users across France, Germany, Hungary, Greece, Italy, and Poland lost service. In Germany, 5,800 Enercon wind turbines went "blind" for several days - operators lost the ability to remotely monitor and control them, even though the turbines themselves kept turning. And critically, in the context of the war, the attack knocked out communication channels used by Ukrainian military command during the first, most critical hours of the invasion.

Researchers at MITRE ATT&CK and Ukraine's CERT-UA subsequently linked AcidRain to Sandworm - a unit of russia's GRU also known for the NotPetya and BlackEnergy attacks. And in March 2024, SentinelOne discovered AcidRain's successor: AcidPour, compiled for x86 and expanded to destroy not just modem firmware but also RAID arrays and UBI (Unsorted Block Image)/Device Mapper logical volumes - meaning it targets a much broader class of enterprise storage systems. This confirmed what many had feared: AcidRain was not a one-off experiment but a prototype the operators kept refining.

The lesson from Viasat is simple and unsettling precisely because of that simplicity: paralyzing a continent's satellite network requires no knowledge of orbital mechanics. It requires one misconfigured VPN appliance.

The Baltic as a testing ground - when electronic warfare becomes routine (2023 - 2024)

If Viasat showed what compromising the ground segment can do to a satellite network, the Baltic Sea has spent 2023 and 2024 demonstrating a different front of the same war - a direct attack on the GNSS signal itself, with no network intrusion at all.

This means large-scale jamming and spoofing of GPS, GLONASS, and Galileo signals, recorded over the region almost daily since the start of the full-scale invasion. Based on public ADS-B (Automatic Dependent Surveillance-Broadcast) data from commercial aircraft, researchers logged over 46,000 potential GPS disruption events over the Baltic between August 2023 and March 2024 alone. Teams at Stanford University and the University of Texas have consistently traced the sources of this interference to the Kaliningrad region - and, in a handful of much stranger cases, to the area around Smolensk.

What's technically more interesting than plain jamming is spoofing - where a receiver on an aircraft or ship doesn't lose the signal but instead accepts a forged one that appears entirely legitimate. Researchers from the University of Colorado Boulder and Gdynia Maritime University documented cases where aircraft flying near smolensk were made to "loop" in a suspiciously precise circle around a decommissioned military airbase - so-called circular spoofing, a more sophisticated attack designed to fool even cross-checking systems that use multiple positioning sources. In another documented case, on December 25, 2023, a Pobeda Airlines flight crossing the southern Black Sea vanished from ADS-B tracking for nearly two hours; when the signal returned, the receiver was reporting coordinates at Simferopol airport in Crimea - aligned, with striking precision, along the runway.

The consequences have long since moved past statistics. Tartu Airport in Estonia, which relied exclusively on a GPS-dependent landing system, forced Finnair to suspend flights there from April through May 2024. The US Federal Aviation Administration (FAA) issued an official safety alert in 2024 instructing pilots to be prepared to fly without GPS. In response to the persistent interference, NATO launched "Baltic Sentry," a patrol operation with increased air and maritime presence in the region, while research consortia such as the EU-funded ORMOBASS project began rolling out an alternative positioning system, R-Mode Baltic - essentially reviving land-based radio beacons instead of a satellite signal that has proven too easy to spoof.

The Baltic case matters because it shows that disrupting critical navigation infrastructure requires no malware and no network intrusion at all. A radio-frequency transmitter with a few watts of power, sitting on sovereign territory, is enough to force an entire region's commercial aviation sector to rewrite its flight protocols.

When a CTF competition goes to orbit (2023) - Moonlighter

In the summer of 2023, something the space industry had been waiting years for finally happened: for the first time, hackers were legally allowed to attack a real satellite on a real orbit - not on orders from an intelligence agency, but at a hacker conference.

This was Hack-A-Sat 4, the fourth iteration of a competition the US Space Force, the Air Force Research Laboratory (AFRL), and The Aerospace Corporation have run since 2020. For this edition, a dedicated 3U CubeSat named Moonlighter was purpose-built and launched into orbit -  a spacecraft roughly the size of a stack of books (34×11×11 cm stowed), flying a circular orbit at 465–500 km altitude, inclined 51.6°. Onboard was a separate "cyber payload" - a payload computer isolated by a programmable firewall that behaved like a full flight computer but existed specifically so competing teams could attack it without risking the mission.

Five finalist teams, selected from over 700 qualifying entrants, competed on challenges that essentially had to be invented from scratch, since no traditional CTF has "orbital mechanics" challenges. One task involved tricking Moonlighter - which has no propulsion system - into reporting that it was over the North Pole, which required injecting spoofed data directly into its GPS receiver. Other challenges required establishing a data link with the onboard sandbox, bypassing restrictions on photographing certain regions of Earth, and downlinking the photo to a ground station within a narrow line-of-sight window.

The Italian team mHACKeroni won, but the point of the project was never really the $100,000 prize pool. It was to show aerospace engineers that secure-by-design - security baked into the architecture at the design stage rather than patched on afterward - needs to become the industry norm, the way it long ago became the norm for ordinary software. Tellingly, program organizers openly said Moonlighter was built as a direct answer to the lesson of Viasat: to understand the logic of attacks on orbital systems before that logic gets tested for real in an actual conflict, rather than on a stage at DEF CON.

A new field of cyber confrontation (Starlink)

russia's full-scale war in Ukraine delivered another important lesson: satellite communications became not just a communication tool but a full-fledged piece of military infrastructure, one that is now the subject of continuous electronic warfare (EW) contestation.

Starlink turned into a permanent object of this confrontation. russia has experimented with jamming the signal, tried to triangulate terminal locations, and adapted existing EW systems to the new target. In response, SpaceX demonstrated a quality the traditional space industry had never previously needed to develop - the ability to update the network in near-real time, reacting to new pressure vectors within days rather than the months or years that were standard in the pre-war space industry.

This fundamentally changes the rules of the game for both sides. Where the onboard software update cycle used to take years, given certification complexity and the physical impossibility of "rolling back" a bad patch in orbit, now certain elements of space infrastructure get updated almost like mobile apps. Response speed has become as much a weapon as the attack vector itself.

When the same actors come back for the satellite segment (2025)

If 2022-2024 were about proving the concept - showing that ground infrastructure, GNSS signals, and orbital systems are all viable attack surfaces - 2025 was the year that proof turned into a documented trend line.

According to the Space Information Sharing and Analysis Center (Space ISAC), publicly reported space-related cyber incidents surged 118% in the first eight months of 2025 compared to the same period in 2024, with roughly 117 incidents logged between January and August alone - numbers the ISAC itself says almost certainly understate the real volume, since most incidents never get publicly disclosed.

The most striking 2025 case is Salt Typhoon, a Chinese state-sponsored campaign that had spent the prior few years breaching core network components at US telecom carriers including Verizon, AT&T and T-Mobile. By mid-2025, the same campaign expanded into the satellite communications sector - and one of the providers targeted was, again, Viasat. Viasat said the unauthorized access didn't affect its services and that customer data wasn't breached, but the incident demonstrated something the industry had been slow to internalize: the same actors and the same techniques used against terrestrial telecom infrastructure are now being pointed, deliberately, at satellite operators, precisely because SATCOM has become just another node on the same critical-communications graph.

The industry's response also became concrete in 2025. In March 2025, Deloitte launched Deloitte-1 on a SpaceX Falcon 9, a satellite built specifically to test an on-orbit cyber-defense payload called Silent Shield - one of the first commercial attempts to put intrusion detection directly onboard a spacecraft rather than relying solely on ground-based telemetry analysis. The next eight satellites in the program, planned in clusters through 2026, are meant to demonstrate what happens when a cyberattack hits one satellite in a network and then attempts to move laterally to others via inter-satellite links - effectively simulating, deliberately and in a controlled setting, the same kind of lateral movement that made the Viasat and Salt Typhoon incidents possible on the ground.

A few words on 2026 - regulation catches up

By late 2025 and into 2026, governments started translating three years of incidents into binding requirements rather than voluntary guidance. The Pentagon's Committee on National Security Systems (CNSS) updated its cybersecurity policy for national security space systems, now requiring satellites used by US intelligence and military programs to carry real-time onboard intrusion detection and prevention capability - a direct response to what officials describe as a persistent "detection gap," since traditional telemetry-based monitoring simply can't see many classes of onboard compromise. In parallel, the EU's proposed Space Act and the bipartisan US Satellite Cybersecurity Act, reintroduced in December 2025, both aim to convert years of ad hoc best practices into enforceable baseline requirements for the commercial sector. Industry analysts now project the global space-cybersecurity market will reach roughly $5.2 billion by the end of 2026 - a number that, five years ago, would have measured a niche defense sub-sector rather than what is now treated as a mainstream infrastructure-security category.

The new frontier - supply chains

The biggest systemic challenge for the industry, however, isn't defending the satellite itself, and it isn't countering electronic warfare - it runs much deeper, in the supply chain.

A modern space mission brings together hundreds of companies from dozens of countries. Some write onboard flight software; others manufacture electronics, cryptographic modules, FPGA chips, telecommunications hardware, or cloud services for telemetry processing. Every component has its own development cycle, its own libraries, dependencies, and update procedures - and its own attack surface, often unknown even to the end operator.

That means compromising a single supplier can affect dozens of space programs that aren't even aware of each other's existence. The world already lived through a version of this scenario with the SolarWinds incident in 2020, when one compromised software update opened access to the networks of thousands of organizations, including US government agencies. The space industry is only beginning to grasp how critical supply-chain compromise risk becomes when the final destination of that compromise is orbit rather than a corporate data center.

Artificial intelligence accelerates both sides

Artificial intelligence is also gradually changing the character of space cybersecurity - and doing so symmetrically, accelerating both defense and offense.

On one hand, AI is already used for analyzing telemetry streams, automatically detecting anomalies in onboard system behavior, predicting equipment failures, and optimizing the management of entire satellite constellations. On the other hand, the same technologies are available to attackers: automated vulnerability discovery in firmware, large-scale open-source intelligence gathering on specific missions, generation of convincing phishing campaigns against engineering staff, or writing malicious code tailored to a specific onboard computer architecture.

Competition in this space depends less and less on the number of people on the attacking or defending team and more and more on the speed of adaptation to new data.

The Ukrainian experience the world is now studying

For most states, space cybersecurity is still a matter of strategic forecasting and "what if" scenarios. For Ukraine, it has been part of everyday reality for several years now - and not an abstract one, but one with specific group names, specific malware tools, and specific dates.

Ukraine was the first to demonstrate, in practice rather than in theory, how tightly cyberattacks on ground infrastructure, GNSS interference, electronic warfare, unmanned systems, and commercial space services can intertwine within a single conflict. And it is the military segment - not just the energy sector or government institutions - that has become a separate, priority target for russian threat actors.

One of the most striking examples is Sandworm (also tracked as APT44, a GRU unit), which over the course of the war has shifted from purely destructive attacks toward targeted espionage against the armed forces. In 2023, Ukraine's Security Service (SBU) disrupted a Sandworm operation during its planning phase that was aimed at seizing Android tablets used by Ukrainian troops to plan combat missions on the battlefield. That same year, CISA and the UK's NCSC documented Infamous Chisel - a Sandworm toolset written specifically for Android devices belonging to the Ukrainian military, designed for data collection and establishing covert access. In late 2024, the same group ran a campaign built on fake websites hosted on Cloudflare Workers that mimicked the official page of Army+, a military app the Ministry of Defense uses to digitize unit reporting - victims were lured into downloading a malicious executable disguised as an app installer.

Working in parallel against military and government targets is Gamaredon (linked to the FSB's 18th Center for Information Security) - according to ESET, the most active threat group targeting Ukraine: in 2025 alone, researchers logged 35 distinct spear-phishing campaigns against government and military institutions. What's technically interesting is exactly how Gamaredon hides its command-and-control (C2) infrastructure: the group makes heavy use of Cloudflare tunnels (trycloudflare.com) to mask its real servers, the Telegra.ph API to disguise commands as ordinary traffic to a blogging platform, and the GoFile cloud storage service to stage and deliver malicious PowerShell payloads. On the back end, the group relies on dead drop resolvers (DDRs) - pre-planted public posts, for instance, on social media or forums, from which an infected host fetches the current C2 address on the fly, which makes blocking the infrastructure by static indicators much harder.

Separately, in 2026, Ukraine's CERT-UA flagged a cluster designated UAC-0247 (previously tracked as UAC-0244), which specifically targets FPV drone operators. In March 2026, the attackers distributed a fake update via Signal for drone-operator software called "BACHU" - the malicious archive quietly installed the AGINGFLY backdoor, written in C#, through DLL side-loading. In a broader campaign by the same cluster against hospitals and municipalities, the actors used a typical LNK → mshta.exe → HTA infection chain with an embedded PowerShell downloader, which fetched additional tools - the RAVENSHELL reverse shell, the SILENTLOOP PowerShell backdoor, and credential-stealing tools targeting Chromium-based browsers and WhatsApp. It's one more sign that, for russian hackers, the front line runs not through government institutions in general but through specific military specialties - down to an individual drone pilot.

This war has shown that modern warfare is fought simultaneously across physical, informational, cyber, and space domains - and the boundaries between them have practically disappeared. An attack on a civilian internet provider's modem turned out to be capable of paralyzing military communications; jamming a signal over neutral waters turned out to be capable of forcing commercial aviation on the other side of the continent to rewrite its flight routes; and a fake drone-software update sent over a messaging app turned out to be just as much an intelligence-gathering tool as an attack on an energy company.

That's why Ukraine's experience is of interest today not only to military analysts, but also to space agencies, satellite system manufacturers, and the international cybersecurity community - much of which, until recently, treated these scenarios as purely theoretical.

Final Thoughts

Cybersecurity has already gone through several sequential stages of development. First we learned to protect individual computers. Then corporate networks. After that came cloud environments, industrial systems, and critical infrastructure.

The logical next step is defending space systems - and as the last four years have shown, the industry is taking that step under the pressure of real incidents, not ahead of them.

Perhaps the most dangerous APT attack of the coming years won't start with a malicious attachment in an email or the exploitation of a web application. It may start with the compromise of a telemetry server, a stolen engineer's account, an infected update from a third-party firmware vendor, or an unnoticed configuration change on a VPN appliance at a ground station - exactly as it already happened on February 24, 2022.

We've grown used to saying that future wars will be fought in space. In reality, they're already there - it's just that the main target isn't the satellites themselves, but the ground infrastructure that keeps them running, and the radio-frequency spectrum through which every GNSS signal travels.

And as humanity continues to settle into orbit, cybersecurity stops being purely a matter of data protection. It becomes a matter of the continuity of communication, navigation, the economy, defense, and trust in the technologies without which the modern world can no longer function.

Author: Nessa

Subscribe to our bi-weekly Linkedin newsletter

Subscribe

You can support TheSIGN by becoming our SATELLITE. Click to learn more about sponsorship.

THE SIGN.MEDIA is a knowledge-sharing platform and ecosystem connecting independent space-cybersecurity experts, researchers, and industry professionals. It is not a registered press outlet, broadcaster, or journalistic mass-media undertaking. Articles, interviews, and commentary published on this site reflect the personal analysis and opinions of their named contributors and do not constitute an editorial line or investigative journalism produced by THE SIGN.MEDIA, S.L.U. Content is curated for informational and educational purposes and does not constitute professional, legal, or governmental advice. The author of each publication is identified in its byline.