
The Orbital Internet
In February 2022, one hour before Russian ground forces crossed into Ukraine, a cyberattack disabled Viasat's KA-SAT network across Europe. The attack — later attributed to Russian military intelligence (GRU) by the EU, UK, and US governments — deployed wiper malware (AcidRain) to satellite modems, bricking tens of thousands of terminals. The immediate target was Ukrainian military communications, but the blast radius extended to German wind farm control systems, French emergency services, and internet access across Central Europe.
This single incident demonstrated a reality the space cybersecurity community had warned about for years: satellite internet infrastructure is both militarily significant and deeply fragile. Three years later, the attack surface has expanded dramatically — yet the defensive posture of the industry remains inadequate.
Attack Surface Taxonomy
A satellite internet constellation presents attack surfaces at four distinct layers, each with unique constraints and threat models:
Ground Segment
Ground stations, network operations centers, and user terminals represent the most accessible attack vector. The Viasat attack exploited a VPN appliance vulnerability in the ground segment management network — never touching the satellites themselves. User terminals, manufactured at scale with cost optimization prioritized over security hardening, present consumer-electronics-grade attack surfaces connected to space-grade infrastructure.
8,000+
Active LEO satellites
Internet constellation assets in orbit
50,000+
Projected by 2030
Planned constellation expansion
0
International frameworks
Governing commercial satellite cybersecurity
Space Segment
The satellites themselves run software — and software has vulnerabilities. Unlike terrestrial systems, orbital assets cannot be physically accessed for remediation. Firmware updates must be transmitted via radio frequency uplinks, creating both a patching mechanism and a potential attack vector. A compromised command-and-control channel could theoretically enable an attacker to alter orbital parameters, disable transponders, or modify traffic routing at the constellation level.