Cyberattacks on SATCOM networks attributed to Russian threat actors

Satellites are critical infrastructure and need to be cybersecured

In the context of this article we will use the term satellite for a machine that is launched into space and moves around Earth. And there might be a lot more of them than you would expect—this live maptracks a huge number of satellites.

Originally most of earth’s satellites were launched for scientific reasons. Some because of their unique ability to provide a view of a large area of the earth’s surface, and others because they are able to study space without having to deal with the atmosphere.

Today, a majority of the satellites in orbit are used in some form of communication. That’s not surprising when you consider that Elon Musk’s SpaceXis by far the largest operator of satellites. In September 2021, the total number of satellites amounted to 4550, with 1655 of them belonging to SpaceX. SpaceX’s Starlink satellite Internet program plans to send more than a thousand new satellites into orbit every year.

Commercial satellites, like Starlink, provide us with the ability to have things like Internet access, television, GPS, and scientific information about the weather and other processes in the atmosphere and on the surface.


On March 17, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published an alertin conjunction with the Federal Bureau of Investigation (FBI) which warned of possible threats to US and international satellite communication (SATCOM) networks.

Along with that alert came a reportthat provided mitigation strategies for SATCOM providers and their customers. And, as part of CISA’s Shields Upinitiative, all organizations are being asked to significantly lower their threshold for reporting and sharing indications of malicious cyberactivity.


On March 2, 2022 the current head of the Russian Roscosmos State Space Corporation, Dmitry Rogozin, saidthat Russia will consider any cyberattacks targeting Russian satellite infrastructure an act of war. This didn’t seem to stop activist group NB65 from claiming that it had disabled WS02, the Rocosmos Vehicle Monitoring System.


On February 28, 2022 US-listed satellite communications firm Viasat Inc said it was investigating a suspected cyberattack that caused a partial outage in its residential broadband services in Ukraine and other European countries. Among other things, the outage caused a disruption of the remote monitoring and control of 5,800 wind turbines in Central Europe, with a total capacity of 11 gigawatt (GW).

Viasat operates large geostationary satellites. Geostationary means they are synchronized with the earth’s rotation, which results in a stationary orbit at a point about 35,000 kilometers from Earth.

Viasat’s geostationary approach is the traditional method of providing broadband service from space, but other operators, like Starlink, use satellites in low earth orbits. This requires more satellites, but provides higher speeds.

In answer to a request for Starlink support from Ukraine digital minister Mykhailo Fedorov, SpaceX’s CEO Elon Musk was quick to respond and promise help.

Critical infrastructure

The examples above demonstrate how networks of satellites and space systems are vulnerable to cyberattack, and create a backdoor into the physical and digital systems we rely upon on a daily basis.

While we tend to think about other things first when we are discussing critical infrastructure, the underlying systems that enable technology functionality across these sectors often rely on space systems. For example, some high-tech farming equipment relies on GPS information provided by satellite.

Like so many other important assets, a lot of space systems were developed without cybersecurity in mind. Around the turn of the century, cybersecurity was not a big concern, and during the development of some systems no special cybersecurity parameters were deployed because engineers thought the technology was too advanced for a hacker to compromise.

It wasn’t until NASA set up the Cyber Defense Engineering and Research Group (CDER) that anyone looked at the unique cybersecurity requirements that distinguishes space mission systems from traditional firewalled data servers.

And it wasn’t until the end of 2016, that AT&T encrypted NASA’s Deep Space Network (DSN), after a report on how to hack into the Mars Roverappeared on the Internet.


If you know or suspect that an important part of your organization’s internal processes depends on satellite services, the CISA report provides some guidelines for customers of SATCOM providers:

  • Use secure methods for authentication.
  • Enforce principle of least privilege through authorization policies.
  • Review existing trust relationships with IT service providers.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider.
  • Strengthen the security of operating systems, software, and firmware, including vulnerability and patch management.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Create, maintain, and exercise a cyberincident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.