On 24 February 2022, at the exact moment Russian forces crossed into Ukraine, a cyberattack took down tens of thousands of Viasat KA-SAT satellite modems across Europe. Ukrainian military communications were disrupted. Wind turbine operator Enercon lost remote monitoring of 5,800 turbines in Germany. This was the most significant space-related cyberattack in history, and it was a textbook ground segment attack.
This article deconstructs the attack step-by-step using the SPARTA framework, demonstrating both how the attack was executed and how it could have been prevented.
KA-SAT is a geostationary communications satellite operated by Viasat (acquired from Eutelsat). It provides broadband internet across Europe, including to Ukrainian military units. The ground segment includes a network of customer premises modems and a centralised management network. It was this management network that became the attack vector.
In the weeks before the invasion, adversaries mapped the Viasat network architecture, identified the management VPN, and gathered credentials. SPARTA techniques REC-0001 (Gather Spacecraft/Ground Design Information) and REC-0002 (Gather Ground System Information) describe this phase precisely.
Attackers exploited a misconfigured VPN appliance to gain access to the satellite management network. This was a ground segment attack — no spacecraft were directly compromised. A single misconfigured VPN provided the entry point to a network controlling tens of thousands of satellite modems across Europe.
AcidRain wiper malware was deployed to the modems via the management network, overwriting firmware and rendering devices permanently inoperable. SentinelOne published the first technical analysis of AcidRain in March 2022, confirming it as a purpose-built destructive wiper targeting embedded devices.
The wiper destroyed forensic evidence as it executed, eliminating artefacts that would have allowed faster attribution and recovery.
Approximately 40,000 modems across Europe were permanently destroyed. Ukrainian military communications were disrupted at a critical moment. The attack was timed to coincide precisely with the Russian military offensive for maximum effect.
The Viasat attack maps cleanly across the SPARTA framework:
The SPARTA countermeasures framework maps specific defensive controls to each attack phase. Applying these controls to the Viasat incident reveals that the attack was preventable.
VPN hardening and multi-factor authentication would have addressed IA-0004. The misconfigured VPN appliance was the entry point; MFA and a hardened configuration would have significantly raised the barrier to initial access. Network segmentation between the management network and customer modems would have limited lateral movement after the initial compromise, potentially reducing the impact from 40,000 devices to a much smaller subset. Modem firmware integrity verification would have detected the deployment of EX-0004, and a signed firmware update requirement would have ensured that only authorised updates execute. Anomaly detection on the management network would have flagged the unusual pattern of mass modem access before the wiper executed.
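The anomaly-detection control described above, sketched as an added example that is not from the original article or from any vendor: it flags a management host that touches an unusually large number of distinct modems within a short window. The log format, host names, window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_DISTINCT_MODEMS = 20        # assumed ceiling for one source in one window

def parse(line):
    """Parse '<ISO time> src=<host> modem=<id> cmd=<name>' (constructed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["modem"]

def detect_mass_access(lines, window=WINDOW, threshold=MAX_DISTINCT_MODEMS):
    """Return (time, src, distinct_modems) the first time each management
    source touches more than `threshold` distinct modems within `window`."""
    recent = defaultdict(deque)   # src -> (time, modem) events still in window
    alerted, alerts = set(), []
    for ts, src, modem in sorted(parse(l) for l in lines):
        events = recent[src]
        events.append((ts, modem))
        while ts - events[0][0] > window:   # expire events older than window
            events.popleft()
        distinct = len({m for _, m in events})
        if distinct > threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, distinct))
    return alerts

def sample_log():
    """Constructed sample: routine polling plus one burst of firmware pushes."""
    start = datetime(2022, 1, 1, 3, 0, 0)
    lines = []
    for i in range(5):    # noc-01 checks one modem every 10 minutes
        t = start + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} src=noc-01 modem=M{i:05d} cmd=status")
    for i in range(30):   # mgmt-07 pushes to 30 modems, 2 seconds apart
        t = start + timedelta(minutes=50, seconds=2 * i)
        lines.append(f"{t.isoformat()} src=mgmt-07 modem=M{1000 + i:05d} cmd=fw_push")
    return lines

if __name__ == "__main__":
    for ts, src, n in detect_mass_access(sample_log()):
        print(f"ALERT {ts.isoformat()} {src} touched {n} distinct modems in {WINDOW}")
```

The alert fires on the 21st distinct modem, 40 seconds into the burst, which is the point at which an automated response could suspend the source before the remaining devices are reached.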
The Viasat attack delivers five lessons that every space mission operator should internalise.
First: The spacecraft itself was never touched. The ground segment was the vulnerability. In space mission security, the ground segment is consistently the most accessible and most exploited segment.
Second: A single misconfigured VPN appliance enabled the destruction of 40,000 devices across an entire continent. The blast radius of a single ground segment misconfiguration can be catastrophic.
Third: Speed matters. The attack was timed to coincide with the invasion for maximum operational effect. Response time is measured in hours, not days.
Fourth: Commercial satellite operators are legitimate military targets in modern conflict. If your mission has national security relevance, your ground segment is a target.
Fifth: Every space mission operator should conduct a SPARTA-based threat assessment of their ground segment before an adversary does it for them.
The Viasat attack is not a historical curiosity; it is a template. The SPARTA framework provides the vocabulary and methodology to understand this class of attack, assess your own mission's exposure, and implement the controls that would have prevented it. The adversary has studied the Viasat attack. The question is whether you have too.