
CTRL+ALT+ORBIT: The Cyber Race to Compromise Space Assets

Uma Miskinyar

Cyber Threats Beyond Earth

Efforts to secure America’s critical infrastructure have long focused on land, air, and sea. However, as reliance on space-based systems accelerates, orbit is becoming the newest, and increasingly exposed, arena for cyber intrusion. 


Cyber threats increasingly target the period of technological metamorphosis as space systems undergo rapid innovation. As low-earth orbit constellations provide services ranging from broadband to proliferated satellite architectures for warfighter capabilities and the Global Positioning System (GPS), U.S. dependency on space-based military capabilities and economic activity expands as well. Satellites are indispensable pillars of the modern world, orchestrating communication, commerce, and navigation. However, if left unchecked, cyber adversaries who target such critical infrastructure may exploit the very vulnerabilities they intend to undermine.


Great Power Competition in Orbit

The same satellites that enable global commerce, navigation, and missile warning now sit at the center of a silent contest between major powers, criminal networks, and state-backed hackers, further driven by an increased dependence on space-based assets for both military and civilian functions. As defense commitments among North Atlantic Treaty Organization (NATO) allies shift, the organization's deterrence capabilities increasingly depend on these assets, primarily satellites, for defense, communication, and intelligence. 


Subsequent disclosures beginning in February 2024 indicate that Russia’s engagement in counterspace activities has surged, in addition to its alleged development of a nuclear space-based anti-satellite weapon. Last May, the United States accused Russia of launching a counterspace weapon, stating it had “characteristics resembling previously deployed counter space payloads” in 2019 and 2022. The 2022 Space Threat Assessment report highlighted that Russia’s efforts to infiltrate GPS signals have stretched from Baltic and Nordic nations through Ukraine and Russia itself, occurring since the Russo-Ukrainian War’s inception.


In response to China’s expanding military space capabilities across all orbital regimes, U.S. Space Force leaders have bolstered their demand for counterspace capabilities. The 2025 Space Threat Assessment report observes that Beijing’s actions over the last year have compounded its efforts in the previous year to establish dual-use satellites in orbit with a tendency to maneuver, signifying a growing operator proficiency and maturing space techniques and procedures. The report also highlighted that Beijing has reorganized its armed forces, establishing a single force oriented towards its space operations.


In July 2024, the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory warning of North Korean cyber-espionage activities targeting space-based defense capabilities worldwide to advance their own capabilities, including targeting defense, aerospace, nuclear, and engineering entities. Concurrently, the 2025 Space Threat Assessment report detailed that Iran’s pursuit of cyberattacks against aerospace and satellite infrastructure has increased in the last year: Microsoft’s published reports in March and August of 2024 further assessed that the Peach Sandstorm campaign, an Iranian-linked cyber-espionage operation targeting government, defense, and civil society entities, was directed by actors linked to Iran’s Islamic Revolutionary Guard Corps, as part of ongoing intelligence collection and social engineering efforts. 


Collectively, these activities reflect a converging strategic logic rather than isolated national efforts: Russia, China, Iran, and North Korea are not pursuing counterspace capabilities in parallel; they are orienting toward the same alliance-dependent space architecture. Because U.S. and NATO military effectiveness is increasingly mediated through commercial, dual-use satellite systems, pressure applied anywhere along that architecture (ground stations, supply chains, software, or signal integrity) can generate strategic effects without a discrete act of attack. This convergence places U.S. space assets at the center of contemporary power competition, where advantage is gained not through overt disruption but through shaping conditions of access, uncertainty, and restraint.


Cyber Threats to Space and Ground-Based Infrastructure

Cyber attacks are often associated with ransomware, in which hackers attempt to breach records. In February 2022 alone, an official United Kingdom source registered eighty-three data breaches, with over five million records at risk. Just before the Russo-Ukrainian War, cyber attacks increased and were recorded targeting Ukrainian banks and government institutions in the second half of February 2022. For satellite operators, the threats have further evolved. The Space Information Sharing Center (ISAC) reported a 118% increase in space-related cyber incidents as of November 2025 compared to 2024, with roughly 117 open-source incidents from January to August 2025. The Space ISAC stated this is a partial statistic, suggesting the actual attack volume is higher.


Before Russia’s invasion in February, Ukraine had already become a victim of “NotPetya,” a nationwide attack widely attributed to Russian state actors. Ukraine absorbed 80% of the overall infection, making it the hardest-hit state. NotPetya blocked digital services and operations at Ukrainian government agencies, airports, and banks. It then spread beyond Ukraine, unintentionally damaging hundreds of companies across more than six countries. Financial losses from the attack are estimated to be $10 billion. In 2021, however, global financial losses from cyberattacks were estimated at $6 trillion. Whether NotPetya originated from political, personal, or ethnic conflict, the following question lingers: What protections can prevent a sophisticated hacker group from shutting down vital assets?


Cyber attacks as a means of political leverage are not a novel form of state disruption. The Stuxnet Virus is a key example of this: a mechanism developed to target Iran’s nuclear weapons program, primarily its centrifuges. Stuxnet was one of the first known cyberweapons to successfully destroy industrial infrastructure during an intelligence operation. The operation destroyed approximately 1,000 Iranian centrifuges, primarily located at Natanz, making it one of the most significant and tangible demonstrations of a cyberweapon’s ability to disrupt critical infrastructure physically.


While ransomware is primarily observed as a threat to the frontline of terrestrial technologies, its threat to satellite systems is just as real. When there is capacity, there is intent to exploit it. A recent example of this occurred in March 2022: SpaceX received word of the jamming of the Starlink terminals they delivered to Ukraine and, from this, sought to strengthen their cybersecurity measures. During the attack, cyber adversaries exploited a weakness in the satellites’ communication systems, showing why robust cryptography and cybersecurity are essential to counter future, more sophisticated threats.


In the same year, during the Russian cyberattack targeting Viasat’s KA-SAT satellite network, hackers compromised ground-based infrastructure to undermine Ukrainian command and control. A few months later, U.S. cybersecurity authorities and NATO members issued a joint warning that Russian state-backed cybercriminal groups were preparing cyberattacks on critical infrastructure, primarily satellites. 


Hybrid Warfare Goes Digital

Cyber attacks, monitored by organizations such as the European Union Agency for Cybersecurity (ENISA) and the CyberPeace Institute, are increasing at an alarming rate, directly translating to the vulnerability of satellite systems. For example, in 2024, ENISA found that the number of such attacks increased by 300% within five years. According to the report, these attacks gravitated toward disrupting critical satellite-based communication systems.


From a legal perspective, ignoring such a reality is a mistake, despite significant ambiguity and varying interpretations. This ambiguity grows as commercial and military systems blend, and as major powers adopt opaque offensive capabilities. In 2017, Jeanette Hanna-Ruiz, NASA’s former chief information security officer, stated in an interview that “it's a matter of time before someone hacks into something in Space.” Within five years of her statement, Russia launched a cyber operation against Viasat’s KA-SAT satellite network. As a result, the communication capabilities of Ukrainian civilians and security forces were impaired as Russian forces invaded.


Over the past two decades, cyber operations have become integral to hybrid warfare, where states combine conventional, kinetic, and digital tools to disrupt an adversary’s critical systems. It is key to understand this evolution, as the ways cyber attacks unfold today demonstrate the ease with which a single breach can disrupt military, economic, and civilian domains. But sometimes, rather than directly attacking the satellite itself, hackers compromise ground-based infrastructure, including the modems that directly interface with the satellite, resulting in widespread connectivity failures. 


While satellite systems can be compromised in several different ways, one of the most sophisticated and least detectable pathways is a hardware-level supply-chain infiltration that embeds malware before the spacecraft even reaches orbit. For national security, attacks such as the hardware-level supply chain infiltration are especially dangerous. A single compromised component can undermine satellites critical to missile warning, communications, and intelligence, giving adversaries a foothold before the system is even in orbit. The risks posed by these cyber intrusions are best understood by examining the full lifecycle of a compromise, from initial access to operational impact.


Stealthy On-Orbit Malware Operations

The attack begins before the satellite is even launched. Modern small satellites are built with many third-party hardware components, often referred to as Commercial Off-the-Shelf (COTS) parts, including sensors, cameras, and communication devices. Next, according to Cornell University’s Cryptography and Security Department, a supply chain insider obtains pre-launch access to these third-party hardware components while they are being manufactured or sourced. The insider, or adversary, then secretly embeds malicious functionality (malware) into the component’s internal logic or firmware. This is a quieter process, as third-party components often do not undergo the strict security checks that the main flight software does, and vendors rarely provide the full source code for integrators to audit. The malicious component is designed to look and function like a legitimate piece of hardware, so it passes initial integration and testing.


Once an infected satellite is launched into space, the malicious logic does not activate immediately. Components perform their routine, expected duties, while the malicious logic remains idle, waiting for a specific condition to arise, a strategy that prevents premature detection during the early operational and testing phases. Blending in, the malicious components leverage system interfaces and APIs, making their actions indistinguishable from normal operations. Simultaneously, they can subscribe to mission-critical data streams (such as GPS or electrical power) just like any trusted component because the system often lacks authentication or access control for these actions.


The malicious logic activates when a predefined trigger occurs. The attack can use two trigger types: static and dynamic. With static triggers, the malware activates after a fixed time delay, whereas with dynamic triggers, the malware monitors live satellite telemetry (data) for a specific mission-relevant condition, such as detecting orbital insertion based on GNSS (GPS) activity, to initiate the attack, making the attack mission-aware and stealthy. Once triggered, the malware executes its initial objectives, which often include stealing data (data exfiltration) or causing problems (denial of service or disruption). In multifaceted attacks, the malicious components coordinate by sending secret signals to each other, either over the public internal software bus or, for maximum stealth, via a covert communication channel invisible to ground operators.


From here, the malware takes mission telemetry and uses the satellite's onboard radio transmitter to send it to an unauthorized, malicious ground station, without alerting the legitimate operators that the radio is being used for unauthorized purposes. Alternatively, the malware can cause a Denial of Service (DoS) by deliberately crashing the core flight software, making it look like a random software bug, or by flooding the internal software bus with fake messages and commands, degrading operations, confusing operators, and increasing plausible deniability about the source of the problem.


The whole attack works because small satellite systems place implicit trust in all components and lack strong security features like real-time monitoring, access control, and authentication on internal communication channels. The lack of logging means that using basic operating system functions (like creating a file to communicate) is often invisible to operators.
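The missing controls named above, access control on bus subscriptions and monitoring of internal traffic, can be illustrated with a small bus auditor that checks every subscribe and publish event against a per-component manifest and flags publish floods. This is an added example, not code from the article or from any flight software; the component names, topic names, manifest format and event tuples are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque

# Hypothetical manifest: topics each component may subscribe to or publish,
# and its expected maximum publish rate in messages per window.
MANIFEST = {
    "gnss_rx": {"sub": set(),        "pub": {"GNSS_FIX"},  "max_rate": 2},
    "eps":     {"sub": set(),        "pub": {"EPS_POWER"}, "max_rate": 2},
    "adcs":    {"sub": {"GNSS_FIX"}, "pub": {"ADCS_ATT"},  "max_rate": 5},
    "camera":  {"sub": {"ADCS_ATT"}, "pub": {"IMG_META"},  "max_rate": 1},
}

# Constructed sample bus events: (time_s, component, action, topic).
EVENTS = [
    (0.0, "adcs", "sub", "GNSS_FIX"),
    (0.1, "camera", "sub", "ADCS_ATT"),
    (0.2, "camera", "sub", "GNSS_FIX"),    # COTS camera has no need for GNSS
    (0.3, "camera", "sub", "EPS_POWER"),   # nor for power telemetry
    (1.0, "gnss_rx", "pub", "GNSS_FIX"),
    (2.0, "gnss_rx", "pub", "GNSS_FIX"),
    (3.0, "camera", "pub", "IMG_META"),
    (10.0, "camera", "pub", "IMG_META"),   # burst starts here
    (10.1, "camera", "pub", "IMG_META"),
    (10.2, "camera", "pub", "IMG_META"),
    (10.3, "camera", "pub", "IMG_META"),
]

def audit_bus(events, manifest, window_s=1.0):
    """Return (time, component, finding) tuples for manifest violations."""
    findings = []
    recent = defaultdict(deque)   # component -> recent publish timestamps
    flood_flagged = set()         # report each flooding component once
    for t, comp, action, topic in events:
        policy = manifest.get(comp)
        if policy is None:
            findings.append((t, comp, "unknown-component"))
            continue
        if action == "sub" and topic not in policy["sub"]:
            findings.append((t, comp, f"unauthorized-subscribe:{topic}"))
        elif action == "pub":
            if topic not in policy["pub"]:
                findings.append((t, comp, f"unauthorized-publish:{topic}"))
            q = recent[comp]
            q.append(t)
            while q and t - q[0] >= window_s:   # drop publishes outside window
                q.popleft()
            if len(q) > policy["max_rate"] and comp not in flood_flagged:
                flood_flagged.add(comp)
                findings.append((t, comp, "publish-flood"))
    return findings

if __name__ == "__main__":
    for finding in audit_bus(EVENTS, MANIFEST):
        print(finding)
```

Writing the findings to a log that is downlinked with housekeeping telemetry addresses the logging gap the paragraph describes; enforcing the manifest at subscribe time, rather than only reporting, would turn the audit into access control.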


The Gray Zone of Space and Cyber Operations

As the United States and its allies grow more dependent on satellites for navigation, missile defense, communications, and intelligence collection, this reliance introduces an entirely new layer of vulnerability. The problem is not only that these systems can be targeted by adversaries, but that emerging technologies are advancing faster than our ability to anticipate how they will behave in crisis conditions. Innovation expands capability, but it also expands ambiguity. Cyber espionage often mirrors the early stages of a cyber attack: probing networks, accessing data streams, and mapping system behavior. In a domain where attribution is already difficult, misreading intelligence collection as a hostile strike could trigger escalation before policymakers fully understand the situation. The challenge of attribution is magnified in space, where even debris or system malfunctions can be misread as deliberate attacks. Combined with reliance on satellites for early warning of missile launches, this creates a dangerous potential for misperception and unintended escalation. 


This ambiguity deepens when malware crosses boundaries inside a system. A tool built for espionage can accidentally spread beyond its intended scope, creating effects that resemble a deliberate attack. The United States becomes especially vulnerable here: the intricacy of its satellite infrastructure, combined with heavy reliance on third-party components, creates an attack surface where even a minor modification can have strategic implications. This stage represents the foundation of supply-chain compromise: the juncture where vulnerabilities take shape long before a satellite ever reaches orbit. The rapid growth of privately owned satellites further complicates the picture, introducing new actors, priorities, and vulnerabilities, while also increasing open-source intelligence available to adversaries.


The Path Ahead

The story of space cybersecurity is ultimately a story about the future of conflict. As space becomes increasingly congested, contested, and commercially driven, the landscape of threats in the cyber world surrounding it evolves just as rapidly. In this emerging environment, ambiguity becomes as dangerous as capability: debris and cyber espionage can be mistaken for attacks, and a compromised commercial satellite can inadvertently trigger military escalation. In space, even a minor intrusion can have outsized effects because every system is globally interconnected and dual-use by design, hence the added risk to operating in this gray zone. 


The vulnerability in U.S. space architecture is not in the satellites in orbit, but the commercial supply chains and ground systems behind them. As emerging technologies are increasingly integrated into defense practices, reducing this risk may require mandatory cybersecurity standards for commercial operators, stronger government–industry information sharing, and procurement practices that prioritize supply-chain integrity over speed and cost.


The cyber race is therefore not about who can attack the fastest, but about preventing miscalculations in a domain where no one admits responsibility and everyone has something at stake. If the United States and its partners fail to strengthen supply-chain integrity, mandate cybersecurity standards for commercial operators, and establish clearer norms for behavior in orbit, the vulnerabilities of today’s space systems will become the catalysts for tomorrow’s crises. What hangs in the balance is not simply technological dominance, but the stability of the international system itself.

