The Unpatched Orbit

Massimo

On February 24, 2022, roughly one hour before Russian tanks crossed the Ukrainian border, something happened in orbit that most of the world did not notice. A cyberattack, later attributed to Russian military intelligence, hit Viasat’s KA-SAT network, the satellite communications system that the Ukrainian military relied on for command and control. The weapon was a piece of malware called AcidRain: a wiper that bricked tens of thousands of satellite modems across Europe. Ukrainian military communications went dark at the precise moment they were needed most. Wind turbines in Germany lost their remote monitoring connections. Thousands of broadband customers across the continent were knocked offline as collateral damage.

The attack did not target the satellites themselves. It targeted the ground segment, the terrestrial infrastructure that manages the satellite network. A misconfigured VPN appliance provided the initial access. From there, the attackers moved laterally until they reached the management systems for the KA-SAT modems, then pushed a destructive firmware update to every device they could reach. The satellites continued to orbit, functioning perfectly. The network they served was destroyed from below.

This was the first confirmed use of a cyberattack against satellite infrastructure as a direct component of a military operation. It was not theoretical. It was not a wargame scenario. It was an act of war, timed to coincide with a ground invasion, and it worked. The implications have been reverberating through defense establishments and the space industry ever since, not because the attack was technically sophisticated, but because it was technically trivial. A misconfigured VPN. A lateral movement through a flat network. A firmware push. These are the kinds of vulnerabilities that would embarrass a mid-size enterprise, and they brought down a military satellite communications network in the opening hour of Europe’s largest war since 1945.
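What would have changed the outcome at the modem end of that chain is a device that refuses an update it cannot verify. The block below is an added illustration, not Viasat's or any vendor's actual firmware code: a device-side gate that checks a tag over the image and its version number before flashing and refuses rollbacks, so that whoever holds the management plane still cannot push an arbitrary payload. It uses Python's standard-library HMAC with a constructed demo key as a stand-in for the asymmetric signature a real device would verify against a vendor public key; the fleet, versions and image bytes are constructed.

```python
"""Device-side firmware gate (added example, not from the article or any vendor).
A modem verifies the image before flashing, so a compromised management plane
cannot brick it with an unsigned payload. HMAC-SHA256 from the stdlib stands in
for the vendor signature a real device would check with a public key."""
import hashlib
import hmac
import struct

# Constructed per-device key for the demo; a real device keeps a provisioned key
# (or vendor public key) in protected storage, never a constant in source.
DEVICE_KEY = hashlib.sha256(b"constructed-demo-device-key").digest()


def image_tag(key: bytes, version: int, image: bytes) -> bytes:
    """Tag the build pipeline attaches to an image. The version is bound into
    the tag, so an old signed image cannot be relabelled as a newer one."""
    header = struct.pack(">I", version)
    return hmac.new(key, header + image, hashlib.sha256).digest()


def accept_update(key: bytes, installed_version: int, version: int,
                  image: bytes, tag: bytes) -> str:
    """Return 'accepted' or the reason the device refuses to flash the image."""
    if not hmac.compare_digest(image_tag(key, version, image), tag):
        return "rejected: tag does not verify (tampered or unsigned image)"
    if version <= installed_version:
        return "rejected: anti-rollback (version not newer than installed)"
    return "accepted"


def simulate_push(key: bytes, fleet: dict, version: int,
                  image: bytes, tag: bytes) -> dict:
    """Run one management-plane push against a fleet {device_id: installed_version}
    and report, per device, whether it would actually flash the image."""
    return {dev: accept_update(key, installed, version, image, tag)
            for dev, installed in fleet.items()}


if __name__ == "__main__":
    fleet = {"modem-a": 3, "modem-b": 3, "modem-c": 5}      # constructed fleet
    good_image = b"\x7fELF constructed firmware bytes v4"   # constructed image
    good_tag = image_tag(DEVICE_KEY, 4, good_image)
    print("legitimate v4 push:", simulate_push(DEVICE_KEY, fleet, 4, good_image, good_tag))
    # A wiper pushed through the same management path but never signed by the vendor:
    wiper = b"\x00" * len(good_image)
    print("unsigned wiper push:", simulate_push(DEVICE_KEY, fleet, 4, wiper, good_tag))
```

In the legitimate run, modem-a and modem-b accept and modem-c refuses the rollback; in the wiper run every device refuses because the tag no longer verifies. The check is cheap enough for a constrained device, which is the point: the cost of this defense is far below the cost of a fleet-wide re-provisioning.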

The threat taxonomy

The Viasat attack is instructive because it represents only one category of threat in a taxonomy that is broader and more varied than most people realize. Space systems face four distinct classes of attack, and understanding the differences between them matters because they require different defenses, and because not all of them are equally likely.

The cheapest and most common is radio frequency jamming, overwhelming a satellite’s signal with noise on the same frequency. GPS jamming in the Baltic Sea and Black Sea has become routine. Russia operates GPS jamming equipment along its borders and around military installations with enough power to affect commercial aviation. In 2024, multiple commercial flights into Eastern Europe reported GPS spoofing that placed aircraft hundreds of kilometers from their actual positions. The Finnish Transport and Communications Agency documented over a thousand GPS interference incidents in a single year. Jamming requires no sophistication. It requires a transmitter, an antenna, and knowledge of the target frequency. It is the radio equivalent of shouting over someone at a dinner table: crude, effective, and difficult to prevent without fundamentally redesigning the communication architecture.

Spoofing is jamming’s more dangerous sibling. Instead of drowning out a signal, a spoofing attack replaces it with a false one. GPS spoofing can convince a receiver that it is somewhere it is not, a capability with obvious implications for navigation, military targeting, and autonomous systems. The technical barrier is higher than for jamming, because the spoofed signal must be coherent and convincing enough to be accepted by the receiver as authentic. But the equipment needed has become cheaper, the techniques better documented, and the demonstrated incidents more frequent. What was once a nation-state capability is approaching the reach of well-resourced non-state actors.
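One defensive check that a receiver, or the system consuming its output, can apply is physical plausibility: a fix that implies an impossible ground speed since the last trusted fix is treated as suspect rather than accepted. The block below is an added example and is not from the article or any real receiver; the track, timestamps and speed limit are constructed. It catches the abrupt jumps described above, not a slow, coherent drift, which needs other checks (signal power, clock consistency, inertial cross-checks) that this example does not cover.

```python
"""Plausibility filter over a sequence of GNSS fixes (added example, constructed data).
A fix whose implied speed from the last *trusted* fix exceeds what the platform
can physically do is flagged. Flagged fixes never become the new reference, so a
single spoofed jump cannot anchor the checks that follow it."""
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_implausible_fixes(fixes, max_speed_kmh: float):
    """fixes: list of (t_seconds, lat, lon), in arrival order.
    Returns the indices of fixes that imply a speed above max_speed_kmh
    (or a non-advancing timestamp) relative to the last trusted fix."""
    flagged = []
    ref = fixes[0]                      # first fix is trusted by assumption
    for i in range(1, len(fixes)):
        t, lat, lon = fixes[i]
        dt_h = (t - ref[0]) / 3600.0
        if dt_h <= 0:                   # time must move forward
            flagged.append(i)
            continue
        speed = haversine_km(ref[1], ref[2], lat, lon) / dt_h
        if speed > max_speed_kmh:
            flagged.append(i)           # do not advance ref: keep the trusted fix
        else:
            ref = fixes[i]
    return flagged


# Constructed airliner track over Poland: two normal fixes a minute apart,
# a third fix teleported several hundred km north-east, then a normal fix.
TRACK = [
    (0,   52.0, 21.0),
    (60,  52.1, 21.15),    # ~15 km in 60 s, ~900 km/h: plausible for an airliner
    (120, 55.5, 24.0),     # ~420 km in 60 s: physically impossible, flag it
    (180, 52.2, 21.3),     # consistent with fix 1, so accepted
]
AIRLINER_MAX_KMH = 1100.0  # constructed ceiling for a commercial jet's ground speed

if __name__ == "__main__":
    bad = flag_implausible_fixes(TRACK, AIRLINER_MAX_KMH)
    for i in bad:
        print("suspect fix", i, TRACK[i])
```

Because the spoofed fix is dropped rather than trusted, the fourth fix is judged against the second one and passes; had the filter blindly advanced its reference, the genuine fix would have been the one flagged.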

Cyber intrusion, the Viasat model, targets the digital infrastructure that controls, commands, and connects satellites. This includes ground stations, telemetry and command links, network management systems, and the software supply chain that supports all of these. Cyber intrusion is the most versatile category because it can achieve effects ranging from data theft to permanent destruction, and because the attack surface is vast. Every satellite constellation depends on ground infrastructure that is, at its core, an IT system, with all the vulnerabilities that implies. The ground segment is where traditional cybersecurity meets space operations, and the intersection is less well defended than either community would like to admit.

The fourth category, kinetic anti-satellite weapons, gets the most attention and poses the least likely near-term threat. China demonstrated a direct-ascent ASAT weapon in 2007, destroying one of its own satellites and creating a debris field of over 3,000 trackable fragments that will remain in orbit for decades. Russia conducted a similar test in 2021, generating debris that forced the International Space Station crew to shelter in their return vehicles. Kinetic ASAT is dramatic, but it is also self-defeating: the debris it creates threatens every object in orbit, including the attacker’s own satellites. It is the nuclear option of orbital warfare: theoretically available, practically constrained by the consequences. The real threat is not kinetic. It is electromagnetic and digital.

Inspector satellites and orbital stalking

In 2014, a Russian satellite designated Luch (also known as Olymp) maneuvered into the geostationary belt and parked itself between two Intelsat satellites, commercial communications birds used, among other things, by Western military and government customers. Luch remained there for months, close enough to intercept signals, before moving to a position near another Intelsat satellite. Over the following years, Russia launched additional Luch-series satellites, and a pattern emerged: these spacecraft systematically approach, linger near, and occasionally follow satellites operated by Western governments and their commercial providers.

This is what the space security community calls proximity operations, or, less diplomatically, orbital stalking. Russia is not alone in the practice. China’s Shijian series of “experimental” satellites have conducted repeated close-approach maneuvers near other objects in orbit, including rendezvous and proximity operations that demonstrate an ability to inspect, shadow, and potentially interfere with foreign spacecraft. The United States has its own inspection capabilities, though it discusses them less publicly.

The implications are significant. A satellite that can approach another satellite closely enough to inspect it can also approach closely enough to jam its communications, intercept its signals, interfere with its solar panels, or physically disable it. None of these actions would create trackable debris. None would produce an obvious signature visible from the ground. Attribution would be difficult, response options limited. This is the gray zone of orbital warfare, actions that fall below the threshold of kinetic conflict but above the threshold of normal operations, and for which there are no established norms, no red lines, and no enforcement mechanisms.

The legal framework governing space, principally the 1967 Outer Space Treaty, was written before the idea of hostile satellite-to-satellite operations was technically plausible. It prohibits weapons of mass destruction in orbit and bars the militarization of celestial bodies. It says nothing about a satellite parking itself next to another satellite and listening. It says nothing about cyberattacks on ground infrastructure. The treaty’s silence on these matters is not an oversight of its era; it is a structural gap that no subsequent agreement has filled.

The unpatched fleet

The core vulnerability of the global satellite infrastructure is not exotic. It is mundane. Most satellites currently in orbit were designed and launched before cybersecurity was considered a design requirement.

Traditional satellite design treats the space segment as a closed system. The satellite communicates with its ground station through telemetry, tracking, and command links that were historically considered secure because accessing them required specialized equipment and knowledge of the operating frequencies and protocols. Security through obscurity, the assumption that the system is safe because attackers do not know how it works, was the implicit model. For decades, this was arguably adequate, because the barrier to entry for interfering with a satellite was genuinely high.

That barrier has collapsed. Software-defined radios have made it possible to receive and transmit on satellite frequencies with inexpensive commercial hardware. Satellite communication protocols have been reverse-engineered and documented in academic papers and open-source projects. Ground station software, like any enterprise IT system, accumulates vulnerabilities over time, and unlike enterprise IT, many satellite ground systems were not designed with patching, updating, or incident response in mind. The Viasat attack exploited none of these exotic vectors. It walked in through a VPN.

The problem is compounded by the permanence of space hardware. A satellite launched in 2015 with unencrypted command links will operate with unencrypted command links until it is decommissioned. There is no firmware update that can add encryption to a radio that was not designed to support it. There is no patch for a hardware architecture that lacks the computational resources for modern cryptographic protocols. The satellite works exactly as designed; it is the threat environment that has changed around it.

Newer constellations are better, but not uniformly so. The NewSpace revolution has prioritized speed to orbit, low cost, and rapid iteration, values that do not naturally align with the slower, more expensive process of security engineering. A startup building a constellation on venture capital timelines faces constant pressure to reduce weight, cost, and complexity. Encryption adds processing overhead. Authentication adds latency. Redundant command paths add mass. Each security feature competes directly with the constraints that determine whether the business survives long enough to reach orbit. The incentives are misaligned in exactly the way that produced decades of insecure software on the ground, and the space industry is positioned to repeat every one of those mistakes at orbital altitude.

Who builds the shield

The recognition that space systems need cybersecurity has produced a small but growing ecosystem of companies and government programs attempting to address the problem.

SpiderOak, a company originally known for end-to-end encrypted cloud storage, has pivoted to providing zero-trust security infrastructure for satellite operations. Their approach treats every component in the space communications chain (satellite, ground station, relay, user terminal) as potentially compromised, and requires cryptographic authentication at every handoff. It is the space equivalent of the zero-trust network architecture that has become standard in enterprise IT, applied to a domain where the idea is still novel. The company has secured contracts with the US Space Force and is working with commercial constellation operators.
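At the link level, "cryptographic authentication at every handoff" comes down to something like the following: each command frame carries a tag the receiver verifies before it looks at anything else, and a sequence counter that must strictly increase, so a frame captured off the air cannot simply be retransmitted. This is an added illustration, not SpiderOak's code and not an implementation of any CCSDS standard; the frame layout, the link key and the commands are all constructed. It is the counterpart to the unencrypted, unauthenticated command links described in the previous section: a satellite built without this check will accept any frame it can demodulate.

```python
"""Authenticated, replay-protected command frame (added example, constructed format).
Frame layout: seq (uint32 BE) | len (uint16 BE) | command | 16-byte tag.
The tag is verified BEFORE the sequence check so that a forged frame can never
move the receiver's counter."""
import hashlib
import hmac
import struct

KEY = hashlib.sha256(b"constructed-demo-link-key").digest()  # provisioned link key (demo)
HEADER_LEN = 6
TAG_LEN = 16  # truncated HMAC-SHA256 tag


def build_frame(key: bytes, seq: int, command: bytes) -> bytes:
    """Sender side (ground station): bind sequence number and command under the key."""
    header = struct.pack(">IH", seq, len(command))
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class CommandReceiver:
    """Receiving side (satellite or relay): accept a frame only if its tag verifies
    and its sequence number is higher than every frame accepted so far."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []   # commands handed on to the command processor
        self.rejected = []   # reasons, for telemetry / anomaly detection

    def receive(self, frame: bytes) -> str:
        if len(frame) < HEADER_LEN + TAG_LEN:
            return self._reject("truncated frame")
        seq, length = struct.unpack(">IH", frame[:HEADER_LEN])
        if len(frame) != HEADER_LEN + length + TAG_LEN:
            return self._reject("length mismatch")
        body, tag = frame[:HEADER_LEN + length], frame[HEADER_LEN + length:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return self._reject("bad tag")              # forged or modified command
        if seq <= self.last_seq:
            return self._reject("replayed or out-of-order sequence %d" % seq)
        self.last_seq = seq
        self.accepted.append(body[HEADER_LEN:])
        return "accepted"

    def _reject(self, reason: str) -> str:
        self.rejected.append(reason)
        return "rejected: " + reason


if __name__ == "__main__":
    rx = CommandReceiver(KEY)
    f1 = build_frame(KEY, 1, b"PTCH +0.5")   # constructed commands
    f2 = build_frame(KEY, 2, b"TX ON")
    print(rx.receive(f1), rx.receive(f2))
    print(rx.receive(f1))                                       # replay of a captured frame
    print(rx.receive(f2[:HEADER_LEN] + b"TX OF" + f2[HEADER_LEN + 5:]))  # modified in flight
    print(rx.receive(build_frame(b"x" * 32, 99, b"SAFE MODE")))  # forged without the key
    print("rejections logged:", rx.rejected)
```

The rejection reasons are worth keeping as telemetry: a burst of bad-tag or replayed frames on a command link is exactly the anomaly a ground segment's monitoring should surface, and it costs nothing extra to record.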

Aalyria, spun out of Google’s Project Loon, is building software for managing complex communications networks that span terrestrial, aerial, and space segments, with security as a foundational layer rather than an afterthought. Their Spacetime platform models the dynamic topology of a satellite network and optimizes routing in real time, incorporating encrypted links and resilient path selection.

On the government side, the US Space Force stood up dedicated cyber squadrons for space systems in 2023, acknowledging that defending satellites requires the same specialized capability as defending any other critical infrastructure. ESA has published cybersecurity guidelines for satellite operations, though compliance remains voluntary. The European Union’s NIS2 directive, which expanded cybersecurity requirements across critical sectors, explicitly includes space for the first time, a regulatory signal that may eventually produce binding standards.

But the gap between recognition and implementation remains wide. Most operational satellites were launched before any of these initiatives existed. The companies building security solutions are small, early-stage, and competing for attention against more visible space ventures. Government programs are slow and procurement-heavy. The pattern is familiar from terrestrial cybersecurity: the threat evolves at the speed of exploit development, the defense evolves at the speed of institutional adaptation.

The doctrine gap

There are no binding international cybersecurity standards for commercial satellites. NIST Special Publication 800-233, released in 2023, provides a voluntary cybersecurity framework for satellite command and control, a useful document, but one that carries no enforcement mechanism. The Tallinn Manual offers academic analysis of how existing international law applies to cyber operations, including those targeting space systems, but it is a scholarly work, not a treaty. No international agreement defines what constitutes a cyberattack on space infrastructure, what threshold of interference triggers the right to self-defense, or what obligations satellite operators bear for the security of their systems.

This is not a minor gap. It is a structural absence at the intersection of two domains, cyber and space, where the rules are individually underdeveloped and jointly nonexistent. A nation that jams GPS signals over its neighbor’s airspace is violating radio regulations, but the enforcement mechanism is a complaint to the International Telecommunication Union. A nation that parks an inspector satellite next to a military communications bird and intercepts its signals is operating in a domain where there is literally no rule to break. A cyberattack that disables a commercial satellite used for military communications occupies a gray zone where the definitions of “attack,” “armed conflict,” and “proportional response” are contested by every legal scholar who has examined them.

The Outer Space Treaty is fifty-nine years old. The ITU Radio Regulations were not designed for adversarial operations. The Budapest Convention on Cybercrime does not address space systems. The gap is not closing; it is widening, because the capabilities are advancing faster than the institutions that would govern them.

The asymmetry

The uncomfortable reality of space cybersecurity is a fundamental asymmetry: attacking a satellite system is cheaper than defending one.

A GPS jammer that can disrupt navigation across a region costs less than a used car. The AcidRain malware that disabled the Viasat network was a straightforward wiper, not a sophisticated zero-day exploit, but a blunt instrument pushed through an open door. An inspector satellite capable of proximity operations costs millions to build and launch, but the intelligence it can gather or the interference it can cause may be worth orders of magnitude more. In each case, the economics favor the attacker.

Defending satellites, by contrast, requires investment across the entire lifecycle: secure design, encrypted communications, authenticated command channels, resilient ground infrastructure, anomaly detection, incident response capability, and ongoing monitoring, all for assets that cannot be physically serviced after launch and that must operate autonomously for years or decades. Every dollar spent on defense is a dollar not spent on capability, and in a market driven by cost competition and speed to orbit, defense consistently loses.

This is not a new pattern. It is the same asymmetry that has defined terrestrial cybersecurity for decades: the attacker needs to find one vulnerability, the defender needs to close all of them. But in space, the asymmetry is amplified by the permanence of the hardware, the difficulty of patching deployed systems, and the absence of regulatory pressure to invest in security.

The space industry stands at a point that the terrestrial internet passed through in the late 1990s: a period of rapid growth, immense optimism, and systematic underinvestment in security. The lessons of what followed on the ground, decades of breaches, billions in damages, an entire cybersecurity industry built to solve problems that should never have been created, are available. Whether the space industry will learn from them or repeat them is not a technical question. It is a question of incentives, regulation, and institutional will. The satellites are going up either way. The question is whether they will be defended when they get there.