<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Cyber Range for Space Systems: Training Scenarios for Satellite Cybersecurity Preparedness</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Matteo Ciccaglione</string-name>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Lorenzo Bracciale</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Pierpaolo Loreti</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Arianna Miraval Zanon</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>ASI - Agenzia Spaziale Italiana</string-name>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>DICII, Tor Vergata University of Rome</institution>
          ,
          <addr-line>Rome</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Department of Electronic Engineering, University of Rome Tor Vergata</institution>
          ,
          <addr-line>Rome</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>National Laboratory of Network Assessment</institution>
          ,
          <addr-line>Assurance and Monitoring, CNIT, Rome</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>The increasing exposure of satellite systems to cyber threats requires new approaches to operational training and testing of countermeasures. Traditional assumptions about the security of space infrastructures, based on limited access and high technical barriers, are no longer valid in the face of accessible tools like Software Defined Radio (SDR) and cloud-based services such as Ground Station as a Service (GSaaS). In this paper, we present four realistic cyber attack scenarios specifically designed for integration into OpenSatRange (OSR), an open-source cyber range developed for training and experimentation in the satellite domain. The proposed scenarios cover key vulnerabilities in satellite ecosystems, including ground segment compromise, broadcast channel cryptographic flaws, inter-satellite link saturation (DDoS), and firmware-level hijacking via memory corruption. Each scenario is modeled with an emphasis on hands-on learning, narrative realism, and technical reproducibility. This work contributes to building a structured, operational framework for cybersecurity training in space systems, enabling simulation-based evaluation of both detection and response strategies in an environment that accurately reflects satellite communication constraints.</p>
      </abstract>
      <kwd-group>
        <kwd>Satellite cybersecurity</kwd>
        <kwd>Cyber range</kwd>
        <kwd>Training scenarios</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        Historically, the satellite domain has been considered relatively secure compared to other areas
of telecommunications, partly because of a security-by-obscurity approach and partly because
of the high infrastructure costs required to carry out attacks. The required equipment, such
as ground stations, high-powered transceivers, and specialized radio systems, presented a
technological and economic barrier that made these systems impractical to compromise for
non-state actors and other actors without significant resources. As an illustration, the developers of the Iridium
network claimed that the system was “too complex to attack” [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ].
      </p>
      <p>
        This perception, however, is no longer valid in the current context. The satellite
communications ecosystem has evolved rapidly, with markedly lowered barriers to entry both economically
and technically. Services such as Ground Station as a Service (GSaaS), offered by cloud providers
such as Amazon Web Services and Microsoft Azure, allow any user with minimal skills to send
and receive data from satellites, making the ground infrastructure a potential entry point for
cyber attacks. In parallel, open source and open hardware projects such as SatNOGS [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] enable
the construction of affordable amateur ground stations, further democratizing access to space.
In addition, the advent of technologies such as Software Defined Radio (SDR) has revolutionized
the threat landscape, allowing individuals to monitor, analyze, and interfere with satellite radio
signals using commercial hardware and open source software [
        <xref ref-type="bibr" rid="ref1 ref3">1, 3</xref>
        ]. This lowering of technical
complexity has also made sophisticated attacks, such as spoofing, jamming, and injection of
malicious payloads into satellite firmware, more accessible [
        <xref ref-type="bibr" rid="ref3 ref4 ref5">4, 3, 5</xref>
        ].
      </p>
      <p>
        In the face of a constantly evolving threat landscape, it is clear that the security of space
systems can no longer rely on passive measures or technological complexity alone. In fact,
today’s cyber threats surpass traditional defensive approaches based on isolation or obscurity of
technical specifications [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]. Instead, proactive and systematic approaches are needed, capable of
enabling a dynamic and resilient defense based on situational awareness, controlled
experimentation, and operational training. In particular, there is an emerging need for specific tools for
training, experimentation, and evaluation of countermeasures in realistic operational contexts,
such as cyber ranges, that enable the reproduction of concrete scenarios and evaluation of
defensive strategies in simulated environments [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ].
      </p>
      <p>
        This is especially true in the satellite domain, where the coexistence of physical constraints
(latency, orbital mobility, limited visibility) and the complexity of on-board protocols impose
specialized skills and technologically advanced tools [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. However, while cyber ranges focused
on ground-based infrastructure are now widespread and established in academia and industry
[
        <xref ref-type="bibr" rid="ref8">8</xref>
        ], a flexible and accessible infrastructure for simulating attacks and defenses in the space
domain is still lacking.
      </p>
      <p>
        To fill this gap, the development of OpenSatRange (OSR) [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], a cyber range specifically
designed to simulate satellite communication networks and enable hands-on exercises in realistic
scenarios, has been initiated. OSR aims to train operators, technicians and analysts in the
management of cyber incidents involving both terrestrial (ground stations, terminals) and
space (satellite constellations, edge protocols) segments through immersive and configurable
simulations. With this in mind, this paper proposes a set of four attack scenarios modeled
to be implemented in the OSR context. Each addresses a specific aspect of satellite system
vulnerabilities and represents a possible real-world threat. These scenarios are designed to
assess detection, response, and recovery capabilities, as well as provide an operational context
for the development of new countermeasures and defense policies.
      </p>
    </sec>
    <sec id="sec-2">
      <title>2. Related Work</title>
      <sec id="sec-2-1">
        <title>2.1. Real-World Satellite Attacks</title>
        <p>
          The security of satellite systems has historically been underestimated, mainly due to high
infrastructure costs and a security-by-obscurity approach. However, recent events show that
such systems are increasingly exposed to sophisticated and accessible threats. For example,
during the invasion of Ukraine in February 2022, a cyber attack compromised Viasat’s KA-SAT
satellite network, disrupting communication services for tens of thousands of users in Europe
and Ukraine [
          <xref ref-type="bibr" rid="ref10 ref11">10, 11</xref>
          ].
        </p>
        <p>
          Recent studies have highlighted the vulnerability of the firmware and software protocols used
aboard the satellites. In particular, the analysis conducted by Willbold et al. [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ] showed that real
systems suffer from serious weaknesses in terms of authentication, firmware integrity and access
protection. In parallel, targeted attacks on satellite services such as GNSS (for example, through
spoofing and jamming) are becoming increasingly common, partly due to the availability of
low-cost tools such as SDR (Software Defined Radio) [
          <xref ref-type="bibr" rid="ref3 ref5">3, 5</xref>
          ].
        </p>
        <p>
          Specifically, Giuliari et al. [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ] demonstrated that it is possible to conduct DDoS attacks against
low-orbit (LEO) constellations by saturating inter-satellite links, with the potential to
compromise communications across entire geographic areas. In addition, the public availability of
orbital data and technical parameters of satellites accentuates the attack surface and encourages
targeted malicious operations. In this regard, Manulis et al. [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ] present a comprehensive
analysis of threats in the New Space context, illustrating the evolution of attacks and entry
vectors in the space and ground segments.
        </p>
        <p>
          The security of satellite location services is also increasingly the focus of attention. GPS
spoofing and meaconing attacks have been documented in real-world scenarios, as in the case
of the RQ-170 drone captured in Iran [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ], and recent studies confirm their ease of execution in
the presence of unauthenticated signals [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ].
        </p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. Cybersecurity Training in Sector-Specific Domains</title>
        <p>Training in cybersecurity has long moved beyond a generalist approach, evolving toward
specialized programs for vertical domains. This trend is particularly evident in sectors with
distinctive technical or operational characteristics, where threats take different forms than in
traditional IT contexts.</p>
        <p>
          In the industrial sector, for example, courses such as those offered by CISA for ICS systems
[
          <xref ref-type="bibr" rid="ref13">13</xref>
          ] focus on operational aspects, minimal latencies, and legacy environments, while academic
initiatives such as KYPO4Industry provide hands-on environments for testing exploits in
real-world control networks [
          <xref ref-type="bibr" rid="ref14">14</xref>
          ]. Similarly, in the healthcare domain, institutes such as SANS offer
pathways focused on ransomware attacks and patient data protection, with a focus on specific
regulations such as HIPAA [
          <xref ref-type="bibr" rid="ref15">15</xref>
          ].
        </p>
        <p>
          In aerospace and defense, the DoD Cyber Crime Center (DC3) offers a suite of advanced
courses on critical infrastructure protection and forensic investigation in operations [
          <xref ref-type="bibr" rid="ref16">16</xref>
          ]. There
are also centers dedicated to law enforcement training, such as UCD’s Center for Cybersecurity
&amp; Cybercrime Investigation, which adapts OSINT and digital forensics techniques to
real-world investigative scenarios [
          <xref ref-type="bibr" rid="ref17">17</xref>
          ].
        </p>
        <p>These examples show that adapting cyber training to different operational contexts
is a must. In this landscape, the spatial domain-with physical constraints, proprietary protocols</p>
      </sec>
      <sec id="sec-2-3">
        <title>2.3. Cyberranges for Satellite Security</title>
        <p>Unlike traditional cyber ranges focused on IT or ICS infrastructure, satellite cyberrange platforms
replicate the unique features of space operations, such as physical constraints, custom protocols,
and the interaction between ground and orbital segments.</p>
        <p>
          At the European level, the European Space Agency (ESA) has opened in Tallinn, Estonia, the
first Space Cyber Range fully dedicated to simulating attack and defense scenarios against space
infrastructure. This initiative is designed to support exercises and resilience testing by public
and private entities in the European aerospace sector [
          <xref ref-type="bibr" rid="ref18">18</xref>
          ].
        </p>
        <p>In the U.S., NASA has built specific tools for the simulation of small satellites such as CubeSats.
In particular, the NOS3 (NASA Operational Simulator for Small Satellites) framework, developed
for the Simulation-to-Flight-1 (STF-1) mission, allows the entire software life cycle of the satellite
to be simulated in a virtual environment. This open-source tool is designed to support early
verification of on-board functionality and pre-flight risk reduction, providing a valuable resource
for pre-launch operational testing.</p>
        <p>Also in academia, initiatives such as the Unified Cybersecurity Testing Lab for Satellite,
Aerospace, Avionics, Maritime and Drone (SAAMD) have demonstrated the importance of
multi-domain environments for security assessment in the space domain [19].</p>
        <p>
          This landscape includes OpenSatRange (OSR), an open-source cyber range promoted by the
Italian Space Agency (ASI), developed to enable operational exercises, attack simulations, and
countermeasure testing in realistic satellite scenarios. OSR is distinguished by its modularity,
ability to integrate SDR segments, and focus on supporting LEO/GNSS and ground-segment
compromise scenarios [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ].
        </p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Training Scenarios</title>
      <p>
        In this section, we present four scenarios that can be implemented within a satellite-focused
cyber range such as the one described in [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. Each scenario is designed to replicate realistic
cyber attack situations in the space domain, providing an operational context for training and
evaluation activities.
      </p>
      <p>Each scenario is described through the following three dimensions:</p>
      <p>Story: We outline the environment, the narrative behind the attack, and the attacker’s objective.
This serves as the script guiding the actions that the attacker must perform to successfully
complete the training.</p>
      <p>Network: Given the satellite context, special attention is devoted to describing the network
topology, including both terrestrial and space segments.</p>
      <p>Relevance: For each scenario, we highlight its relevance by drawing parallels with real-world
cyber attacks that have occurred in the satellite sector.</p>
      <sec id="sec-3-1">
        <title>3.1. Scenario 1: Ground Segment Attack</title>
        <p>This scenario describes a hypothetical attack that involves the ground segment of a satellite
environment.</p>
        <p>Story: A large company hosts a Ground Station as a Service (GSaaS) infrastructure, which
is accessible through a website also hosted by the company. Due to an intricate security flaw,
an external attacker is able to gain partial access to the machine hosting the service. Exploiting
his privileges, he can dump and patch the satellite firmware, which is later uploaded and installed
on a satellite through a periodic update procedure. In this way the ground station is used as
an attack vector to reach satellites in orbit.</p>
        <p>Network: The network infrastructure is summarized in Figure 1. The space segment consists of
a LEO constellation with a sufficient number of satellites such that at least one of
them is in the ground station visibility range.</p>
        <p>
          Relevance: Numerous cyber attacks have targeted user devices or ground segments in satellite
communication systems. One of the most recent and widely known incidents is the attack
on Viasat’s KA-SAT network in February 2022 [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ]. The attackers deployed a wiper malware
known as AcidRain, which was specifically designed to erase the flash memory of satellite
modems. Although the satellite itself and the core ground infrastructure were not compromised,
the attack rendered thousands of modems inoperable, significantly disrupting satellite internet
services across Europe and Ukraine. Another example is the Russian satellite telecom
provider Dozor, which was compromised in a cyberattack that resulted in damage to user
terminals and a temporary network outage. The attackers successfully infiltrated systems
responsible for managing customer equipment, highlighting critical vulnerabilities in satellite
ground infrastructures [20].
        </p>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. Scenario 2: Decrypting a broadcast channel</title>
        <p>This scenario focuses on the role of cryptography in securing satellite communications.</p>
        <p>Story: This scenario aims to exploit a misconfiguration in a custom satellite key exchange
protocol to demonstrate how cryptographic vulnerabilities can be leveraged to compromise the
confidentiality of message exchanges. The attacker’s objective is to decrypt communications
transmitted over a satellite broadcast channel, revealing sensitive data that was assumed to be
securely encrypted. A central satellite periodically sends a message containing an encrypted
symmetric key over a broadcast channel. The message is formatted as follows:</p>
        <p>• The RSA public key (in PEM format) used to encrypt the symmetric key;</p>
        <p>• The encrypted symmetric key.</p>
        <p>Each node that receives the message checks the public key to see if it matches its private key,
and if so, decrypts the symmetric key that will be used to encrypt the rest of the communication.
An external attacker is sniffing the traffic over the broadcast channel and, due to incorrect
configuration of pre-distributed RSA keys, he can perform an RSA common factor attack to
decrypt the message and thus obtain the symmetric encryption key.</p>
        <p>Network: The network infrastructure, illustrated in Figure 2, consists of a GEO satellite that
communicates over a broadcast channel with multiple user terminals.</p>
        <p>Relevance: Cryptographic attacks are also a real threat in the satellite environment, as shown by the
real-time inversion attacks reported on the GMR-2 cipher used in satellite phones [21].</p>
      </sec>
      <sec id="sec-3-3">
        <title>3.3. Scenario 3: Distributed Denial of Service in a LEO Constellation</title>
        <p>
          A Distributed Denial of Service (DDoS) is a cyber attack, widely known in the
telecommunications sector, which uses a huge amount of dummy data traffic to saturate network links,
exploiting their limited bandwidth capacity. Typically, botnets are used to generate this
traffic: an attempt is made to infect a set of machines within a local network (for
example a corporate network) that has an access point to the target network, taking control
of them and transforming them into a set of bots at the service of an external user, through
software that can be traced back to the Command &amp; Control (C2) family [22].
        </p>
        <p>
          Story: This scenario tries to reproduce the ICARUS attack [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ], providing a vulnerable corporate
network isolated by a misconfigured firewall and a broken gateway. Gaining access to one
machine on the network allows the attacker to quickly take control of others and set up a botnet,
which can be used to flood a satellite link of limited bandwidth with a huge amount of traffic.
The goal is to saturate the inter-satellite links, thus leading to unavailability of the service.
        </p>
        <p>
          Network: The network topology provided is summarized in Figure 3. For technical reasons, we
need a test machine that pings two satellites and provides the attacker with the code to proceed
with the exercise when one of the two is no longer reachable.
        </p>
        <p>
          Relevance: Despite being largely known in standard telecommunications systems, DDoS
attacks have recently been studied in satellite systems as well (ICARUS attack [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ]).
        </p>
      </sec>
      <sec id="sec-3-4">
        <title>3.4. Scenario 4: Satellite Hijacking</title>
        <p>This attack targets a vulnerable implementation of a library used to parse telecommands.</p>
        <p>Story: This scenario aims to show how simple it is to break a satellite system through a simple,
obscured vulnerability. The provided network topology is shown in Figure 4. The idea behind the
attack is the following: a satellite is piloted by firmware that makes use of vulnerable library
functions like strcpy that can be exploited by an attacker to perform a buffer overflow and
rewrite part of the satellite’s memory. The goal is to corrupt the satellite’s memory, causing it
to operate in a manner controlled by the attacker.</p>
        <p>In this scenario, we have a weather forecast satellite, which receives input requests on the
collected data, and an external attacker that carries out the attack by exploiting the
abovementioned vulnerability. To make everything more realistic, communication with the satellite
uses the CCSDS format [23].</p>
        <p>Network: Although we only need one satellite to set up the attack, the provided topology
includes a sufficient number of satellites so that, with the parameters provided, the
intervals of non-visibility (in which the attacker does not see any satellites) are very short,
allowing an effective exercise.</p>
        <p>
          Relevance: The concept of security through obscurity is prevalent in satellite systems, as the
firmware used is often proprietary and specifically developed for custom hardware architectures.
Although this is true, the Space Odyssey study [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ] shows that attacks based on information
gathered through reverse engineering are feasible.
        </p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Implementation</title>
      <p>This section offers a more in-depth technical perspective on the training scenarios outlined in
Section 3. All software implementation details are designed with the interactive nature of the
cyber range in mind. This means that each successfully exploited vulnerability must yield a flag
(namely, a unique code) that is provided to the user as proof of exploitation.</p>
      <sec id="sec-4-1">
        <title>4.1. Technical details about satellite software vulnerabilities: A hands-on approach</title>
        <p>4.1.1. Scenario 1</p>
        <p>To emulate this attack, we need to:</p>
        <p>1. Develop a vulnerable server hosting a Ground Station as a Service web page. In particular,
we want to hide a git repository used for platform deployment and maintenance behind a
hidden virtual host;</p>
        <p>2. Set up the git repository with explanatory logs and a credentials file removed with the
last commit;</p>
        <p>3. Set up a server on the Ground Station machine with an automated firmware update
routine and an easy-to-crack firmware executable.</p>
        <preformat>/* Accept an incoming connection; on failure, close the listening socket and exit. */
if ((new_socket = accept(server_fd,
        (struct sockaddr *)&amp;address, &amp;addr_len)) &lt; 0) {
    close(server_fd);
    exit(EXIT_FAILURE);
}</preformat>
        <p>Listing 1: C code snippet example for hackable firmware</p>
        <p>To emulate firmware tampering in an emulated environment, while still delivering a valid
flag to the user, we follow this approach: the provided firmware includes a "secret" code
segment, that is, a theoretically unreachable portion of code, which becomes executable through
a firmware patch (e.g., modifying an immediate value in a loop condition). This hidden code is
responsible for triggering the flag. Consequently, the satellite environment can be kept simple,
requiring only a flag.txt file and a lightweight server that reads the input bytes, builds an
executable, and runs it. As an illustrative example, refer to the code snippet shown in Listing 1, which
contains a hidden code segment accessible only under a specific condition. This condition can
be easily bypassed through binary tampering, allowing the execution flow to be redirected to
unauthorized code.</p>
        <p>Attacker walkthrough: From the attacker’s perspective, the intended approach for this
exercise is the following. Using enumeration tools like Gobuster, the attacker first identifies the
presence of the virtual host, then iterates the process to locate the git repository. Once found,
the attacker can clone the repository to their machine using tools like GitDumper. By leveraging
Git’s features and analyzing commit messages in the log, they can locate the file containing the
credentials and restore it. With the credentials, the attacker can gain SSH access to the machine.
After enumerating the files and active cron jobs, they can identify the firmware to patch. Using
reverse engineering tools like Ghidra and binary patching tools like Okteta, they can apply the
necessary changes to compromise the satellite.</p>
        <p>Listing 2: A possible way to implement a gateway for MIME type inspection</p>
        <p>4.1.2. Scenario 2</p>
        <p>The goal of this scenario is to violate the confidentiality of satellite transmissions by obtaining
symmetric encryption keys by intercepting key-distribution messages sent from a satellite
acting as a master-key server.</p>
        <p>To implement this, we must pre-distribute the private keys across the various nodes, ensuring
that two nodes share a common prime factor in the RSA modulus, denoted as N. This setup allows
the attacker to intercept network traffic using tools like Wireshark and launch a common factor
attack, leveraging the public key present in the messages as outlined in Section 3.2.</p>
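        <p>One way to audit a set of pre-distributed keys for the weakness this scenario plants, given as an added example that is not part of the paper or of OSR. It checks public moduli for shared primes and shows that a finding is equivalent to disclosure of the private exponent; the toy Mersenne-prime moduli, the node names and the exponent 65537 are constructed assumptions.</p>
        <preformat><![CDATA[
```python
"""Added example: audit RSA public moduli for shared prime factors."""
from math import gcd, prod

# Constructed toy primes (Mersenne primes). Real keys use random primes of
# 1024 bits or more; the arithmetic below is unchanged at that size.
M31, M61, M89, M107, M127 = (2**k - 1 for k in (31, 61, 89, 107, 127))

E = 65537  # public exponent, assumed identical for every node

# Constructed fleet: node-b was provisioned with a prime already used by node-a.
FLEET = {
    "node-a": M61 * M89,
    "node-b": M89 * M107,
    "node-c": M31 * M127,
}


def audit_moduli(moduli):
    """Map every node whose modulus shares a factor with another node to that factor.

    Each modulus is compared against the product of all the others, so n keys
    need n big-integer gcds instead of n*(n-1)/2 pairwise ones.
    """
    total = prod(moduli.values())
    findings = {}
    for node, n in moduli.items():
        shared = gcd(n, total // n)
        if shared == 1:
            continue
        if shared == n:
            # Either both primes are reused elsewhere or the whole modulus is
            # duplicated: look for a proper factor with pairwise gcds.
            for other, m in moduli.items():
                g = gcd(n, m)
                if other != node and 1 < g < n:
                    shared = g
                    break
        findings[node] = shared
    return findings


def private_exponent(n, e, factor):
    """Recompute d from one known prime factor of n.

    This is why a finding means the key is compromised, not merely weak:
    everything used here is public once the shared factor is known.
    """
    p, q = factor, n // factor
    return pow(e, -1, (p - 1) * (q - 1))


def nodes_to_rekey(moduli):
    """Nodes that need fresh, independently generated primes."""
    return sorted(audit_moduli(moduli))


if __name__ == "__main__":
    for node, factor in audit_moduli(FLEET).items():
        print(f"{node}: shares a {factor.bit_length()}-bit factor, re-key required")
```
]]></preformat>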
        <p>Attacker walkthrough: Using sniffing tools, the attacker must gather a large set of public
key-symmetric key pairs. Then, a cryptographic attack can be performed, for example, leveraging
the capabilities of the Python library PyCryptoDome. If successful, the private keys obtained can
be used to decrypt the corresponding symmetric keys, which, for the purpose of the exercise,
will contain the flag.</p>
        <p>4.1.3. Scenario 3</p>
        <p>In this scenario we want to emulate the well-known ICARUS attack. To do that we have to:</p>
        <p>1. Model a corporate network hosting a web service with the capability to upload images;</p>
        <p>2. Put a firewall and a gateway to protect the network. The firewall checks TCP connection
requests, denying incoming connections on port 4242, which is used by machines on the
network to host a custom remote shell service. This can be implemented simply
by leveraging iptables rules such as iptables -A INPUT -p tcp --dport 4242 ! -s 192.168.1.0/24 -j DROP,
assuming that 192.168.1.0/24 is the network address and mask of the LAN. The gateway, on the other hand, performs checks on POST requests to
the website, verifying that the MIME type actually corresponds to an image, applying
checks like the one reported in Listing 2;</p>
        <p>3. Implement a custom remote shell service that includes a basic and commonly encountered
vulnerability, such as an SQL injection in the access control system or a similar low-level
flaw. The specific nature of the vulnerability is left to the discretion of the reader, as it
does not influence the overall success of the attack scenario.</p>
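        <p>The difference between a soft MIME check and content inspection at the gateway of step 2, given as an added example (it is not the paper's Listing 2 and not OSR code). The Upload type, the accepted image formats and the sample uploads are assumptions constructed for illustration.</p>
        <preformat><![CDATA[
```python
"""Added example: declared-type check versus content inspection for image uploads."""
import os
from dataclasses import dataclass

# Leading bytes ("magic numbers") of the image formats the site accepts.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}
SCRIPT_MARKER = b"<?php"


@dataclass
class Upload:
    filename: str
    content_type: str  # Content-Type of the uploaded part (client-controlled)
    body: bytes


def soft_check(upload):
    """Trusts the client-supplied header: passes whenever it names an image type."""
    return upload.content_type in SIGNATURES


def sniff_type(body):
    """Return the image type indicated by the leading bytes, or None."""
    for mime, magics in SIGNATURES.items():
        if body.startswith(magics):
            return mime
    return None


def inspect_upload(upload):
    """Return (accepted, reason); every check must pass, the first failure is reported."""
    declared = upload.content_type.split(";", 1)[0].strip().lower()
    if declared not in SIGNATURES:
        return False, "declared type is not an allowed image type"
    if sniff_type(upload.body) != declared:
        return False, "content does not match declared type"
    extension = os.path.splitext(upload.filename.lower())[1]
    if extension not in EXTENSIONS[declared]:
        return False, "file extension does not match declared type"
    # Heuristic for image/script polyglots; re-encoding the image on the
    # server and storing it outside the web root are the stronger controls.
    if SCRIPT_MARKER in upload.body.lower():
        return False, "script marker inside image data"
    return True, "ok"


# Constructed sample uploads; the script bodies are inert placeholders.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PLACEHOLDER = b"<?php /* constructed placeholder */ ?>"
SAMPLES = {
    "genuine": Upload("orbit.png", "image/png", PNG_HEADER + b"\x00" * 16),
    "relabelled": Upload("view.php", "image/png", PLACEHOLDER),
    "wrong-extension": Upload("view.php", "image/png", PNG_HEADER + b"\x00" * 16),
    "polyglot": Upload("orbit.png", "image/png", PNG_HEADER + PLACEHOLDER),
}


def triage(samples):
    """Return {name: (soft_check result, accepted, reason)} for gateway logging."""
    return {name: (soft_check(u), *inspect_upload(u)) for name, u in samples.items()}


if __name__ == "__main__":
    for name, (soft, accepted, reason) in triage(SAMPLES).items():
        print(f"{name:16} soft={soft!s:5} accepted={accepted!s:5} {reason}")
```
]]></preformat>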
        <p>The success of the attack hinges on accurately modeling an inter-satellite link with sufficiently
low network bandwidth.</p>
        <p>Attacker walkthrough: The attacker’s first step is to detect the presence of the web service
using Nmap. The firewall will mask port 4242 as filtered. Upon accessing the web service, the
attacker discovers the file upload feature, which can be exploited by uploading a PHP file and
subsequently viewing it via the "view image" button. After some testing, the attacker identifies
the presence of a gateway and bypasses it by using a Burp proxy server to intercept requests
and modify the MIME type, circumventing the gateway’s soft checks. At this point, the attacker
can set up a local file inclusion (LFI) attack, causing the web server to execute the uploaded PHP
page, which can contain code for a remote shell. Once inside the network, the attacker exploits
the vulnerable custom service to move between machines and install the botnet. To create the
botnet, the attacker develops both a server for remote control and a client that sends packets
when triggered via a designated link. To make the attack feasible, the user will be provided with
information about the vulnerable satellite link using the facilities provided by the cyber range.</p>
        <p>4.1.4. Scenario 4</p>
        <p>In this scenario we chose to implement the vulnerable server in C to gain greater control over
memory layout and object placement within the address space. This also required developing a
custom C library to handle the CCSDS packet protocol. The core idea is to define a packet data
structure without any padding between its members, making the exploit more straightforward
to execute. By leveraging a vulnerable function such as strcpy, an attacker can overwrite a
structure member located immediately after the buffer used to store the message. A software
routine then inspects this overwritten field and, if it has been correctly manipulated, the program
ceases normal operation and begins responding with the flag.</p>
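        <p>The layout issue described above, modeled in Python with ctypes as an added example (it is not the paper's C server or its CCSDS library). The 32-byte buffer, the mode field and the APID are assumptions; the unbounded copy emulates strcpy and is capped at the structure size so the demonstration itself stays memory-safe.</p>
        <preformat><![CDATA[
```python
"""Added example: adjacent-field overwrite in a telecommand handler, and the bounded fix."""
import ctypes
import struct

MSG_CAPACITY = 32   # assumed size of the on-board message buffer
MODE_NOMINAL = 1    # assumed value of the control field in normal operation


class Telecommand(ctypes.Structure):
    """Assumed C layout: the message buffer is directly followed by a control field."""
    _fields_ = [("message", ctypes.c_char * MSG_CAPACITY),
                ("mode", ctypes.c_uint32)]


def build_space_packet(apid, seq_count, data):
    """CCSDS Space Packet: 6-byte primary header followed by a non-empty data field."""
    word0 = (0 << 13) | (1 << 12) | (0 << 11) | (apid & 0x7FF)  # version 0, telecommand
    word1 = (0b11 << 14) | (seq_count & 0x3FFF)                   # unsegmented
    return struct.pack(">HHH", word0, word1, len(data) - 1) + data


def parse_space_packet(raw):
    """Return (apid, data); raise ValueError when header and received bytes disagree."""
    if len(raw) < 7:
        raise ValueError("shorter than header plus one data byte")
    word0, _word1, length_field = struct.unpack(">HHH", raw[:6])
    if word0 >> 13 != 0:
        raise ValueError("unsupported packet version")
    data = raw[6:]
    if len(data) != length_field + 1:  # the field stores data length minus one
        raise ValueError("declared data length does not match received bytes")
    return word0 & 0x7FF, data


def store_unbounded(tc, data):
    """Emulates strcpy(tc->message, data): copies up to the first NUL, ignoring capacity."""
    text = data.split(b"\x00", 1)[0] + b"\x00"
    ctypes.memmove(ctypes.addressof(tc), text, min(len(text), ctypes.sizeof(tc)))


def store_bounded(tc, data):
    """Rejects any message that does not fit the buffer together with its terminator."""
    text = data.split(b"\x00", 1)[0]
    if len(text) >= MSG_CAPACITY:
        raise ValueError("message exceeds buffer capacity")
    tc.message = text


def handle(raw, store):
    """Parse one packet and store its message with the given copy routine."""
    tc = Telecommand(mode=MODE_NOMINAL)
    _apid, data = parse_space_packet(raw)
    store(tc, data)
    return tc


# Constructed packets: a normal request and one whose message is one byte too long.
REQUEST = build_space_packet(0x42, 1, b"GET TEMP")
OVERSIZED = build_space_packet(0x42, 2, b"A" * MSG_CAPACITY + b"\x02")

if __name__ == "__main__":
    print("mode field offset:", Telecommand.mode.offset)
    print("unbounded copy, mode =", handle(OVERSIZED, store_unbounded).mode)
    try:
        handle(OVERSIZED, store_bounded)
    except ValueError as exc:
        print("bounded copy rejected packet:", exc)
```
]]></preformat>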
        <p>Attacker walkthrough: The exercise includes the executable file that implements the
vulnerable server-side service. The attacker must use reverse engineering tools like Ghidra to analyze
the binary and identify the described vulnerability. Once understood, the attacker can self-host
the service to perform tests and determine the appropriate payload to exploit the vulnerability.
To carry out the attack, the attacker needs to implement a client that, using the provided C
library for generating CCSDS packets, sends the correct payload to the server, triggering a
memory corruption that ultimately results in the flag being distributed, as previously explained.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>5. Conclusions</title>
      <p>The increasing exposure of satellite systems to cyber threats is a priority challenge for space
infrastructure security, both civil and military. In a context where accessibility to space is
expanding through the use of COTS technologies, cloud-based services such as GSaaS, and tools
such as SDRs, the space domain can no longer be considered an inaccessible environment.</p>
      <p>This paper presents four didactic attack scenarios designed to be integrated within a cyber
range such as OpenSatRange. The scenarios are inspired by real cases documented in the
literature and incident reports, and cover a wide range of attack vectors: firmware compromise,
cryptographic exploits, inter-satellite DDoS, and advanced spoofing on broadcast services. The
goal is to provide operational and narrative tools that allow operators to practice in controlled
but realistic environments.</p>
      <p>Defining these scenarios is a first step toward building a framework for practical training
and evaluation of countermeasures in the space environment. The narrative-technical approach
adopted enhances both the educational aspect and reproducibility in simulated
environments. In addition, their future integration into OSR will allow not only training operators but
also testing defensive solutions and monitoring tools under realistic conditions.</p>
    </sec>
    <sec id="sec-6">
      <title>Declaration on Generative AI</title>
      <p>During the preparation of this work, the author(s) used X-GPT-4 in order to: Grammar and
spelling check. After using this tool, the authors reviewed and edited the content as needed
and take full responsibility for the publication’s content.</p>
    </sec>
    <sec id="sec-7">
      <title>Acknowledgments</title>
      <p>This research is supported by the project “OpenSatRange: Un cyber range aperto per la
formazione in cyber security di operatori di sistemi e reti satellitari” supervised and financed by
the Italian Space Agency (Agenzia Spaziale Italiana, ASI) in the framework of the Research Day
“Giornate della Ricerca Spaziale” initiative through the contract no. ASI-2023-2-U.0, and by the
CYBER4SPACE project, funded by the 2024 Scientific Research Grant of the University of Rome
Tor Vergata.</p>
    </sec>
  </body>
  <back>
  </back>
</article>