When the Space Force discusses the cyber threats faced by the service or the commercial satellite providers it uses, it typically frames the issue as a nation-state one: attacks from an adversary designed to cut off communication links and other space-based systems that U.S. forces on the ground rely upon, as the Russians did to Ukrainian Viasat terminals just before their full-scale invasion in 2022.
But for cyber defenders in the commercial space sector responsible for day-to-day operations, the reality is rather different: Like other providers of vital services—hospitals, universities, and local governments—satellite companies face a daily onslaught of mostly low-level cyberattacks designed to install ransomware or facilitate other financially motivated crimes.
“The most common attack type that we see is phishing,” said Joel Francis, lead analyst in the watch center run by the Space Information Sharing and Analysis Center, an industry group that shares cyber and other threat and vulnerability information across the commercial space sector. The Space ISAC compiles reporting from its member companies, including many DOD vendors, to track trends in cyber threats.
Phishing emails are designed to get the recipient to click a malicious link or open an attachment that installs malware on their device. Automated programs designed for mass commercial emailing allow even unskilled hackers to launch multiple large-scale phishing campaigns, and other black-market toolkits offer easy-to-use hacking software for hire.
“It’s cybercrime as a service,” said Francis.
As a result, he added, “the phishing events that we’re looking at are mostly not extremely targeted.” The campaigns are broad, spanning multiple business sectors, and the techniques and tools are by and large commoditized rather than bespoke or specially crafted.
Financially motivated cyber criminals target providers of critical services because they’re seen as more likely to pay, explained Norm Laudermilch, chief information security officer of Vantor, formerly called Maxar Intelligence. Vantor provides space-based intelligence to the National Geospatial-Intelligence Agency, the U.S. Army, and other government and commercial customers around the world. It is a member of the Space ISAC and an active contributor of threat intelligence to the watch center.
The question criminals ask themselves, said Laudermilch, is “Who’s the most likely to pay the ransom?”
But cybercrime groups aren’t the only ones using phishing against space sector companies. More carefully crafted and targeted emails—known as spear phishing—are often a characteristic of even the most sophisticated cyber campaigns.
Phishing is “assumed to be a very low-sophistication attack, that most large organizations [would say] they’re not worried about,” Francis said. But even the handful of more sophisticated cyber campaigns the Space ISAC had identified over the past year as specifically targeting the space sector started with phishing attacks, he said.
“When we’re looking at these campaigns, we’re looking at the intent from different threat actors. We’re trying to understand what are the actual impacts of these phishing attacks, what are they aiming to achieve?” Francis said at Space ISAC’s Value of Space Summit in June.
Vantor sees a range of threats from low-level cybercrime wannabes to nation-state actors and runs intelligence collection operations against all of them, Laudermilch told Air & Space Forces Magazine.
Vantor’s Orion Threat Intelligence Team, recruited from former military and intelligence operatives, is active on the dark web—a region of the internet accessible only through special encrypted tools like the Tor browser—he said.
Most threat groups are loose networks of hackers, who only know each other online and communicate via password-protected dark web forums or encrypted messaging apps like Telegram, so it’s possible for intelligence analysts to infiltrate and monitor them.
The Orion team “speaks multiple languages, the languages of our threat actors. They live in the deep dark web. They live in hacker forums. They operate with multiple personas, tracking what these threat actors, both nation state and cybercrime, do on a daily basis,” he said.
Financially motivated cybercrime threat groups are the most active on Telegram and the dark web. But nation-state-aligned threat actors use those forums to maintain ties with cybercrime groups they might use as proxies, and many engage directly in financial cybercrime as a side hustle. Even Western intelligence agencies maintain a presence, watching the same hacker groups the Vantor intelligence team does.
In these forums, threat groups will often discuss newly published software vulnerabilities, including which companies they believe could be compromised by exploiting them, Laudermilch said, providing advance clues about their targets.
The Orion team is all-source, Laudermilch said, fusing multiple intelligence streams including “social media narrative intelligence” derived from open sources. “We’re watching what the bad guys are saying about us and what their cohorts are saying about us, and then we’re watching what the botnets run by the major nation-state actors are doing to amplify those messages.”
Nation-state adversaries operate campaigns in multiple domains, he said: cyber, the electromagnetic spectrum, and the information ecosphere. “They’re not just operating in one domain at a time, like the cyber domain or the [radio frequency] domain. They’re also operating and carrying out massive campaigns on social media, and so we’re fusing those data sources together” to get a complete picture of the threat.