The space industry is subject to a dynamic range of threats, spanning disruptive cyberattacks, electronic warfare, and hazards to orbiting satellites. As in 2024, the sector remains exposed to both opportunistic and targeted campaigns, but in 2025 these pressures are amplified by intensifying geopolitical tensions. Space stands at a critical juncture, where its role in national security, defense, and critical infrastructure are becoming inseparable. As space services expand to support global populations and economies, their strategic value also makes them a more prominent and contested target in the broader security environment.
The Cyber Threat Landscape for Space:
In 2025, the space sector faced a broad spectrum of cyber threats. While discussion often centers on emerging and unconventional attack vectors, most reported incidents have involved more established tactics, including distributed denial-of-service (DDoS) attacks on websites and external resources, ransomware-based extortion, and data breaches facilitated by initial access brokers. From January to August 2025, roughly 117 incidents were publicly reported, reflecting a 118 percent increase over the same period in 2024. These figures are derived from publicly reported incidents and therefore likely represent only a portion of actual space-related targeting.
Quantifying the impact of broader campaigns is more challenging, as research reports typically anonymize victims and reference affected sectors rather than individual organizations. Because of its upstream and downstream dependencies, the space industry is frequently grouped with defense, communications, and aerospace, making attribution of specific impacts more complex. This overlap is evident in multiple espionage campaigns observed over the past year. The Salt Typhoon campaign, for example, began as a telecommunications operation but ultimately extended to a satellite communications provider. Similarly, Microsoft identified Void Blizzard, a state-linked actor conducting espionage against aerospace and defense contractors, while Bitter APT targeted Pakistan’s largest telecommunications company, which operates satellite communications infrastructure amid regional tensions with India. Conflict-driven cyber activity has also intensified, as seen in DomainTools’ discovery of a large-scale phishing campaign tied to the Russia-Ukraine war, leveraging spoofed domains to harvest credentials from aerospace and defense organizations. Further underscoring the cross-sector risks, Proofpoint researchers reported a sophisticated campaign in the UAE by “UNK_CraftyCamel,” which deployed a novel backdoor against aviation, satellite communication, and transportation networks.
Taken together, these incidents illustrate how geopolitical conflict, state-sponsored espionage, and custom-built malware are converging to shape the threat environment for the space industry, and more critically, how sophisticated cyber campaigns can reverberate across interconnected sectors, amplifying risks far beyond their initial targets.
Heightened Geopolitical Conflicts Drive Threats to the Space Industry:
The escalation of geopolitical conflicts in the Middle East has significantly shaped the cyber threat landscape, with politically aligned hacktivist groups intensifying their focus on the defense industrial base, aerospace, and space-related entities. The Israel-Iran conflict in particular has amplified this activity, as cyberspace becomes a parallel battleground to conventional hostilities. Between June 12–15, 2025, Radware reported a 700% surge in cyberattacks against Israeli targets, a figure later corroborated by Flashpoint, reflecting the sheer scale of disruption. These operations span destructive malware, disinformation campaigns, and high-noise tactics such as DDoS attacks and web defacements.
Researchers tracking the conflict estimate that between 80 and 150 groups were active participants, with the majority identified as pro-Iranian or pro-Palestinian hacktivists. While many operations remain low-level, such as website defacements, denial-of-service attacks, and social media amplification, they nonetheless contribute to a heightened visibility of the conflict and increased pressure on targeted industries. Aerospace and defense organizations have been frequent victims. Groups like Mr Hamza claim to have targeted 25 aerospace organizations, while GhostSec reported intrusions into VSAT terminals, and ArabianGhosts have claimed responsibility for attacks on Israeli satellite operators. Other groups, including Cyber Unit 89 and Wearerootsec, have alleged the theft of sensitive defense data and credentials tied to defense contractors operating in the space industry.
These campaigns illustrate a broader geopolitical message: hacktivism is being leveraged not only to disrupt but also to erode confidence in the security of critical technologies tied to national defense and space operations. As these groups increasingly repost and amplify each other’s claims on platforms such as Telegram, X, and TikTok, the information warfare element becomes as important as the technical disruption itself. With state-backed groups like Predatory Sparrow and Handala also engaging in more complex attacks, including extortion and targeted infrastructure disruptions, the convergence of hacktivism and state interests signals an elevated and persistent risk to the defense, aerospace, and space sectors.
Supply Chain Attacks, Weaknesses, and Enumerations:
Cyber operations targeting the defense, aerospace, and space sectors increasingly exploit weaknesses in supply chains and widely used enterprise technologies, creating cascading risks across interconnected organizations. These attacks rarely require direct exploitation of space platforms themselves; instead, adversaries weaponize third-party services, cloud infrastructure, and enterprise software to gain access to sensitive data and disrupt operations.
One such example is the ransomware campaign tracked as Codefinger, identified in January 2025, which targeted Amazon Web Services (AWS) S3 buckets, which are often used as a critical storage technology for satellite imagery, sensor data, and communications logs. By leveraging AWS’s customer-managed encryption keys, Codefinger encrypted stolen datasets and demanded ransom for the decryption keys. The campaign highlights how cloud-native features, when misused, can be repurposed into extortion tools against improperly secured but mission-critical space industry resources.
Supply chain compromise has also proven to be a persistent vector, as demonstrated by the TIDRONE campaign, initially disclosed in 2024 and later attributed by Trend Micro to the state-sponsored actor Earth Ammit. By exploiting vulnerabilities in enterprise resource planning (ERP) software, Earth Ammit successfully infiltrated downstream satellite operators and defense suppliers. In May 2025, the Interlock ransomware group extended this trend by directly targeting National Defense Corporation (NDC) and its subsidiary AMTEC, exfiltrating an estimated 4.2 terabytes of sensitive data, including customer files tied to global defense and space stakeholders. Even if overstated, such leaks can create reputational harm, erode trust in prime contractors, and expose downstream partners to further exploitation.
Finally, the ToolShell exploit chain, disclosed by Microsoft in July 2025, demonstrated how ubiquitous enterprise vulnerabilities can be rapidly integrated into advanced persistent threat (APT) playbooks. Multiple state sponsored groups weaponized incomplete patches in on-premises SharePoint servers to gain remote access and code execution, with reporting indicating that a host of nation-state and cybercriminal actors engaged in attack that generated impacts to a variety of high-tech industries. Together, these incidents highlight how adversaries exploit both technological dependencies and vendor relationships, transforming supply chain weaknesses into persistent attack surfaces for the space industry and its partners.
The Recurring Target of GNSS: Electronic Warfare Generates Interference, Jamming, and Spoofing:
Throughout late 2024 and into 2025, geopolitical conflicts have served as a catalyst for increased impacts on Global Navigation Satellite Systems (GNSS). Major conflicts in Ukraine, the Middle East, and India / Pakistan feature electronic warfare designed to deny, degrade, disable, and disrupt GNSS. While this is not a new phenomenon, the continued impact of both purposeful and inadvertent interference, jamming, and spoofing (IJS) continues to jeopardize the functionality of GNSS globally.
GNSS IJS events indicate that operators across maritime, aviation, and telecommunications experience harmful impacts that seek to disrupt global supply chain initiatives, fuel hybrid warfare activities such as information warfare, and threat aviation flight safety. One notable development across geopolitical events is the phenomenon of ‘signal hijacking.’ Throughout the conflict between Ukraine and Russia, there have been multiple reports of this activity to broadcast nefarious propaganda across various television channels. The impacts of GNSS IJS have extended to maritime as well, with reports of vessels running aground in the Baltic Sea / Gulf of Finland, the Red Sea, and the Strait of Hormuz. Additionally, multiple aviation operations have encountered GNSS IJS, threatening flight safety. In one instance still under investigation, this potentially caused a commercial flight to enter a wartime conflict zone, being targeted by Russian air defense systems.
In turn, this has sparked an outlash across multiple European Union nations, the United Nations, the International Telecommunications Union, and more regarding harmful interference impacting satellite operations. More so than ever, within the previous 12 months, nations are beginning to attribute Russia as the source of GNSS IJS and start a call for action to end this attack on satellite systems. In turn, Russia has formally notified international regulators that it will view satellites suspected of supporting Ukraine’s military as continued targets for signal jamming.
Spacecraft Maneuvers & The Dynamic Orbital Environment:
Spacecraft maneuvers exemplify a highly dynamic on-orbit environment driven by multiple Rendezvous & Proximity Operations (RPO) and obfuscated satellite separation events. The Secure World Foundation notes that 12 countries are engaged in counterspace capabilities development, but only nondestructive capabilities are being used in active military conflicts. Supporting this, assessments from the Center for Strategic & International Studies (CSIS) outlines that both Russia and China are engaged in several proactive counterspace activities aimed at militarizing space. Similarly, a top Space Force general and the U.S. Department of Defense have reported that, Chinese and Russian satellites are both performing ‘dogfighting’ maneuvers and rehearsing ‘attack and defense’ tactics in space. Satellites attributed to Russia’s highly secretive ‘Nivelir Program’ have been linked to many concerning maneuvers and tactics on-orbit.
Russia launched a trio of satellites under the ‘Kosmos’ designation (2581, 2582, 2583) that performed multiple maneuvers and engaged in a multi weeklong RPO that was speculated to be linked to offensive and defensive testing. In addition to this, Russia had two satellite separation events, meaning that two distinct Russian satellites released unidentified objects into orbit. Furthermore, Russia launched a satellite on 23 May 2025 into a co-planar orbit with the U.S. government reconnaissance satellite, USA 338, marking the fourth time in five years that a Russian military satellite has been placed in close orbital proximity to a U.S. military satellite.
China completed their ‘Four Heavenly Kings’ network associated with their infamous TJS constellation known to support military missions. It is seen by Western analysts as potentially carrying out classified missions including signals intelligence, early warning missions and satellite inspection activities to support China’s military. Additionally, China has conducted the nation’s first on-orbit refueling / docking mission between SJ-21 and SJ-25, generating concern that a broader mission / test could be occurring. SJ-21 has demonstrated the capability to grab another satellite with a robotic like extension arm and drag it to the graveyard orbit.
Spacecraft Launch and Reentry Exacerbates the Space Environment:
The European Space Agency notes that within certain heavily populated altitude bans, the density of active objects is now the same order of magnitude as space debris. Similarly, the Indian Space Research Organization’s 2024 Space Situational Awareness assessment noted that 2024 witness the highest number of launches and some of the largest debris breakup events since the beginning of the space age.
The United States and China are the forefront leaders of space launch operations. Both nations are currently on pace to have their highest launch ratio per year in 2025. In turn, this has generated multiple instances of space launch operations encountering malfunctions leading to uncontrolled debris reentering, and satellite breakup events on-orbit. For example, there were three major breakup events over the previous 12 months, generating an estimated 700 new pieces of debris on-orbit. As a result, the International Space Station (ISS) has maneuvered on two separate occasions to avoid space debris.
2025 alone has seen six significant events regarding space launch operation failures generating uncontrolled debris reentry events. Currently there are over 2,300 rocket bodies in orbit, with this number increasing by 30 – 40 per year. Uncontrolled reentries in 2024 across payloads, rocket bodies, and debris totaled 2,104. Launches from Russia, China, and the United States have generated multiple airspace concerns regarding the generation of uncontrolled debris events to due launch malfunctions and are likely to continue as these nations expand space operations.
While satellites reenter nearly daily, the concern stems from those that reenter uncontrolled. There is a short lead time for international agencies to implement actionable alerts and warnings. For example, a Russian satellite spent 52 years on-orbit and reentered uncontrolled in May 2025. Prediction estimates for uncontrolled debris reentry events can be off even hours leading up to the reentry window, as many variables and factors are at play that can contribute to these events being catastrophic.
