Satellite Attack Vectors & Threat Landscape
Overview
Satellite systems present a uniquely broad attack surface that spans the electromagnetic spectrum, the software stack, the physical supply chain, and — in the most extreme cases — orbital mechanics itself. Unlike terrestrial networks where an attacker typically needs proximity or network access, satellite signals traverse open space and can be received, analyzed, and attacked from continental distances with increasingly affordable equipment.
This page catalogs the full spectrum of satellite attack vectors organized by technique. Each section examines the technical mechanism, required attacker capabilities, real-world precedents, and the protocol-layer weaknesses (detailed on the Satellite Communication Protocols page) that enable the attack. For defensive measures against these vectors, see the Defenses & Countermeasures page.
Attack Surface Map
The following diagram maps primary attack vectors to the three physical segments of a satellite system — space, link, and ground — along with the cross-cutting supply chain domain.
graph TB
subgraph "Space Segment Attacks"
S1["On-Board Computer Exploitation"]
S2["Firmware Manipulation"]
S3["Command Injection via TT&C"]
S4["Bus Hijacking"]
S5["Sensor Spoofing<br/>(Star Tracker, Sun Sensor)"]
S6["Side-Channel Attacks"]
end
subgraph "Link Segment Attacks"
L1["Signal Jamming<br/>(Spot, Barrage, Sweep)"]
L2["GPS/GNSS Spoofing"]
L3["SATCOM Spoofing"]
L4["Eavesdropping / SIGINT"]
L5["Meaconing<br/>(Replay Attacks)"]
L6["Man-in-the-Middle"]
end
subgraph "Ground Segment Attacks"
G1["TT&C Station Compromise"]
G2["VSAT Hub Exploitation"]
G3["NOC/SOC Infiltration"]
G4["VPN & Remote Access Attacks"]
G5["Antenna Control System Attacks"]
G6["Terrestrial Network Pivot"]
end
subgraph "Supply Chain & Cyber-Physical"
C1["Component Backdoors"]
C2["Firmware Supply Chain"]
C3["Insider Threats"]
C4["ASAT Kinetic Kill"]
C5["Directed Energy Weapons"]
C6["RPO Inspection/Interference"]
end
SAT["🛰️ Target Satellite System"]
S1 & S2 & S3 & S4 & S5 & S6 --> SAT
L1 & L2 & L3 & L4 & L5 & L6 --> SAT
G1 & G2 & G3 & G4 & G5 & G6 --> SAT
C1 & C2 & C3 & C4 & C5 & C6 --> SAT
style SAT fill:#e94560,stroke:#e94560,color:#fff
1. Signal Jamming
Jamming is the deliberate transmission of RF energy to disrupt satellite communications. It is the most accessible attack vector against satellite systems — requiring only a transmitter, an amplifier, and a directional antenna. No knowledge of the target protocol is needed for brute-force approaches.
Jamming Types
Spot Jamming: Concentrates all transmitter power on a single frequency. Highly effective against narrowband signals (SCPC carriers, specific TDMA channels) but trivially defeated by frequency hopping if the target employs it.
Barrage Jamming: Spreads energy across a wide bandwidth to deny an entire transponder or frequency band. Less energy per Hz than spot jamming, so it requires more transmitter power for the same effect. Effective against wideband signals where the target frequency cannot be predicted.
Sweep Jamming: Rapidly sweeps across a frequency range, briefly jamming each frequency in sequence. A compromise between spot and barrage — it provides wider coverage than spot jamming with higher instantaneous power density than barrage. Effective against frequency-hopping systems with known hop sets.
Deceptive Jamming: Transmits signals that mimic legitimate communications to confuse the receiver’s synchronization, timing recovery, or demodulation. More sophisticated than noise jamming because the receiver cannot simply filter by signal characteristics. Requires knowledge of the target protocol’s waveform.
Uplink vs. Downlink Jamming
| Characteristic | Uplink Jamming | Downlink Jamming |
|---|---|---|
| Target | Ground-to-satellite signal at the satellite receiver | Satellite-to-ground signal at the ground receiver |
| Jammer location | Must be within the satellite’s receive beam footprint | Must be near the target ground receiver |
| Power required | High — must overcome the path loss to GEO orbit (~200 dB at Ku-band) | Low — jammer is close to the victim receiver |
| Affected users | All users on the jammed transponder/beam | Only users near the jammer |
| Detection | Satellite operator can detect via anomalous uplink power | Localized, harder for the operator to detect |
| Attribution | Can be geolocated by the satellite operator using beam patterns | Requires ground-based DF (direction finding) |
| Legality | Violates ITU Radio Regulations globally | Violates national RF regulations |
Uplink jamming is strategically more significant because it affects all users simultaneously, but it requires significant transmitter power (typically kilowatts) and a large directional antenna pointed at the satellite. Nation-states and military organizations are the primary actors with this capability.
Downlink jamming is tactically more accessible. A few watts of power from a portable jammer can deny satellite reception across a localized area. This is commonly used for GPS denial in conflict zones and has been observed affecting civil aviation.
GPS Jamming
GPS signals arrive at the Earth’s surface at approximately -130 dBm (about 10^-16 watts). This extraordinarily low power makes GPS trivially jammable:
- A 1-watt L1 jammer effectively denies GPS within a 10-30 km radius depending on terrain
- Commercially available “personal privacy devices” (illegal in most jurisdictions but widely sold online) produce 0.5-2 watts and are commonly used by fleet vehicle operators to evade tracking
- Military GPS jammers produce tens to hundreds of watts and can deny GPS across hundreds of kilometers
Real-world incidents:
- Newark Liberty Airport (2009-2013): Truck drivers using personal GPS jammers on the adjacent New Jersey Turnpike regularly disrupted the FAA’s Ground-Based Augmentation System (GBAS) at Newark airport. The FCC eventually identified and fined the operators.
- South Korea (2010-2016): North Korea conducted multiple GPS jamming campaigns targeting South Korean aviation and maritime operations, affecting thousands of aircraft and ships with truck-mounted jammers positioned near the DMZ.
- Eastern Mediterranean (2018-present): Persistent GPS jamming and spoofing centered on conflict zones has affected commercial aviation across the region. Ships have reported GPS positions displaced by tens of kilometers.
SATCOM Jamming
SATCOM jamming is more complex than GPS jamming because SATCOM signals are typically 20-40 dB stronger at the receiver than GPS signals. However, the satellite transponder itself is vulnerable:
Transponder saturation: A satellite transponder has a fixed gain. If a jammer injects a strong signal into the transponder’s receive bandwidth, the transponder’s automatic gain control (AGC) reduces gain for all signals, effectively suppressing legitimate traffic. This is particularly effective against bent-pipe (transparent) transponders that amplify everything in their bandwidth indiscriminately.
Carrier-to-Interference ratio: The effectiveness of jamming is quantified by the J/S (Jam-to-Signal) ratio at the receiver. For most digital modulation schemes:
- QPSK requires J/S < -6 dB to maintain link (jammer must be at least 4x weaker than signal)
- 16APSK requires J/S < -12 dB (jammer must be 16x weaker)
- Higher-order modulations are progressively more susceptible to interference
This means that systems using higher-order modulation for greater throughput are inherently more vulnerable to jamming — a direct trade-off between capacity and resilience.
Jamming Effectiveness by Frequency Band
| Band | Frequency Range | Typical Satellite Use | Jamming Difficulty | Notes |
|---|---|---|---|---|
| L-band | 1-2 GHz | GNSS, Inmarsat, Iridium | Easy | Low path loss, omnidirectional receive antennas |
| S-band | 2-4 GHz | TT&C, some mobile | Easy-Moderate | Still relatively low frequency, manageable power |
| C-band | 4-8 GHz | Legacy VSAT, broadcast | Moderate | Larger antennas provide some discrimination |
| X-band | 8-12 GHz | Military SATCOM | Moderate-Hard | Often combined with anti-jam techniques |
| Ku-band | 12-18 GHz | VSAT, broadcast TV | Moderate | Dominant commercial band, wide beams |
| Ka-band | 26-40 GHz | HTS broadband | Hard | Narrow spot beams, higher atmospheric loss |
| V-band | 40-75 GHz | Next-gen HTS | Very Hard | Extremely narrow beams, high atmospheric attenuation |
Lower frequency bands are inherently easier to jam because antennas at these frequencies have wider beamwidths (providing less spatial discrimination against jammers) and the path loss is lower (requiring less jammer power). Ka-band and above offer some natural resilience due to narrow spot beams that limit the geographic area from which a jammer can effectively interfere.
2. Spoofing Attacks
Spoofing involves transmitting counterfeit signals designed to be accepted by the victim receiver as authentic. Unlike jamming (which denies service), spoofing provides false service — which can be far more dangerous because the victim may not realize they are under attack.
GPS Spoofing
GPS spoofing exploits the fundamental design flaw of civilian GPS: the L1 C/A signal has no authentication mechanism. The signal structure, spreading codes, navigation message format, and timing are all publicly documented. A spoofer generates signals that are structurally indistinguishable from authentic GPS.
Carry-off attack sequence:
- Alignment phase: The spoofer transmits signals aligned with the genuine GPS signals — same code phase, same navigation data, same Doppler. The victim receiver locks onto both the genuine and spoofed signals simultaneously.
- Power increase: The spoofer gradually increases power until its signals dominate the genuine signals in the receiver’s correlators. The receiver’s tracking loops migrate to the spoofed signals without losing lock.
- Deviation phase: The spoofer slowly introduces timing and position offsets, “carrying” the receiver away from its true position. Gradual deviation avoids triggering receiver consistency checks.
- Control phase: The victim receiver now reports the position and time dictated by the spoofer. The attacker has full control of the victim’s navigation solution.
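A defender's view of the deviation phase, as an added example that is not part of the original page: a per-epoch consistency check never fires on a slow pull, while a CUSUM detector over the same residuals does. The residual definition (GNSS displacement minus INS/odometry displacement per epoch), the noise pattern, and all thresholds are constructed assumptions.

```python
from typing import List, Optional

# Constructed zero-mean measurement noise (metres per epoch), repeated cyclically.
NOISE_PATTERN = [0.8, -0.6, 0.3, -0.9, 0.4]


def build_trace(epochs: int, spoof_start: Optional[int] = None,
                pull_rate: float = 0.0) -> List[float]:
    """Constructed residual trace.

    Residual = displacement reported by GNSS over one epoch minus the
    displacement measured by an independent reference (INS or odometry).
    From spoof_start onward a constant pull_rate (m/epoch) is added, which is
    how a slow carry-off shows up in this residual.
    """
    trace = []
    for i in range(epochs):
        r = NOISE_PATTERN[i % len(NOISE_PATTERN)]
        if spoof_start is not None and i >= spoof_start:
            r += pull_rate
        trace.append(r)
    return trace


def jump_check(residuals: List[float], limit: float) -> List[int]:
    """Per-epoch consistency check: epochs whose residual exceeds limit."""
    return [i for i, r in enumerate(residuals) if abs(r) > limit]


def cusum_first_alarm(residuals: List[float], allowance: float = 0.5,
                      threshold: float = 4.0) -> Optional[int]:
    """Two-sided CUSUM over the residuals.

    allowance: residual magnitude (m) treated as ordinary noise each epoch.
    threshold: accumulated excess (m) that raises the alarm.
    Returns the first alarming epoch, or None if the trace stays quiet.
    """
    pos = neg = 0.0
    for i, r in enumerate(residuals):
        pos = max(0.0, pos + r - allowance)   # sustained positive bias
        neg = max(0.0, neg - r - allowance)   # sustained negative bias
        if pos > threshold or neg > threshold:
            return i
    return None


if __name__ == "__main__":
    clean = build_trace(120)
    spoofed = build_trace(120, spoof_start=60, pull_rate=1.0)

    print("jump check (5 m limit) on spoofed trace:", jump_check(spoofed, 5.0))
    print("CUSUM on clean trace:", cusum_first_alarm(clean))
    alarm = cusum_first_alarm(spoofed)
    print("CUSUM on spoofed trace: alarm at epoch", alarm)
    if alarm is not None:
        carried = 1.0 * (alarm - 60 + 1)
        print(f"receiver was carried about {carried:.0f} m before the alarm")
```

The allowance sets the slowest pull the detector can see: a drift rate below it accumulates nothing, so it should sit just above the reference sensor's own noise and bias.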
Required equipment: A GPS spoofer can be built with a software-defined radio (USRP, HackRF, or similar), the open-source gps-sdr-sim software, and a directional antenna. Total cost: $300-2,000. The Texas Spoofing Test Battery (TEXBAT) at UT Austin has publicly demonstrated these attacks against commercial receivers.
Meaconing: A simpler form of spoofing where genuine GPS signals are received, delayed, amplified, and retransmitted. The retransmitted signals cause receivers to compute incorrect positions corresponding to the meaconer’s location rather than their own. Meaconing requires no knowledge of the GPS signal structure — it simply replays the signal with added delay. This makes it accessible even to unsophisticated adversaries.
Real-world GPS spoofing incidents:
- Black Sea (2017): Over 20 ships in the Black Sea reported GPS positions placing them at Gelendzhik Airport, approximately 25 nautical miles inland. This is consistent with a spoofing attack that shifted the navigation solution to a specific location.
- Iran RQ-170 capture (2011): Iran claimed to have captured a US RQ-170 Sentinel drone by spoofing its GPS to initiate an autonomous landing at an Iranian airfield instead of its home base. While debated, the technical feasibility has been confirmed by subsequent research.
- Shanghai Port (2019): Researchers documented systematic GPS spoofing in Shanghai’s port area creating “spoofing circles” that caused AIS-tracked vessels to display impossible movements.
ADS-B Spoofing for Aviation
Automatic Dependent Surveillance-Broadcast (ADS-B) relies on aircraft self-reporting their GPS-derived position on 1090 MHz. The system uses no authentication or encryption.
Attack mechanism: An attacker with a $20 SDR and open-source software (dump1090, readsb) can inject phantom aircraft into the ADS-B ecosystem. Air traffic controllers and collision avoidance systems (TCAS) will react to these phantom targets. Conversely, an attacker can suppress real aircraft by spoofing a large number of phantom targets to overwhelm surveillance displays.
Satellite connection: ADS-B is increasingly monitored from space by satellite constellations (Aireon, Spire) that receive 1090 MHz broadcasts from aircraft. Spoofed ADS-B signals powerful enough to reach these satellites would appear as legitimate aircraft globally, not just to local ground receivers.
ADS-B spoofing detection challenges: Several detection methods have been proposed (multilateration, signal fingerprinting, Doppler analysis), but none are deployed universally. The aviation industry’s transition to ADS-B mandates (FAA’s 2020 mandate for US airspace) created a dependency on an unauthenticated protocol without a clear path to adding authentication. The proposed ADS-B v3 standard includes message signing, but deployment timelines remain uncertain.
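The multilateration check mentioned above, sketched as an added example that is not from the original page: the position an ADS-B message claims is compared against the time differences of arrival (TDOA) measured at ground receivers. Receiver sites, coordinates, clock jitter and the tolerance are constructed assumptions, and receiver clocks are assumed to be synchronized.

```python
import math
from itertools import combinations
from typing import Dict, Optional, Tuple

Point = Tuple[float, float, float]
C = 299_792_458.0  # speed of light, m/s

# Hypothetical receiver sites in a local east/north/up frame (metres).
RECEIVERS: Dict[str, Point] = {
    "rx_a": (0.0, 0.0, 50.0),
    "rx_b": (40_000.0, 0.0, 30.0),
    "rx_c": (0.0, 40_000.0, 80.0),
    "rx_d": (40_000.0, 40_000.0, 20.0),
}
# Constructed per-receiver timestamp error (seconds).
JITTER = {"rx_a": 1.0e-7, "rx_b": -2.0e-7, "rx_c": 1.5e-7, "rx_d": -0.5e-7}

# Constructed scenarios.
GENUINE_AIRCRAFT: Point = (15_000.0, 22_000.0, 10_000.0)   # reports its true position
GROUND_EMITTER: Point = (5_000.0, 3_000.0, 10.0)           # where the signal really comes from
PHANTOM_CLAIM: Point = (30_000.0, 35_000.0, 11_000.0)      # position the message claims


def arrival_times(emitter: Point, t_tx: float,
                  jitter: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Time of arrival at each receiver for a signal sent from emitter at t_tx."""
    jitter = jitter or {}
    return {name: t_tx + math.dist(emitter, pos) / C + jitter.get(name, 0.0)
            for name, pos in RECEIVERS.items()}


def tdoa_residuals(claimed: Point, toa: Dict[str, float]) -> Dict[Tuple[str, str], float]:
    """Observed TDOA minus the TDOA the claimed position predicts, per receiver pair.

    The unknown transmit time cancels in each difference, so only the
    receivers' own timestamps are needed.
    """
    out = {}
    for a, b in combinations(sorted(toa), 2):
        observed = toa[a] - toa[b]
        predicted = (math.dist(claimed, RECEIVERS[a])
                     - math.dist(claimed, RECEIVERS[b])) / C
        out[(a, b)] = observed - predicted
    return out


def position_is_plausible(claimed: Point, toa: Dict[str, float],
                          tolerance_s: float = 1e-6) -> bool:
    """True if every receiver pair agrees with the claimed position within tolerance."""
    if len(toa) < 3:
        raise ValueError("need at least three receivers for a meaningful check")
    return max(abs(r) for r in tdoa_residuals(claimed, toa).values()) <= tolerance_s


if __name__ == "__main__":
    real = arrival_times(GENUINE_AIRCRAFT, t_tx=12.5, jitter=JITTER)
    fake = arrival_times(GROUND_EMITTER, t_tx=12.5, jitter=JITTER)
    print("genuine report plausible:", position_is_plausible(GENUINE_AIRCRAFT, real))
    print("phantom report plausible:", position_is_plausible(PHANTOM_CLAIM, fake))
    worst = max(tdoa_residuals(PHANTOM_CLAIM, fake).items(), key=lambda kv: abs(kv[1]))
    print(f"worst pair {worst[0]}: {worst[1] * 1e6:.1f} microseconds off")
```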
SATCOM Spoofing
Spoofing satellite communication signals is harder than GPS spoofing because SATCOM systems typically use narrower beams, stronger signals, and more complex protocols. However, it is not impossible:
- Terminal impersonation: On VSAT networks with weak terminal authentication, an attacker can clone a terminal’s identity (MAC address, terminal ID) and transmit on the return link. The hub may accept the spoofed terminal’s traffic, enabling data injection or service theft.
- Hub impersonation: More difficult because the forward link originates from a high-power uplink facility. However, a local attacker near a target terminal could overpower the satellite downlink with a spoofed forward-link signal, taking control of the terminal’s configuration and traffic.
- TT&C command spoofing: If the Telecommand link lacks SDLS authentication (see Protocols page), an attacker who can generate valid TC frames and transmit them at sufficient power toward the satellite can inject unauthorized commands. This is the most dangerous spoofing scenario — it could enable an attacker to repoint antennas, change transponder settings, or command the satellite into safe mode.
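What command-link authentication buys the receiver, as an added example that is not from the original page and not any spacecraft's flight code: a frame is executed only if its MAC verifies and its sequence number is fresh, so forged, modified and replayed frames are all dropped. The frame layout is a simplified stand-in rather than the CCSDS TC/SDLS format, HMAC-SHA256 truncated to 16 bytes stands in for the MAC algorithm, and the key, spacecraft ID and command strings are constructed.

```python
import hashlib
import hmac
import struct

# Simplified, hypothetical layout: spacecraft_id (2) | seq (4) | payload | mac (16)
HEADER = struct.Struct(">HI")
MAC_LEN = 16

ACCEPTED = "accepted"
MALFORMED = "rejected: malformed frame"
BAD_MAC = "rejected: bad MAC"
WRONG_SCID = "rejected: wrong spacecraft id"
REPLAY = "rejected: replayed or out-of-window sequence number"


def _mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key: bytes, scid: int, seq: int, payload: bytes) -> bytes:
    """Ground side: header and payload followed by a MAC over both."""
    body = HEADER.pack(scid, seq) + payload
    return body + _mac(key, body)


class CommandReceiver:
    """Spacecraft side: verify the MAC first, then freshness, then hand over the payload."""

    def __init__(self, key: bytes, scid: int, window: int = 32):
        self.key = key
        self.scid = scid
        self.window = window      # how far ahead a sequence number may jump
        self.last_seq = 0         # highest sequence number accepted so far
        self.executed = []        # payloads that passed every check

    def accept(self, frame: bytes) -> str:
        if len(frame) < HEADER.size + MAC_LEN:
            return MALFORMED
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        # Constant-time comparison; nothing in the frame is trusted before this passes.
        if not hmac.compare_digest(tag, _mac(self.key, body)):
            return BAD_MAC
        scid, seq = HEADER.unpack_from(body)
        if scid != self.scid:
            return WRONG_SCID
        # Anti-replay: the sequence number must move forward, within the window.
        if not (self.last_seq < seq <= self.last_seq + self.window):
            return REPLAY
        self.last_seq = seq
        self.executed.append(body[HEADER.size:])
        return ACCEPTED


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed key
    rx = CommandReceiver(key, scid=0x2A)
    good = build_frame(key, 0x2A, 1, b"SET_MODE NOMINAL")

    tampered = bytearray(build_frame(key, 0x2A, 2, b"SET_MODE NOMINAL"))
    tampered[HEADER.size] ^= 0x01               # one payload bit changed in transit

    cases = [
        ("valid frame", good),
        ("same frame recorded and replayed", good),
        ("frame built without the key", build_frame(b"\x00" * 32, 0x2A, 2, b"SAFE_MODE")),
        ("modified payload", bytes(tampered)),
        ("sequence number far ahead", build_frame(key, 0x2A, 1000, b"SET_MODE NOMINAL")),
    ]
    for label, frame in cases:
        print(f"{label:35s} -> {rx.accept(frame)}")
```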
3. Eavesdropping & SIGINT
Satellite signals travel through open space and can be received by anyone with appropriate equipment within the beam footprint. This makes satellite communications particularly susceptible to passive intelligence gathering.
VSAT Traffic Interception
The most extensively documented civilian satellite eavesdropping research was conducted by James Pavur at Oxford University. His work demonstrated the following:
Equipment required: A 1.2-meter offset satellite dish (approximately $200), a DVB-S2 PCIe tuner card ($200), and a commodity PC running open-source DVB software. Total cost under $500.
What was intercepted:
| Category | Examples Found | Encryption Status |
|---|---|---|
| Maritime vessel operations | Crew personal communications, navigation data, cargo manifests | Unencrypted |
| Aviation in-flight connectivity | Passenger browsing, email, airline operational data | Partially encrypted (HTTPS), metadata exposed |
| Corporate VSAT | Email attachments, database queries, VoIP calls | Mixed — many networks unencrypted |
| Energy sector | SCADA telemetry from offshore platforms, pipeline monitoring | Frequently unencrypted |
| Government/NGO | Humanitarian organization communications, diplomatic traffic | Variable — some encrypted, some not |
| Maritime IoT | AIS transponder data, vessel tracking, engine telemetry | Unencrypted |
Key findings: The forward link (satellite to terminals) is a broadcast — every terminal in the beam, and every eavesdropper, receives the same signal. Traffic isolation depends entirely on upper-layer addressing (GSE labels, IP addressing) and encryption. When encryption is absent — which Pavur found was the case for a significant portion of maritime and enterprise traffic — the data is available to anyone with a dish and a tuner.
Maritime VSAT Intelligence Gathering
Maritime VSAT is a particularly rich intelligence target because:
- Vessel identification: Unencrypted traffic contains vessel names, MMSI numbers, and IMO identifiers that correlate with physical ships. Combined with AIS data, an eavesdropper can build a comprehensive picture of fleet operations.
- Crew communications: Email, social media, and voice calls from crew reveal human intelligence — morale, personnel, operational patterns, and potentially sensitive cargo information.
- Navigation data: ECDIS (Electronic Chart Display) updates, waypoints, and route plans transmitted via VSAT reveal future vessel movements.
- Operational technology: Engine monitoring telemetry, ballast system data, and cargo management traffic reveal vessel capabilities and vulnerabilities.
Military SIGINT Capabilities
Nation-state SIGINT operations against satellite systems are the most sophisticated form of satellite eavesdropping. Capabilities include:
- Large antenna arrays: Ground-based stations with 18-30 meter dishes (Menwith Hill, Pine Gap, Bad Aibling) can intercept even weak satellite signals across multiple bands simultaneously.
- Satellite-based SIGINT: Dedicated SIGINT satellites in GEO and HEO orbits can intercept uplink signals from ground terminals that would normally be inaccessible to ground-based collection. The US MENTOR/ORION program and similar programs by other nations operate spacecraft with antenna apertures reportedly exceeding 100 meters.
- Cryptanalysis: Signals that are encrypted with weak or broken algorithms (DVB-CSA, proprietary scrambling) can be decrypted. Even strong encryption can leak metadata (traffic analysis, timing, frequency usage) that reveals operationally significant information.
- Full-spectrum collection: Military SIGINT systems collect across all satellite bands simultaneously, correlating traffic patterns across C-band, Ku-band, Ka-band, and X-band to build comprehensive communications intelligence.
DVB-S2 Signal Capture with Consumer SDR
The democratization of satellite eavesdropping has accelerated with consumer SDR hardware:
| Equipment | Cost | Capability |
|---|---|---|
| RTL-SDR v3 dongle | $30 | Receive L-band (GPS, Inmarsat, Iridium) with appropriate antenna |
| Airspy R2 / HF+ | $170-300 | Higher dynamic range, better for crowded spectrum |
| HackRF One | $300 | Full-duplex capable, wider bandwidth (up to 6 GHz) |
| USRP B200/B210 | $700-1,200 | Professional-grade, GPS-disciplined clock, wide bandwidth |
| LimeSDR | $300 | Full-duplex, two channels, up to 3.8 GHz |
Combined with open-source software (gr-dvbs2, leandvb, SatDump, GNU Radio), these SDRs enable:
- Demodulation and decoding of DVB-S2 forward links
- Decoding of Inmarsat AERO/ACARS aviation safety communications
- Reception of Iridium burst traffic (with iridium-toolkit)
- GNSS signal analysis and recording for replay attacks
- Spectrum monitoring for satellite frequency mapping
4. Ground Segment Exploitation
The ground segment is frequently the weakest link in satellite security because it consists of conventional IT infrastructure — servers, networks, operating systems — that is subject to all the vulnerabilities of terrestrial systems, combined with unique satellite-specific attack surfaces.
TT&C Station Attacks
Telemetry, Tracking, and Command (TT&C) stations are the most critical ground infrastructure because they control the spacecraft. A compromised TT&C station gives an attacker direct command authority over the satellite.
Viasat KA-SAT incident (February 2022): The most significant publicly documented satellite ground segment attack. On February 24, 2022 — coinciding with Russia’s invasion of Ukraine — an attacker exploited a misconfigured VPN appliance in Viasat’s KA-SAT ground infrastructure to reach the network management segment. From there, the attacker deployed a destructive wiper malware (AcidRain) to tens of thousands of SurfBeam2 and SurfBeam2+ VSAT modems across Europe. The attack:
- Bricked approximately 30,000 terminals across multiple European countries
- Disrupted Ukrainian military and government satellite communications at the outset of the invasion
- Caused collateral damage to German wind turbine remote monitoring systems (Enercon)
- Required physical replacement of affected terminals — remote recovery was impossible
Lessons from KA-SAT:
- The attack vector was entirely terrestrial (VPN misconfiguration), not satellite-based
- The ground management network had insufficient segmentation between the NOC and the terminal management system
- Destructive attacks on modems are particularly effective because satellite terminals often lack secure boot and cannot be recovered remotely once firmware is corrupted
VSAT Hub Infrastructure
VSAT hub stations process all traffic for a satellite network and are architecturally equivalent to a datacenter with radio equipment. Attack surfaces include:
- Network management interfaces: SNMP, web-based management consoles, and CLI interfaces on hub equipment (modulators, demodulators, routers, encryption devices) are frequently exposed on management VLANs with default or weak credentials.
- Baseband processing equipment: The modulators and demodulators that convert between IP and satellite waveforms run specialized real-time operating systems (often VxWorks or Linux-based) with known vulnerabilities and infrequent patching.
- Encryption key management: If the hub manages encryption keys for terminal communications, compromise of the hub’s key management system exposes all encrypted traffic.
- Monitoring and logging infrastructure: Hub-based SNMP managers, syslog collectors, and performance monitoring systems have access to operational data that reveals terminal locations, traffic volumes, and network architecture.
NOC/SOC Compromise
Network Operations Centers and Security Operations Centers for satellite operators are high-value targets that typically run on standard enterprise IT infrastructure:
- Satellite control software: Mission planning, orbit determination, and command generation software runs on workstations that may be connected to both the operational network and the corporate network. Lateral movement from the corporate network to the operational network is a well-established attack path.
- Credential theft: Operators with access to satellite command systems are targets for spear-phishing, credential stuffing, and social engineering. The relatively small number of personnel with TT&C access makes targeted attacks feasible.
- Insider threat: NOC operators have legitimate access to sensitive systems. A malicious insider could modify command sequences, alter telemetry processing to mask anomalies, or exfiltrate orbital parameters and encryption keys.
Supply Chain Attacks on Ground Equipment
Satellite ground equipment has a complex supply chain with multiple opportunities for compromise:
- Firmware updates: Terminal firmware updates are often distributed via the satellite link itself. If the update mechanism lacks code signing and integrity verification, an attacker with satellite uplink access could distribute malicious firmware to all terminals in a network.
- Third-party components: VSAT modems contain chipsets, RF components, and software from multiple vendors. A compromise at any tier of the supply chain could introduce backdoors.
- Maintenance access: Ground stations require periodic maintenance by vendor technicians who may have remote access credentials. Compromised vendor networks (as seen in the SolarWinds attack pattern) provide a path into satellite operator infrastructure.
5. Space Segment Attacks
Attacking the satellite itself — the space segment — is the most technically challenging but potentially most consequential vector. A compromised satellite can be used for eavesdropping, signal manipulation, or destructive purposes, and physical remediation is impossible.
On-Board Computer (OBC) Exploitation
Modern satellites run sophisticated on-board software on radiation-hardened processors. The OBC handles:
- Attitude and orbit control
- Payload management (transponder switching, beam configuration)
- Thermal management
- Telemetry generation and command processing
- Data storage and downlink scheduling
Attack vectors against the OBC:
- Software vulnerabilities: OBC software is typically written in C/C++ or Ada and may contain memory corruption vulnerabilities. While radiation-hardened processors often lack features like MMUs that enable modern exploit mitigations, the constrained runtime environment limits the attacker’s options.
- Real-time OS vulnerabilities: Common spacecraft RTOS platforms (VxWorks, RTEMS, FreeRTOS) have known CVEs. The lifecycle of a satellite (15-20 years for GEO) means that software patched at launch becomes increasingly vulnerable over the mission lifetime.
- Command injection: If an attacker gains command access (via compromised TT&C or spoofed TC frames), they can upload and execute arbitrary code on the OBC. Some spacecraft support on-orbit software updates, which can be subverted to load malicious payloads.
Firmware Attacks
Satellite firmware — including boot code, FPGA bitstreams, and payload processor software — represents a persistent attack surface:
- Pre-launch compromise: Firmware is loaded during spacecraft integration and test (I&T). A supply chain attack during I&T could introduce backdoors that persist for the satellite’s entire operational life.
- In-orbit update exploitation: Many modern satellites support firmware updates via the command link. If the update process lacks cryptographic verification (code signing), an attacker with command access can replace legitimate firmware with malicious versions.
- FPGA bitstream manipulation: Satellite payloads increasingly use reconfigurable FPGAs. Modified bitstreams could alter signal processing behavior — for example, redirecting a portion of transponder bandwidth to an unauthorized user or introducing subtle signal degradation.
Bus Hijacking
The satellite bus (the platform that provides power, propulsion, thermal control, and attitude control) is the most critical subsystem from a physical security perspective. Bus hijacking could enable:
- Orbit modification: Commanding the propulsion system to change the satellite’s orbit. For GEO satellites, even small velocity changes can cause the satellite to drift out of its assigned orbital slot, disrupting service. Larger maneuvers could place the satellite in an orbit that threatens other spacecraft.
- Attitude control disruption: Mispointing the satellite’s antennas, solar arrays, or thermal radiators. Antenna mispointing directly disrupts communications; solar array mispointing causes power starvation; thermal radiator mispointing causes thermal runaway.
- Decommissioning: Commanding the satellite to execute end-of-life maneuvers (GEO graveyard orbit raise, LEO deorbit burn) prematurely, permanently destroying the asset.
Sensor Spoofing
Satellites rely on multiple sensors for attitude determination. Spoofing these sensors could cause the satellite to lose orientation:
Star tracker attacks: Star trackers are the primary high-accuracy attitude sensor on most spacecraft. They image the star field and match observed patterns against an onboard catalog. A directed laser or bright light source could:
- Blind the tracker (temporary or permanent damage to the CCD/CMOS sensor)
- Introduce false star detections that cause incorrect attitude solutions
- Force the satellite to rely on lower-accuracy backup sensors (sun sensors, magnetometers, gyroscopes)
Sun sensor spoofing: Bright light sources directed at sun sensors could cause incorrect sun-vector measurements, affecting both attitude determination and solar array pointing.
Side-Channel Attacks in Space
The space radiation environment and electromagnetic characteristics of spacecraft create unique side-channel opportunities:
- Power analysis: Variations in a satellite’s power consumption may be observable through subtle changes in its transmitted signal characteristics. While ground-based power analysis of space assets is speculative, a co-orbital inspector satellite could potentially perform electromagnetic emanation analysis.
- Timing analysis: The timing of satellite responses to commands may leak information about the on-board processing state, enabled encryption algorithms, or command queue depth.
- Radiation-induced faults: Single-event upsets (SEUs) caused by space radiation can flip bits in memory. While not an intentional attack, an adversary aware of a satellite’s vulnerability to SEUs could time operations to coincide with periods of elevated radiation (solar particle events) to increase the probability of exploitable faults.
- Electromagnetic emanation: Spacecraft electronics emit electromagnetic radiation that correlates with processing activity. A co-orbital inspector satellite with sensitive receivers could potentially characterize the target’s cryptographic operations, processing architecture, or software behavior through emanation analysis — a space-based variant of TEMPEST collection.
6. Supply Chain Threats
The satellite supply chain is global, complex, and involves a relatively small number of specialized suppliers — making it both a critical dependency and a concentrated target.
Compromised Components
Satellite subsystems contain components sourced globally:
- Radiation-hardened processors (limited to a few fabs worldwide)
- Space-qualified RF components (TWTAs, SSPAs, LNAs)
- Reaction wheels, star trackers, and other ADCS hardware
- Solar cells and power conditioning electronics
Counterfeit components: The satellite industry has documented cases of counterfeit or substandard electronic components entering the supply chain. Unlike terrestrial electronics where counterfeits primarily affect reliability, counterfeits in space hardware can introduce undocumented behavior or deliberately weakened security properties.
Firmware Backdoors
The software supply chain for satellite firmware involves:
- RTOS vendors (Wind River VxWorks, RTEMS community, custom implementations)
- Board support packages from hardware vendors
- Third-party libraries (cryptographic, compression, protocol stacks)
- Development tool chains (compilers, linkers, debuggers)
A compromise at any point in this chain could introduce backdoors. The Thompson Trust attack (“Reflections on Trusting Trust”) applies with particular force to satellite systems where post-deployment forensics are essentially impossible.
ITAR/Export Control Implications
International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) control the export of satellite technology and create a unique threat landscape:
- Compliance pressure: Strict export controls sometimes prevent allies from sharing threat intelligence about satellite vulnerabilities, creating information asymmetries that adversaries exploit.
- Component sourcing constraints: Export controls limit where operators can source components, sometimes forcing reliance on a single supplier — creating supply chain concentration risk.
- Classification barriers: Security vulnerabilities in military satellite systems are often classified, preventing the broader industry from learning from incidents and implementing fixes.
7. Cyber-Physical Attacks
The most extreme satellite attack vectors involve physical destruction or interference with spacecraft. These are primarily nation-state capabilities but are becoming more accessible.
Anti-Satellite Weapons (ASAT)
Direct-Ascent Kinetic Kill Vehicles: A missile launched from the ground that physically destroys a satellite through kinetic impact. Demonstrated by:
- China (2007): Destroyed the FY-1C weather satellite at 865 km altitude, creating over 3,500 trackable debris objects — the largest single debris-generating event in space history.
- United States (2008): Operation Burnt Frost destroyed the USA-193 satellite at 247 km altitude using a modified SM-3 missile.
- India (2019): Mission Shakti destroyed the Microsat-R satellite at 283 km altitude.
- Russia (2021): Destroyed the Cosmos 1408 satellite at approximately 480 km altitude, creating over 1,500 trackable debris objects that threatened the ISS.
Co-orbital ASAT: A spacecraft is maneuvered into proximity with the target and then collides with it or deploys a projectile. Harder to attribute than direct-ascent weapons because the co-orbital vehicle can be positioned in advance and activated at a chosen time.
Directed Energy Weapons (DEW)
Laser dazzling: A high-power laser directed at a satellite’s optical sensors (star trackers, Earth observation cameras) to temporarily blind them. This does not physically destroy the satellite but can deny capability. Power requirements are moderate (kilowatts) and ground-based laser systems capable of dazzling LEO satellites exist in several nations.
Laser blinding/damage: Higher-power lasers that permanently damage optical sensors or solar cells. Requires megawatt-class lasers or adaptive optics to compensate for atmospheric turbulence. The US, China, and Russia have invested in systems with this capability.
High-powered microwave (HPM): Directed microwave energy that can damage satellite electronics through electromagnetic coupling. Effectiveness depends on the satellite’s shielding and the HPM weapon’s power-on-target. Ground-based HPM weapons face atmospheric attenuation; space-based HPM platforms would be more effective but require significant on-orbit power generation.
Rendezvous and Proximity Operations (RPO)
RPO involves maneuvering a spacecraft close to another spacecraft for inspection, characterization, or interference. Several nations have demonstrated RPO capabilities:
- Russia: The Cosmos 2542/2543 inspector satellites approached the USA-245 (KH-11 reconnaissance satellite) in 2020, coming within an estimated 160 km for inspection. Russia has also deployed satellites (Cosmos 2504, 2519, 2521) that have maneuvered close to other objects.
- China: The SJ-17 satellite has performed multiple proximity operations in GEO, including approaching other Chinese and non-Chinese satellites.
- United States: The GSSAP (Geosynchronous Space Situational Awareness Program) satellites conduct regular RPO missions in GEO for space domain awareness.
RPO threat scenarios:
- Intelligence gathering: Imaging satellite hardware, intercepting side-lobe emissions, characterizing signal parameters
- Electronic attack: Close-range jamming or spoofing of the target’s receivers, command links, or inter-satellite links
- Physical interference: Grappling, paint/obscurant spraying on optical surfaces, deploying interference devices
- Kinetic attack: Physical collision at close range, harder to attribute than direct-ascent ASAT
Space Debris Weaponization
Deliberately creating debris in orbits used by adversary satellites could deny access to those orbital regimes. The Kessler Syndrome scenario — a cascade of collisions creating a debris belt — represents an existential threat to space operations in crowded altitude bands (700-1,000 km LEO).
Fragmentation weapons: Detonating a warhead near a cluster of target satellites could generate a debris cloud that damages multiple spacecraft. The debris would continue to threaten assets in similar orbits for years or decades.
8. Threat Actor Capability Matrix
The following table maps threat actors to their satellite attack capabilities. Capability is assessed based on publicly known incidents and assessed technical capacity.
| Attack Vector | Nation-State | State-Sponsored Group | Criminal Organization | Hacktivist | Insider | Terrorist |
|---|---|---|---|---|---|---|
| GPS jamming (local) | Full | Full | Moderate | Moderate | Full | Low |
| GPS spoofing | Full | Full | Moderate | Low | Moderate | Low |
| SATCOM jamming (uplink) | Full | Limited | None | None | Limited | None |
| SATCOM jamming (downlink, local) | Full | Full | Moderate | Low | Full | Low |
| VSAT eavesdropping | Full | Full | Moderate | Low | Full | None |
| Ground segment network attack | Full | Full | Full | Moderate | Full | Low |
| TT&C station compromise | Full | Moderate | Low | Low | Full | None |
| Satellite command injection | Full | Limited | None | None | Moderate | None |
| Supply chain compromise | Full | Moderate | Low | None | Moderate | None |
| On-board computer exploitation | Full | Limited | None | None | Limited | None |
| ASAT kinetic kill | Full (select nations) | None | None | None | None | None |
| Directed energy weapons | Full (select nations) | None | None | None | None | None |
| RPO inspection/interference | Full (select nations) | None | None | None | None | None |
| ADS-B spoofing | Full | Full | Moderate | Moderate | Full | Low |
| Terminal firmware attacks | Full | Full | Moderate | Low | Full | None |
Capability legend: Full = demonstrated or readily achievable; Moderate = achievable with investment; Limited = theoretically possible but significant barriers; Low = extremely difficult; None = beyond assessed capability.
Threat Actor Profiles
Nation-State: Full-spectrum capability including kinetic ASAT, SIGINT satellites, ground-based directed energy, cyber operations against ground segments, and supply chain influence. Primary motivation: strategic military advantage, intelligence gathering, deterrence. Examples: the Viasat KA-SAT attack (attributed to Russia’s GRU), China’s 2007 ASAT test.
State-Sponsored Groups: Access to state resources without direct attribution. Capable of sophisticated cyber operations against ground segments, VSAT eavesdropping at scale, and GPS spoofing campaigns. Limited in kinetic and space-based capabilities. Examples: persistent GPS spoofing in conflict zones.
Criminal Organizations: Primarily motivated by financial gain. Capable of VSAT eavesdropping for data theft, ground segment network attacks (ransomware against satellite operators), and satellite service theft (carrier piracy, terminal cloning). Unlikely to invest in space-segment attacks. Examples: maritime VSAT data theft for cargo intelligence, satellite TV piracy.
Hacktivists: Limited technical capability but high motivation for visibility. Most likely to target public-facing satellite operator infrastructure (websites, customer portals) or demonstrate GPS spoofing/jamming for attention. Low capability for space-segment attacks. Examples: targeting satellite operator web infrastructure during geopolitical events.
Insiders: Potentially the most dangerous actor for space-segment attacks because they have legitimate access to command systems, encryption keys, and operational procedures. An insider at a satellite operator, manufacturer, or launch provider could introduce vulnerabilities that persist for the satellite’s entire operational lifetime. Examples: documented insider threat cases in defense satellite programs.
Key Takeaways
- The ground segment is the most attacked surface: Despite the dramatic nature of space-based threats, the vast majority of real-world satellite security incidents have targeted ground infrastructure using conventional cyber attack techniques. The Viasat KA-SAT attack is the canonical example.
- GPS spoofing is an active, ongoing threat: Civilian GPS spoofing has graduated from academic research to a routinely observed phenomenon in conflict zones, shipping lanes, and near national borders. Galileo OSNMA is the first serious countermeasure, but adoption is in its early stages.
- VSAT eavesdropping requires minimal investment: Anyone with a satellite dish, a DVB-S2 tuner, and basic networking knowledge can intercept unencrypted satellite internet traffic. This is not theoretical — it has been extensively demonstrated by academic researchers.
- Nation-state capabilities are expanding: The number of states with demonstrated ASAT and RPO capabilities is growing. The space domain is increasingly militarized, and satellite systems are explicitly recognized as legitimate military targets in conflict doctrines.
- Supply chain risk is difficult to mitigate: The concentrated, specialized nature of the satellite supply chain creates dependencies that are hard to diversify. Post-deployment verification of space hardware is essentially impossible.
- Protocol weaknesses are foundational: Most attack vectors documented on this page exploit the protocol-layer weaknesses analyzed on the Satellite Communication Protocols page. Securing satellite systems requires securing the protocols from the physical layer up.
Further Reading
- Pavur, J. et al., “Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks” (IEEE S&P 2020)
- Humphreys, T., “Statement on the Vulnerability of Civil GPS” (UT Austin / US Senate Testimony, 2012)
- Falco, G., “Cybersecurity Principles for Space Systems” (Journal of Aerospace Information Systems, 2019)
- CISA, “Strengthening Cybersecurity of SATCOM Network Providers and Customers” (Advisory AA22-076A, 2022)
- Harrison, T. et al., “Space Threat Assessment” (CSIS Aerospace Security Project, annual)
- Livingstone, D. & Lewis, P., “Space, the Final Frontier for Cybersecurity?” (Chatham House, 2016)
- For protocol details underlying these attack vectors, see the Satellite Communication Protocols Deep Dive
- For practical security testing techniques, see the Satellite Penetration Testing page
- For documented incidents, see the Real-World Incidents page