Space IoT: Under Siege.
If your organization consumes satellite data, runs VSATs (very small aperture terminals), or depends on vendors who do—you’re in scope. Since 2020, attackers have shifted from “space” to the easier target: ground networks and cloud storage.

TL;DR
Key Points
- Harden supply chain: Enforce vendor access controls and audits to block the easiest path into ground networks and cloud buckets.
- Instrument jamming/spoofing: Stand up basic detection for GNSS (GPS-like) interference and alert on uplink anomalies.
- Lock down identities: Treat ground stations and satellite ops accounts like crown jewels; monitor VPN/IdP drift and service account use.
- Tighten storage paths: Turn on access logging, object lock, and anomaly alerts for mission data in S3/Blob stores.
- Share and learn fast: Join sector intel sharing (e.g., Space ISAC) so you’re not learning alone during an incident.
The story in 60 seconds
From 2020–2025, state actors (notably Russia, China, Iran, North Korea), ransomware crews, and hacktivists converged on space IoT—mostly via ground networks and cloud stores. Anchor events: Viasat KA-SAT disruption (Feb 2022), Interlock-style data exfil/extortion against defense/space supply chains (2024–2025), and 2025 hacktivist operations against Israeli satellite operators.
Why this works: supply-chain trust, identity sprawl, flat ops networks, and poorly instrumented storage. TTPs include supply-chain compromise, credential theft, GNSS jamming/spoofing, and living-off-the-land on admin workstations.
Impact is not just “space.” Downstream users lose comms, telemetry, and timing; dual-use services amplify blast-radius. As of Sept 9, 2025, hybrid campaigns mixing cyber and EW are normal in conflict zones and increasingly hit commercial providers.
AlphaHunt
See it in your telemetry
Network
- VPN: bursts of password-spray from data-center IPs; new device fingerprints on privileged tunnels.
- East-West: admin workstation to sat-modem/ground-station controllers at off hours.
- Egress: cloud API endpoints for storage/list/get from unfamiliar regions or ASN.
Endpoint
- Admin boxes launching built-ins (PowerShell, certutil, netsh) and archive tools pre-exfil.
- Unapproved firmware tools or serial/USB drivers installed on ops laptops.
- Credential access detections (LSASS memory reads, DPAPI abuse).
Cloud/Storage
- S3/Blob: object enumeration followed by large sequential GETs; access via legacy keys; failed object lock delete attempts.
- IAM: escalation on service principals tied to data mover jobs; policy edits outside change windows.
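The three storage indicators above (enumeration followed by bulk GETs, access with legacy keys, and refused deletes on locked objects) are easy to turn into a first-pass detector. The following is an added example, not code from the original newsletter or from any vendor: it runs over constructed CloudTrail-shaped S3 data events (field names follow CloudTrail's layout for eventName, userIdentity.accessKeyId, additionalEventData.bytesTransferredOut and errorCode, but every value is made up), uses a constructed access-key inventory in place of an IAM credential report, and the thresholds (10-minute window, 3 GETs, 1 GiB, 90-day key age) are assumptions to tune for your own buckets.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tunables; these values are assumptions for the example, not vendor guidance.
ENUM_WINDOW = timedelta(minutes=10)   # List -> bulk GET correlation window
MIN_GETS = 3                          # GETs after a List that count as "bulk"
GIB = 1024 ** 3
MIN_BYTES = 1 * GIB                   # bytes out within the window to alert
LEGACY_KEY_DAYS = 90                  # access-key age considered "legacy"


def _ts(s):
    """Parse CloudTrail's ISO-8601 Zulu timestamp."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(time, name, arn, key_id, bucket, obj=None, out=0, err=None):
    """Build a CloudTrail-shaped S3 data event (constructed sample, not real telemetry)."""
    return {
        "eventTime": time, "eventName": name, "errorCode": err,
        "userIdentity": {"arn": arn, "accessKeyId": key_id},
        "requestParameters": {"bucketName": bucket, "key": obj},
        "additionalEventData": {"bytesTransferredOut": out},
    }


MOVER = "arn:aws:iam::111122223333:user/datamover"      # constructed principal
INGEST = "arn:aws:iam::111122223333:role/ops-ingest"    # constructed principal

# Constructed sample: one principal enumerates the bucket, drains it with an
# old key and then trips Object Lock; a second principal behaves normally.
SAMPLE_EVENTS = [
    _event("2025-09-09T02:10:01Z", "ListObjects", MOVER, "AKIAEXAMPLEOLDKEY01", "mission-telemetry"),
    _event("2025-09-09T02:10:05Z", "GetObject", MOVER, "AKIAEXAMPLEOLDKEY01", "mission-telemetry", "pass-001.bin", 2 * GIB),
    _event("2025-09-09T02:10:30Z", "GetObject", MOVER, "AKIAEXAMPLEOLDKEY01", "mission-telemetry", "pass-002.bin", 2 * GIB),
    _event("2025-09-09T02:11:02Z", "GetObject", MOVER, "AKIAEXAMPLEOLDKEY01", "mission-telemetry", "pass-003.bin", 2 * GIB),
    _event("2025-09-09T02:12:00Z", "DeleteObject", MOVER, "AKIAEXAMPLEOLDKEY01", "mission-telemetry", "pass-001.bin", 0, "AccessDenied"),
    _event("2025-09-09T03:00:00Z", "GetObject", INGEST, "AKIAEXAMPLEFRESH02", "mission-telemetry", "manifest.json", 4096),
]

# Constructed key inventory: access key id -> creation time (what an IAM
# credential report would give you in practice).
SAMPLE_KEY_CREATED = {
    "AKIAEXAMPLEOLDKEY01": _ts("2024-01-15T00:00:00Z"),
    "AKIAEXAMPLEFRESH02": _ts("2025-08-20T00:00:00Z"),
}


def detect(events, key_created, now):
    """Return a list of (rule, principal_arn, detail) alerts over S3 data events."""
    alerts = []
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):   # ISO strings sort chronologically
        by_principal[e["userIdentity"]["arn"]].append(e)

    for arn, evs in by_principal.items():
        # Rule 1: enumeration followed by bulk sequential GETs within the window.
        for i, e in enumerate(evs):
            if e["eventName"] not in ("ListObjects", "ListObjectsV2"):
                continue
            t0 = _ts(e["eventTime"])
            gets = [g for g in evs[i + 1:]
                    if g["eventName"] == "GetObject" and _ts(g["eventTime"]) - t0 <= ENUM_WINDOW]
            out = sum(g["additionalEventData"]["bytesTransferredOut"] for g in gets)
            if len(gets) >= MIN_GETS and out >= MIN_BYTES:
                alerts.append(("enum_then_bulk_get", arn,
                               f"{len(gets)} GETs, {out / GIB:.1f} GiB within {ENUM_WINDOW} of List"))
                break  # one alert per principal is enough for triage

        # Rule 2: any access performed with a key older than LEGACY_KEY_DAYS.
        old_keys = {e["userIdentity"]["accessKeyId"] for e in evs
                    if (now - key_created.get(e["userIdentity"]["accessKeyId"], now)).days > LEGACY_KEY_DAYS}
        for k in sorted(old_keys):
            alerts.append(("legacy_key_use", arn, f"key {k} older than {LEGACY_KEY_DAYS} days"))

        # Rule 3: a DELETE refused on a locked object. Either Object Lock is doing
        # its job or someone is probing whether it will; both deserve a look.
        for e in evs:
            if e["eventName"].startswith("DeleteObject") and e["errorCode"] == "AccessDenied":
                alerts.append(("failed_delete_locked_object", arn,
                               f"{e['requestParameters']['bucketName']}/{e['requestParameters']['key']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, SAMPLE_KEY_CREATED, _ts("2025-09-09T12:00:00Z")):
        print(json.dumps(alert))
```

Run against the constructed sample, the data-mover principal produces all three alert types and the ingest role produces none; the point of grouping by principal rather than by bucket is that a legitimate mover job and a stolen mover key look identical at the bucket level and only diverge on key age and on what happens after the List.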
RF/GNSS (if you have it)
- GNSS receiver SNR drops, sudden clock drift, or position jumps.
- Uplink power/BER anomalies aligned with ops windows.
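For teams that do have receiver telemetry, the three GNSS indicators above (SNR drops, sudden clock drift, position jumps) can be checked with plain arithmetic on 1 Hz fixes. This is an added example, not code from the original newsletter or from any receiver vendor: the fix records are constructed, the antenna location is a placeholder, and the thresholds (50 m jump, 100 ns/s drift, 10 dB drop against a five-sample baseline) are assumptions chosen for a fixed ground-station antenna that should never move.

```python
from math import asin, cos, radians, sin, sqrt
from statistics import mean

# Thresholds are assumptions for a fixed ground-station antenna; tune per site.
MAX_POSITION_JUMP_M = 50.0         # a fixed antenna should not move at all
MAX_CLOCK_DRIFT_NS_PER_S = 100.0   # change in receiver clock bias between fixes
SNR_DROP_DB = 10.0                 # drop relative to the rolling baseline
BASELINE_LEN = 5                   # fixes used for the SNR baseline


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 fixes."""
    r = 6371000.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dl = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * r * asin(sqrt(a))


def _fix(t, lat, lon, snr_db, clock_bias_ns):
    """One receiver fix (constructed record shape, not a vendor format)."""
    return {"t": t, "lat": lat, "lon": lon, "snr_db": snr_db, "clock_bias_ns": clock_bias_ns}


SITE_LAT, SITE_LON = 52.0000, 4.0000   # placeholder antenna location

# Constructed 10-second trace: clean fixes, then SNR collapses at t=6 and the
# reported position and clock bias both jump at t=7, as spoofing would look.
SAMPLE_FIXES = (
    [_fix(t, SITE_LAT, SITE_LON, 42.0, 5.0 * t) for t in range(6)]
    + [_fix(6, SITE_LAT, SITE_LON, 28.0, 30.0)]
    + [_fix(t, SITE_LAT + 0.01, SITE_LON, 28.0, 2000.0 + 5.0 * t) for t in range(7, 10)]
)


def detect_gnss_anomalies(fixes):
    """Return (rule, t, detail) alerts over time-ordered receiver fixes."""
    alerts = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur["t"] - prev["t"]
        if dt <= 0:
            continue  # duplicate or out-of-order fix; nothing to compare against

        # Position jump: any movement of a fixed antenna is suspect.
        jump = haversine_m(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if jump > MAX_POSITION_JUMP_M:
            alerts.append(("position_jump", cur["t"], f"{jump:.0f} m"))

        # Clock drift: a step in receiver clock bias far above normal oscillator wander.
        drift = abs(cur["clock_bias_ns"] - prev["clock_bias_ns"]) / dt
        if drift > MAX_CLOCK_DRIFT_NS_PER_S:
            alerts.append(("clock_drift", cur["t"], f"{drift:.0f} ns/s"))

        # SNR drop: compare against the mean of the preceding BASELINE_LEN fixes.
        if i >= BASELINE_LEN:
            base = mean(f["snr_db"] for f in fixes[i - BASELINE_LEN:i])
            if base - cur["snr_db"] >= SNR_DROP_DB:
                alerts.append(("snr_drop", cur["t"],
                               f"{cur['snr_db']:.1f} dB vs {base:.1f} dB baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect_gnss_anomalies(SAMPLE_FIXES):
        print(alert)
```

On the constructed trace the SNR rule fires at t=6 and again at t=7 (the baseline still contains mostly clean fixes), then goes quiet as the low values become the new baseline; the position and clock rules fire once each at t=7. That decay is deliberate: a rolling baseline detects the onset of interference, and you pair it with an absolute floor if you also want to alert for as long as it persists.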
Mail/IdP
- Targeted phish to ops engineers referencing vendor tickets; new OAuth app consents in IdP.
High Impact, Quick Wins
Turn on object-lock + anomaly alerts for mission data
- Sell it: Proven ransomware blast-radius reducer.
- Measure it: % critical buckets locked, mean time from suspicious access → alert.
Privilege hardening for ops identities (MFA, short-lived tokens, service-account rotation)
- Sell it: Stops the #1 initial access for ground compromises.
- Measure it: % privileged accounts with strong MFA; median key age; failed privileged auth rate.
Ground-segment segmentation + egress allow-listing
- Sell it: Containment when an admin box is popped; limits data theft and tooling download.
- Measure it: Allowed egress destinations count; blocked egress attempts from ops VLANs; lateral-movement alerts post-change.
Research
Summary
Space IoT infrastructure—including commercial, military, and GNSS satellites, as well as ground systems—has become a prime target for both state and non-state threat actors from 2020 to 2025. Russian (Sandworm, APT28, Turla), Chinese (APT41, UNC4841), Iranian (Peach Sandstorm), and North Korean (Lazarus Group) state actors have conducted cyber and electronic warfare operations, leveraging supply chain attacks, destructive malware, jamming, spoofing, and espionage to degrade adversary capabilities and collect intelligence. Non-state actors, including ransomware groups (e.g., Interlock) and hacktivists (GhostSec, ArabianGhosts), have exploited cloud storage, supply chains, and VSAT terminals for extortion, disruption, and information warfare.
Key incidents include the Sandworm destructive malware attack on Viasat KA-SAT (2022), Interlock ransomware exfiltration of 4.2 TB from National Defense Corporation (2024–2025), and hacktivist DDoS/credential theft campaigns against Israeli satellite operators (2025). These attacks have caused operational outages, economic losses, and exposed critical dependencies in global infrastructure, with attribution often complicated by proxy use and blended state/non-state operations.
TTPs have evolved to include supply chain compromise (T1195), GNSS jamming/spoofing (T1461/T1462), ransomware/data extortion (T1486), and credential theft (TA0006). Living-off-the-land, social engineering, and targeting of ground infrastructure are increasingly prevalent. The threat landscape is further complicated by hybrid warfare, economic espionage, and the integration of space systems with terrestrial critical infrastructure.
Background and Context
- Space IoT infrastructure—including commercial, military, and GNSS satellites, as well as ground systems—has become essential for communications, navigation, defense, and critical infrastructure worldwide.
- The period 2020–2025 has seen a surge in both the frequency and sophistication of attacks on space assets, driven by geopolitical tensions, the expansion of commercial space services, and the increasing integration of space systems with terrestrial critical infrastructure.
- Attribution remains challenging due to the use of proxies, criminal partnerships, and the blending of state and non-state actor operations.
Significant State and Non-State Threat Actors (2020–2025)
State Actors
- Russia (Sandworm, APT28, Turla, Void Blizzard)
  - Engaged in cyber and electronic warfare (EW) targeting Western, Ukrainian, and commercial space assets.
  - Tactics include jamming, spoofing, destructive malware, and espionage.
  - Motivations: Military advantage, intelligence collection, and disruption of adversary C4ISR.
- China (APT41, UNC4841, Earth Ammit)
  - Persistent cyber espionage and supply chain attacks on satellite operators and ground systems.
  - Demonstrated advanced on-orbit maneuvering and dual-use satellite capabilities.
  - Motivations: Strategic intelligence, military modernization, and economic advantage.
- Iran (Peach Sandstorm, APT33, Predatory Sparrow)
  - Conducted cyberattacks against aerospace and satellite infrastructure, often for intelligence and regional influence.
  - Used social engineering, password spraying, and destructive malware.
- North Korea (Andariel, Lazarus Group)
  - Targeted defense, aerospace, and satellite sectors for espionage and military leverage.
Non-State Actors
- Ransomware Groups (e.g., Interlock)
  - Targeted space sector supply chains and cloud storage (e.g., AWS S3 buckets used for satellite data) for extortion.
  - Example: Interlock ransomware attack on National Defense Corporation and its subsidiary AMTEC, exfiltrating terabytes of data tied to defense and space stakeholders.
- Hacktivist Groups (e.g., GhostSec, ArabianGhosts, Mr Hamza, Cyber Unit 89)
  - Conducted DDoS, web defacement, and claimed intrusions into VSAT terminals and satellite operators, especially during regional conflicts (e.g., Israel-Iran).
  - Motivations: Political signaling, disruption, and information warfare.
Geopolitical Motivations and Operational Trends
- Military and Strategic Superiority: States seek to degrade adversary capabilities, gather intelligence, and ensure freedom of action in space.
- Economic and Technological Espionage: Theft of intellectual property and disruption of commercial satellite services.
- Political Signaling and Coercion: Jamming, spoofing, and cyberattacks as tools of statecraft.
- Hybrid Warfare: Integration of cyber, EW, and physical attacks in broader military campaigns.
- Hacktivism and Criminal Collaboration: Non-state actors amplify state objectives or pursue financial gain, often blurring attribution.
Evolution of Tactics, Techniques, and Procedures (TTPs)
- Supply Chain Attacks: Compromising vendors and cloud services to access satellite networks (e.g., Earth Ammit, Interlock).
- Jamming and Spoofing: Advanced GNSS interference, signal hijacking, and broadcast of propaganda.
- Targeting Ground Infrastructure: Attacks on control centers, ground stations, and IT networks.
- Ransomware and Data Extortion: Encryption and theft of mission-critical data, with threats of public leaks.
- Living-off-the-Land and Social Engineering: Use of legitimate tools, credential theft, and phishing to evade detection.
Major Incidents (2020–2025)
| Date | Actor/Group | Target | TTPs | Impact | Source |
|---|---|---|---|---|---|
| Feb 2022 | Russia (Sandworm) | Viasat KA-SAT (Ukraine/EU) | Destructive malware, supply chain | Disrupted satellite internet, collateral outages in wind farms | ENISA, CSIS |
| 2024–2025 | Interlock (Ransomware) | National Defense Corp. (US) | Ransomware, data exfiltration | 4.2 TB of sensitive data exfiltrated, extortion | Kratos/Space ISAC |
| 2025 | GhostSec, ArabianGhosts, Mr Hamza (Hacktivists) | Israeli satellite operators, VSAT terminals | DDoS, web defacement, claimed intrusions | Disruption, theft of credentials, information warfare | Kratos/Space ISAC |
| 2024 | Iran (Peach Sandstorm) | Aerospace & satellite sectors | Password spraying, social engineering | Espionage, persistent access | CSIS |
Impact on Global Security and Critical Infrastructure
- Operational Disruption: Attacks have caused loss of connectivity for military, government, and civilian users, impacting command and control, emergency response, and critical infrastructure.
- Escalation Risks: Space-based attacks risk escalation into broader military conflict, especially when targeting dual-use assets.
- Economic Losses: Ransomware and service outages have resulted in significant financial losses and reputational harm.
- Strategic Vulnerability: Demonstrated ability to disrupt or degrade space assets exposes critical dependencies in global infrastructure.
Attribution Challenges
- Attribution is complicated by the use of proxies, criminal partnerships, and the blending of state and non-state operations.
- Many incidents are only made public by attackers, with limited confirmation from victims, making impact assessment and attribution uncertain.
- Analysts often use language such as “assessed with moderate confidence” or “likely” when attributing attacks.
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)