Cybersecurity for space systems is now a mainstream topic in the space industry when just a few years ago, this was not the case. In the third rendition of ‘10 Defining Moments in Cybersecurity and Satellite,’ space and cyber influencers weigh in on some of the biggest stories in cybersecurity of the past year, and what these events mean for the space industry.
SALT TYPHOON
Only one place to start, and one of the most talked about, generational cybersecurity events in recent years. Chinese state-sponsored actor Salt Typhoon infiltrated U.S. telecom providers such as Verizon and AT&T. Greg Falco, assistant professor of Aerospace Security and Autonomy, Cornell University, called it “hands down” the biggest attack. Salt Typhoon was a “worst nightmare” that had been imagined for years coming to fruition, where all major telecommunications providers had been hacked. He added, “This has some interesting implications on the satcom industry given the growth in interest of sat-to-cell.”
Clémence Poirier, senior cyber defense researcher for the Cyber Defense Project with the Center for Security Studies (CSS) at ETH Zurich, also believes this could have serious implications for the space sector. “It is frightening to think that there are probably threat actors currently hiding on some satellite network, waiting for the right moment to trigger an attack. Salt Typhoon exploited vulnerabilities in unpatched Fortinet and Cisco network devices and routers. This is exactly what happened to Viasat in 2022,” Poirier said.
Bob Gourley, CEO and co-Founder of OODA, added, “Described by some as the most threatening cyber attack in U.S. history, it demonstrated advanced persistence and exfiltration techniques. This incident highlighted vulnerabilities in telecom systems and underscored the strategic importance of securing national infrastructure.”
THE RISE OF AI
2024 was the year AI entered the mainstream. At CyberSat, it was a huge topic of conversation as people from government, the cyber world, and the satellite community talked about the impact of AI in space security networks. Gourley said the rise of AI-augmented threats and defenses “defined the year.” He spoke of how adversaries increasingly leveraged AI for precision phishing, evasion techniques, and automation of attacks, while defenders adopted AI for real-time detection and response. “The key shift from 2023 was the sophistication and scale at which AI was deployed in both offensive and defensive operations,” he added.
Kim Crider, CEO of Elaranova, said that she believed that AI was the number one trend in the cyber world in 2024. She said that there was a growing application of AI to automate, enhance, and personalize various stages of a cyber attack, including identifying vulnerabilities, creating more convincing phishing emails, evading security systems, and adapting attack strategies in real-time, making them significantly more sophisticated and difficult to detect than traditional attacks; essentially allowing attackers to scale their operations and target victims with greater precision and speed.
Vince Walisko, COO of Optimal SatCom, added, “[We are starting to see] more cyber attacker use of AI to engineer attacks and to create deepfakes. This trend, seemingly, accelerated exponentially from 2023 into 2024.”
QUANTUM STANDARDS
In August last year, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced that it had finalized its principal set of encryption algorithms designed to withstand cyber attacks from a quantum computer. The algorithms announced are specified in the first completed standards from NIST’s post-quantum cryptography (PQC) standardization project, and were ready for immediate use. Gourley hailed this as a “major milestone” as it enabled organizations to begin transitioning to quantum-resistant systems.
He added that, from a space industry perspective, he believed the significance of having the post-quantum cryptography standards finalized is that the industry knows the path forward. “Perhaps more important than the standards is the guidance from the federal government on the requirement to implement them. They should be implemented because it is a smart way to protect current secrets now and far out into the future. But it is also now a requirement for any who will be working with government data, which is most of the space industry these days,” says Gourley. “These standards are very impactful because they will touch almost all systems that have a cryptographic component. This means it is not just a good opportunity to modernize algorithms, it is a good opportunity to modernize old systems.”
US TREASURY HACK EXPOSES FRAGILITY IN SECURITY SYSTEMS
Attacks on government systems and critical infrastructure are becoming a way of life. In December last year, the U.S. Treasury Department reported a “major incident” where Chinese state-sponsored hackers were able to hack their systems. The U.S. Treasury said that “the threat actor was able to override the service’s security, remotely access certain Treasury user workstations, and access certain unclassified documents maintained by those users.”
Daniel Gizinski, president of Comtech’s Satellite & Space Communications Segment, highlighted the ambition of attacks on critical infrastructure and the overall ecosystems. He said the U.S. Treasury compromise late in 2024 represented the lengths to which threat actors can go to compromise critical systems, including through third party tools.
“Many satellite systems have a high level of complexity and rely on third party systems — significantly increasing the attack surfaces and highlighting the importance of a holistic approach to security. Truly understanding system boundaries is critical to securing all systems, including satellites. Ensuring that access is not being over-provisioned is key — there will always be zero day vulnerabilities, and adherence to good security principles aids in limiting the blast radius,” he added.
Gizinski believes the scope, scale, and criticality of attacks like this is massive, and through 2024 he says we are at a point where Pentagon email leaks, major telecom infrastructure vulnerabilities, and the U.S. Treasury hack expose just how “fragile and patchwork our security ecosystem is.”
“The broad scale success of these threat actors represents a meaningful point of concern for many systems that have less sophisticated security systems in place,” he said.
PORT OF SEATTLE UNDER ATTACK
One cyber attack in 2024 that Crider highlighted as having potential implications for the space community came in August last year, when a denial of service attack impacted the Seattle port and airport, heavily disrupting travel for a week. Crider said this kind of attack has serious implications for safety and security of commercial passenger travel and cargo. The Port of Seattle shared details of the Aug. 24 hack in an X post in September of 2024, saying the port identified system outages consistent with a cyber attack, and its staff worked quickly to isolate critical systems.
According to a number of reports at the time, the Rhysida ransomware group was behind the attack that led to widespread and sustained outages at the port, which operates the Seattle-Tacoma International Airport and is one of the busiest ports in the United States. We know that mobility and maritime are key markets for satellite communications. So, cybersecurity in this area is key.
PEACH SANDSTORM
One of the themes of CyberSat last year was the rise in the number of attacks on space-based infrastructure. Every CISO of a satellite company knows there is a target on their back. In a threat briefing issued in late August last year, Microsoft described how Iranian state-sponsored threat actor Peach Sandstorm brought a very direct threat to the satellite sector. In the threat briefing, Microsoft said it had observed Peach Sandstorm deploying a new custom multi-stage backdoor, which it named Tickler. Tickler has been used in attacks against targets in sectors including satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. Microsoft said this activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Microsoft added Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors via LinkedIn.
The theme of more attacks on the space infrastructure is clear. Erin Miller, executive director of Space ISAC, said that throughout 2024, Space ISAC had reported on multiple cyber espionage campaigns targeting aerospace organizations and individuals. Many of these campaigns involved advanced social engineering tactics, targeted phishing lures, and modular backdoors to facilitate espionage and intelligence collection, Miller said.
CROWDSTRIKE
A major Microsoft outage caused by a security update from cybersecurity platform CrowdStrike made major news in July last year. Despite the chaos that this update caused, satellite operators told Via Satellite at the time that they had been unaffected by the Microsoft outage on July 19 that created IT issues in multiple industries around the world and grounded flights.
Microsoft said in a statement that Windows machines using the CrowdStrike Falcon agent were impacted with on-premise and cloud applications including Azure, AWS, and Google Cloud.
CrowdStrike stressed in a statement that it was not a cyber attack. Mac and Linux hosts were not impacted. CrowdStrike identified the issue and issued a fix in the days after. Walisko said this update failure demonstrated just how profound and far-reaching the effects of a supply chain attack can be. He said the CrowdStrike update failure demonstrates several types of vulnerability, including supply chain, insufficient testing, and the granting of elevated-privilege access, that could impact a large universe of systems including critical space infrastructure. Walisko commented that while the CrowdStrike update failure appears to have been caused by human error, if there were an intentional attack on such a platform, interruptions could be introduced into many systems including space-based systems and space-support systems. He added, “This event serves as a clear warning to space system operators to redouble vigilance and efforts to isolate their systems controlling space assets from supply chains provided applications, kernels or utilities. Safeguards against this type of event include further isolation of critical systems, testing in sandbox environments, and introduction of new code into systems one level at a time.”
ARREST OF PAVEL DUROV
A story that made global headlines was the arrest of Telegram CEO and Founder Pavel Durov in France last year. Durov has been charged in relation to Telegram allowing terrorists and extremists to use Telegram seemingly out of reach of the authorities. Poirier said, “The arrest of Durov by French authorities had a significant impact on cyber threat intelligence as many hacktivist groups, which communicated on the platform, either switched their channels to private, deleted their messages, or moved to another platform. It made it more difficult to track these groups, including those that target the space sector.”
CYBERTRUCK ATTACK
One of the most talked about news stories took place on Jan. 1 of this year but is worthy of inclusion here. The incident was the Tesla Cybertruck bomb that went off outside the Trump International Hotel in Las Vegas on New Year’s Day. The key part of the story was that the person involved used ChatGPT to plan the New Year’s Day attack. Falco said this had particular significance because it shows how novices can now easily learn to create attacks.
TAKEAWAYS FROM CYBERSAT
CyberSat had a landmark year in 2024. We had a two-track event for the first time, and a more technical track highlighting use cases and specific technical issues. In terms of key takeaways from CyberSat this year, Gourley said, “The urgency of securing satellite ground systems was a key theme, with real-world case studies showcasing vulnerabilities in this critical infrastructure. Experts emphasized the importance of end-to-end cybersecurity for satellite systems and greater collaboration between governments, private companies, and cybersecurity professionals.”
Gizinski said satellite will continue to be a target for attacks, both direct and indirect. He added, “There is a tremendous reliance on satellite, not just for communications but control of energy systems, pipelines, and water management that make satellites both a broad access point into these systems, and an opportunity to impair system function by removing the communication link. The sophistication we are seeing in these attacks should definitely encourage satellite operators to think hard about protections and controls on their systems.”