Ransomware Attacking Satellite

Ransomware groups and hacktivists are actively targeting satellite and space industries. 

SATCOM Networks and Space Industry Devices are becoming an increasingly important component of the Critical Infrastructure of any nation as they are increasingly integrated into the operations of the Space Industry.

Since SATCOM services are becoming an increasingly critical part of business, it has become obvious that disruptions could severely impact the security and economy of the nation.

In the aerospace and satellite industry, ransomware attacks can damage a number of organizations, leading to delays in space program development and cancellation.

The data leak from space programs can present a strategic advantage to attackers by giving them complete access to a program.

Ransomware groups Targeting Satcom Receivers & Modems

There has been an increase in attacks on the space sector recently due to recent geopolitical developments, as reported by the Cyble Research Intelligence Labs (CRIL).

Space and SATCOM industries have been hit hard with ransomware attacks over the past few months, both directly and indirectly.

Additionally, hacktivist groups such as GhostSec that are actively involved in exploiting satellite receivers are also seen to be more active in attacking them.

Here to specify the following elements of the receiver, the GNSS (Global Navigation Satellite System) receiver interprets the signals received from a group of satellites orbiting the Earth to receive and process them:-

  • Position
  • Velocity
  • Time

While the use of GNSS receivers is done by multiple entities like Military and Government organizations, commercial businesses, and individuals in a multitude of applications, and it includes:-

  • Navigation for ground
  • Sea
  • Air transportation
  • Surveying
  • Mapping
  • Search operations
  • Rescue operations
  • Scientific research

A member of GhostSec shared a Tweet on March 14, 2023, that is linked with their attack on GNSS Receiver.

There are multiple GNSS receivers from several vendors found to be exposed over the internet, and below are the details of exposure for 5 of the most commonly used GNSS receivers in the world:-

  • GNSS-1 – Has a total of 3,641 Internet-Exposed instances.
  • GNSS-2 – Has a total of 4,864 Internet-Exposed instances.
  • GNSS-3 – Has a total of 899 Internet-Exposed instances.
  • GNSS-4 – Has a total of 343 Internet-Exposed instances.
  • GNSS-5 – Has a total of 28 Internet-Exposed Instances.

During their core investigation, several vulnerabilities were detected in internet-exposed GNSS systems by the cybersecurity analysts at Cyble.

While in the case of satellite modems, an attacker can damage satellite modems in a variety of ways. One of the worst is corrupting the modems themselves.

As a result, critical infrastructure sectors could be damaged, and Government or Military secrets could be accessed. 

Hacktivists claimed to have created custom programs as part of the attacks against MegaFon, during which they attempted to thwart predefined operations performed by the router.

As of now, cybersecurity researchers have asserted that several Newtec Satellite modems are exposed to the internet, and their count is about 296.

Besides GhostSec, Lockbit 3.0 is also an emerging and prevalent satellite and space industry threat. As there are already several instances, have been reported in which Lockbit has been found to be targeting and compromising several companies related to this industry.

Here below we have mentioned the companies:-

  • Karnataka State Remote Sensing Application Center
  • Maximum Industries
  • Micos Engineering GmbH
  • Hong Kong Engineering Company Limited

Impacts of corrupted GNSS receivers

Here below, we have mentioned all the severe impacts that could occur if the GNSS receivers are manipulated or corrupted by the threat actors:-

  • Loss of Positioning, Navigation, and Timing (PNT) Accuracy
  • Disruption of Communications
  • Safety Risks
  • Financial Losses
  • Cybersecurity Risks

While apart from this, it’s believed that the “CTI operation and maintenance management system software” could be the one that GhostSec targets.


Here below, we have mentioned all the recommendations provided by the security researchers:-

  • Conduct a thorough risk assessment to identify potential threats and vulnerabilities within the SATCOM environment.
  • SATCOM systems should be protected from unauthorized access by implementing strong access controls.
  • Over SATCOM networks, protect sensitive data with encryption technologies.
  • Protect the SATCOM system from unauthorized access by installing firewalls and intrusion detection systems.
  • To address known vulnerabilities, SATCOM devices should be updated and patched regularly.
  • Enhance the security of your user login by implementing two-factor authentication.
  • SATCOM equipment and systems should be restricted to a limited number of users.
  • Make physical security a priority by implementing the necessary measures.
  • Ensure that all SATCOM equipment and devices are configured securely.
  • Staff accessing SATCOM equipment and systems should receive regular security training.
  • Handle security breaches and other emergencies with a comprehensive incident response plan.
  • Make sure security policies and procedures are regularly reviewed and updated to ensure they are effective.

Building Your Malware Defense Strategy – Download Free E-Book

Also Read:

Royal Ransomware Made Upto USD 11 Million Using Custom-Made Encryption Malware.

Dish Network Hacked – Ransomware Attack Causes Multi-Day Outage

The City of Oakland Targeted by Ransomware Attack – Severity Unknown

New Mimic Ransomware Abuses Windows Search Engine to Look Files for Encryption

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.