
10 Defining Moments in Space and Cybersecurity in 2025
Top space and cyber influencers look back at critical cyber events of 2025, and how these events have implications for the space industry.
January 20th, 2026
2025 was a year of change in cybersecurity, and every year feels more tumultuous than the previous year. Every year is now punctuated by high-profile incidents with well-known companies being successfully targeted, and massive data breaches taking place. Also, since we launched CyberSat almost 10 years ago, the conversation about cybersecurity for space systems has become mainstream.
It was also an eventful year for CyberSat. In the six weeks prior to CyberSat, there was a U.S. government shutdown, which led to big changes in the program. A number of key U.S. government speakers were only able to confirm at the last minute, given the shutdown only ended two working days before CyberSat. But, despite the volatility and a fluid program, attendees turned up to CyberSat in the hundreds, yet again showing how important this topic and event have become to the community.
Here, we pick our 10 defining moments in space and cybersecurity for 2025.
NRO Launches Space Cyber Program at CyberSat
At CyberSat in November, the National Reconnaissance Office (NRO) made a major announcement. It said it was establishing a space cyber program to serve as the central hub for space cyber activities across the agency as of Oct. 1. Johnathon Martin, the acting deputy director of the NRO’s Office of the Chief Architect and the incoming deputy director of the NRO Space Cyber Program, confirmed this during CyberSat. In a story published in Defense Daily and Via Satellite, Frank Wolfe of Defense Daily covered the NRO’s plans.
The new space cyber program is built on three pillars. “First, we’re establishing clear strategic priorities for space security,” Martin said. “Second, we’re accelerating the integration of cybersecurity capabilities into our space systems. Our team is working directly with program offices to bake cybersecurity and design processes from day one, not as an afterthought. We’re ensuring the bar is high, that programs have what they need to be successful and reach the criteria, and ensuring that they do. We’re doing this while minimizing system complexity and without hindering our acquisition and operational tempo. Third, we’re flattening decision making hierarchies. The NRO chief information security officer has been named the NRO’s space cyber executive.”
The NRO’s Space Cyber Program will have a direct line to Cybersecurity and Infrastructure Security Agency (CISA). Its scope will tie together all aspects of space cyber for policy and governance, R&D, engineering, acquisition, and operations, Martin said.
Ukraine Confirms Russia Space Cyber Attack
Russia’s invasion of Ukraine has been going on almost four years and a key element of this war has been the use of cyber attacks to gain supremacy. This shows no sign of slowing down in 2026. One of the key incidents in 2025 relates to the confirmation of a successful cyber attack conducted by Ukraine against Russia in 2023. A cyber attack took place against Russia’s Dozor-Teleport, but was only confirmed last year.
In a column published in October by Via Satellite, Clémence Poirier, senior cyber defense researcher for the Cyber Defense Project of the Center for Security Studies (CSS) at ETH Zurich, talks about this. In August, the Ukrainian Cyber Alliance (UCA) broke its silence, admitting it was behind the attack all along. Poirier said the revelation exposes not just the murky world of cyber self-attribution, but also the dangerous entanglement of hacktivist groups, state intelligence services, and the fragile infrastructure of the space sector. Communication about an attack is sometimes as important as the attack itself.
Poirier said this confirmation of the cyber attack against Russia’s Dozor-Teleport conducted during the Wagner coup of 2023 brought rare, concrete, and important information regarding cyber attacks against satellite networks in the Russo-Ukrainian war. She added, “It provided details about the tempo of cyber conflict against space systems, the existence of tit-for-tat operations, attribution methods, and the organizational set-up of non-state actors, who are working as sub-contractors for governments.”
Don’t Look Up
Just prior to CyberSat this year, a team of researchers at UC San Diego (UCSD) and the University of Maryland (UMD) revealed shocking details about how easy it was to acquire customer data from satellite systems lacking in the appropriate levels of encryption. The research paper “Don’t Look Up” sent shockwaves through the satellite community when it was released. For three years, the UCSD and UMD researchers developed and used an off-the-shelf, $800 satellite receiver system on the roof of a university building in San Diego to pick up the communications of Geosynchronous (GSO) satellites in the small band of space visible from their Southern California vantage point. By simply pointing their dish at different satellites and spending months interpreting the obscure — but unprotected — signals they received from them, the researchers assembled an alarming collection of private data.
“It just completely shocked us. There are some really critical pieces of our infrastructure relying on this satellite ecosystem, and our suspicion was that it would all be encrypted,” says Aaron Schulman, a UCSD professor who co-led the research. “And just time and time again, every time we found something new, it wasn't.”
Daniel Gizinski, president of the Satellite & Space Segment of Comtech, said the study should be “mandatory reading for anyone working in satellite, even if cyber isn’t part of their job.”
“The amount of basic cyber hygiene not in use on a number of key satellite systems, which exposes everything from enterprise networks, in-flight connectivity, and even cellular backhaul to anyone with a satellite dish and a basic understanding of demodulation I think helps build an appreciation that we have a long way to go in satellite cybersecurity,” Gizinski added.
The $2.6 Billion Jaguar Land Rover Cyber Attack
There are certain cyber attacks that go far beyond the sectors they operate in, and send shockwaves throughout the cyber community. Perhaps the biggest one in 2025 involved Jaguar Land Rover (JLR), the U.K. automotive manufacturer. The attack has been described as the biggest cyber attack in the U.K.’s history.
The U.K. Cyber Monitoring Centre (CMC) researched the attack and reported it caused the U.K. a financial impact of 1.9 billion pounds ($2.6 billion), impacting 5,000 U.K. organizations. The attack showed how vulnerable complex supply chains are, and how the effects of a successful attack like this can ripple throughout the entire supply chain. The CMC is an independent, non-profit organization responsible for analyzing and categorizing cyber events that impact U.K. organizations.
Poirier said although this was not a space company, this example shows that production lines can be greatly impacted by cyber incidents and it could definitely happen to a satellite manufacturer. A scenario like the Australian company NewSat, which ended up going bankrupt because of a cyber attack, is definitely something that will occur in the future, she said.
Laudermilch added that the JLR attack shows that cyber attacks can have massive impacts to national economic output and supply chains. He adds, “This is particularly scary for space technology supply chains! Also highlights how ransomware and disruptive malware can affect real-world manufacturing and logistics at scale.”
SK Telecom – Major Telco Suffers Major Incident
SK Telecom is one of the largest telcos in Asia and has close to 30 million mobile customers. In 2025, the company suffered a major incident in which a successful cyber attack put data at risk for close to 27 million customers. With our reliance on wireless communications and our devices, any incident here is keenly felt. Bob Gourley, CEO of OODA, said of this incident, “The SK Telecom breach and continued impact of previous years’ breaches into U.S. telecom have shown there should be no confidence in the ability to communicate with privacy over the global telecom infrastructure (to communicate in private requires special attention to encryption). The SK Telecom breach itself provided massive quantities of authentication keys and data on over 27 million users and their devices.”
SK Telecom put out a statement in April saying that, as a result of this incident, it was to launch the Information Protection Innovation Plan, investing 700 billion South Korean won ($475 million) over the next five years to build a world-class information protection system. Interestingly, this initiative will be guided by the U.S. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), and will align with the highest cybersecurity standards. SK Telecom aims to lead Korea in cybersecurity by 2028 and establish a globally recognized security system within five years.
AI, AI, and More AI
At most cyber events in 2025, one topic dominated more than any other, and that was the role that AI was playing in a new wave of cyber attacks. Vince Walisko, COO of Optimal Satcom, said that the use of AI in formulating and executing attacks was the number one trend we saw in 2025. He added, “Some AI systems were used against themselves through instructions to reveal information and configurations.”
Poirier added that in 2024 AI was primarily leveraged for reconnaissance and sophisticated phishing, in 2024 threat actors began operationalizing AI as part of offensive campaigns. She added, “Although there is no example in the space sector yet, in 2025, Promptlock was discovered as the first malware which relied on AI during the execution and dynamically changed forms throughout the operation to evade detection. AI was not just used before the attack. At some point, it is likely that offensive AI will fight each other to defend and break into satellite networks.”
Gourley also said he thought that the number one cybersecurity trend in 2025 was the operationalization of AI on both sides of the arms race. He said that 2025 was the year where AI agents and early multi-agent/agentic AI systems moved from hype to deployment in both security operations and offensive tradecraft.
He added, “This leads to a prediction for space-cyber in 2026: Consider the breaches and agentic AI trends captured above. It leads to a scenario where new forms of attack are possible. In 2026 it is very likely that a publicly visible, space-linked cyber operation will cause visible service degradation in a major commercial constellation. This could come after a cyber campaign targets a ground segment or cloud based mission management, or perhaps even on orbit technologies.”
Norm Laudermilch, CISO of Vantor, added that where 2024 was about early experimentation with AI-enhanced threats, 2025 saw AI integrated into real attack operations at scale, turning it into a core driver of attacker capability rather than a speculative threat.
China and North Korea
At the start of 2026, Taiwan’s National Security Bureau revealed some shocking statistics related to information security incidents in 2025. It said in a press release issued at the start of the year that, on average, China’s cyber army launched over 2.6 million intrusion attempts per day targeting Taiwan’s critical infrastructure. Nine sectors were mainly targeted. These include: administration and agencies; energy; communications and transmission; transportation; emergency rescue; hospitals; water resources; finance; science and industrial parks; as well as food. The number of cyberattacks represented a six percent increase compared to 2024.
The bureau said that China would ramp up hacking activities during Taiwan’s major ceremonies. For example, it said China’s cyberattacks peaked in May last year, which was the first anniversary of President Lai’s inauguration.
It said the cyberattacks conducted by China’s cyber army involved four major tactics: hardware and software vulnerability exploitation, distributed denial-of-service (DDoS), social engineering, and supply chain attacks. The bureau said that, in particular, attacks exploiting hardware and software vulnerabilities accounted for more than half of China’s hacking operations.
Laudermilch said, “This shows that strategic, persistent cyber campaigns are aligned with military/political activity and have moved beyond isolated breaches into sustained hybrid warfare tactics. In my mind, this is proof that cyber is the new battleground and puts our space systems squarely in the crosshairs as geopolitics constantly evolve and change.”
North Korea has long been seen as a major player in cyber, and has some of the most advanced cyber capabilities out there. Joel Francis, Space ISAC Watch Center lead, highlighted the rise of the DPRK IT worker threat as a key new tactic deployed throughout 2025. Throughout 2025, North Korean-linked ‘IT worker’ operations emerged as one of the most impactful and persistent cyber-enabled threats, blending insider access, fraud, and espionage. DPRK operators successfully infiltrated Western and Asian technology companies by posing as remote contractors, gaining legitimate network access, handling sensitive code, and in some cases facilitating follow-on intrusions or data theft. He added, “This activity was significant not only for its scale — impacting hundreds of organizations — but also for challenging traditional threat models by blurring the line between insider threat, nation-state espionage, and financial crime, highlighting a long-term strategic risk to global technology supply chains.”
The Era of Space Collaboration Appears to be Over
One of the key themes of CyberSat this year was that the days of space not being a contested domain are now over. Poirier believes we may now have even gone beyond that point. She said, “I would go even space being a contested domain. I believe we will soon see persistent engagement in orbit. The doctrine of persistent engagement emerged in cyberspace in 2018 to describe continuous offensive operations, sustained contact with adversaries, and proactive disruption of threats beyond national networks. In space, we are starting to see persistent engagement in the form of regular in-orbit inspections of adversary satellites and constant space maneuvers.”
Gizinski said that about five threat actors and Advanced Persistent Threat (APT) groups have targeted satellite communications technology, with others having conducted attacks as well. He says these attacks include exploiting legacy protocols, insecure firmware, and unpatched systems to gain access to sensitive data and disrupt operations.
Felipe Fernandez, CTO of Fortinet Federal, agreed that space is becoming a more contested domain, and there will be novel threats to that environment. He said he suspects the same threat vectors that plague traditional networking and infrastructure providers/users will impact the space domain as well. He added, “And perhaps Space participants need to prioritize mitigating these threats due to the inability to easily replace any lost assets. Focusing on software supply chain security, physical and cybersecurity of the ground segment, and of course establishing governance and rules for people with privileged access is paramount to realizing the benefits of the new space capabilities without taking unnecessary risks.”
Cloudflare Outage is Global News
Major internet infrastructure firm Cloudflare suffered a major incident in October last year which led to a number of high-profile sites such as ChatGPT and X going down, in a story that made headlines throughout the world. It showed the fragility of communications systems and their reliance on companies such as Cloudflare. Walisko said this Cloudflare outage, which incapacitated many websites, cloud systems, and other systems on the internet, demonstrated the far-reaching implications an outage can have.
Initially, Cloudflare suspected the symptoms it was seeing were caused by a hyper-scale DDoS attack. However, it later revealed that instead, it was triggered by a change to one of its database systems' permissions which caused the database to output multiple entries into a ‘feature file’ used by its bot management system. It nevertheless offered a glimpse into what could happen when a major internet infrastructure company has issues like this. This kind of outage can impact many websites and many user experiences.
Laudermilch said that while this was not an attack per se, the Cloudflare incident from late 2025 shows that even simple configuration errors can have massive impacts on global critical infrastructure. He said this is important to remember in the space technology sector because, if commercial services like Cloudflare are used, an outage can affect the resilience of the digital ground segment (product downlink and processing), create a timing risk for control of spacecraft (contact windows, time-bound commands), or cause many other mission impacts. “This is a reminder to always separate mission-critical pathways from ‘the web path’ and to use a multi-provider strategy where it really counts. Also, it's always DNS,” Laudermilch added.
Salesforce Makes Headline News in August
In August last year, a high-profile security incident involving Salesforce was reported that made a big noise in the cyber community. Google Threat Intelligence Group (GTIG) disclosed a widespread supply chain intrusion targeting Salesforce environments via compromised Salesloft Drift integrations. Salesforce itself said there had been a security incident involving the Drift app, published by Salesloft. It was a major incident within cyber circles.
The attack stemmed from the takeover of a Salesloft GitHub account, allowing threat actors to weaponize trusted third-party integrations at scale. More than 700 organizations were impacted within weeks, including prominent IT and cybersecurity firms. Francis said that this incident stands out for demonstrating how open-source repositories and SaaS ecosystems can be leveraged to compromise hundreds of downstream customers simultaneously, reinforcing supply chain risk as one of the most consequential threats to modern enterprise environments.
Gizinski added that this Salesloft Drift compromise serves as an important reminder of the risks associated with bringing onboard third party applications. He said, “Attackers took advantage of compromised tokens associated with Drift to broadly exploit Salesforce – a good reminder that data in a SaaS platform, even a secure one, is still at risk of compromise.”
Fernandez pointed out that as more customers look to SaaS and cloud for efficiency and better security, this breach reminded everyone that no matter who is responsible, customer/vendor/service provider, if software is connected to the internet, threat actors will find it and eventually find a way to gain unauthorized access. He added, “The attackers in this scenario were able to socially engineer their way into gaining access into the Drift integration and ultimately any Salesforce customers' data where Drift was used.”





