On February 28, the United States and Israel launched Operation Epic Fury, carrying out airstrikes against Iran alongside cyber and electronic operations. This unfolded amid renewed tensions in negotiations over the Iranian nuclear program and intense protests inside Iran. Iran responded with missile and drone strikes targeting Israel and Gulf countries.
Three months later, as the tempo of kinetic activity slows down, it’s time to reflect on how the space sector was targeted during this still ongoing conflict. Through open-source mapping, at least 25 cyber operations against the space sector were identified in the context of the conflict between February 28 and April 30. This is likely an undercount, the visible tip of a much bigger iceberg.
To understand what makes this episode distinct, it helps to look back. During the Iran-Israel war in June 2025, more than 67 cyber operations against the space sector occurred with 25 different threat actors involved. Back then, the start of hostilities triggered an immediate surge in hacktivist activity, with waves of distributed denial-of-service (DDoS), website defacement, and data leaks affecting the space sector, as well as influence operations to augment impact.
The current conflict follows a different trajectory. Several insights can be gleaned from cyberattacks against the space sector so-far. First, in 2026, cyber activity has been intense but the pattern seems to have shifted. The rise to extremes was more progressive. Visible hacktivist and cybercriminal activity was less active in the first days of the conflict, although many DDoS were launched against the space sector.
Second, fewer attacks do not mean weaker cyber activity. And so far, it seems there were less attacks but more sophisticated ones, including retaliations from state and state-affiliated actors against space entities. Third, there is also a geographic shift. Unlike last year, a higher number of attacks were recorded against space entities in the Gulf, particularly the UAE, Saudi Arabia, and Bahrain.
State Operations in the Spotlight
Multiple operations targeting the space sector can be attributed to the Iranian government. While Israeli cyber activities may also have targeted Iranian space-related entities, there is no publicly available evidence to substantiate this. If such operations did occur, they were likely conducted by Israeli state actors rather than hacktivist groups, reinforcing the predominance of state actors in this conflict.
On March 5, a Persian Telegram channel called “Cyberban News,” which presents itself as Iran’s first cyber news agency, claimed that the Iranian hacker group “Mobir” had targeted the Emirati companies Space42, Bayanat, Thuraya, and Yahsat. They claimed to have disrupted their infrastructure, intercepted communications, retrieved data about satellites’ architectures and deleted over 500 TB from the companies’ systems. The rationale for the attack was that these companies cooperate with Israel. To support its claim, it leaked photos of contracts between Yahsat and Israeli company Gilat as well as photos of space systems’ architectures.
While this claim initially seemed overinflated and illegitimate, two days later, Cyberban News released a screen recording video of the IT environment of Space42, showing Mobir actively deleting the company’s data, which offers some evidence.
According to cybersecurity company FalconFeeds, the hacker group Mobir and the Telegram channel CyberBan News Agency are actually linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). Mobir is conducting operations while CyberBan News Agency is publicizing them to maximize the impact. It underlines the growing nexus between cyber and influence operations in attacks against the space sector.
Mobir and CyberBan News Agency did not stop there. On April 4, Mobir claimed another attack against the UAE Space Agency. It claimed to have defaced numerous websites related to the space agency’s domain name, access the cloud infrastructure of the agency, its databases and email servers. It also claimed to have hacked the CCTV cameras in the agency’s offices.
On April 6, Mobir claimed another attack against Saudi’s Arabsat. Mobir claimed to have disrupted the satellite network, without providing additional information. It is still unclear whether these operations really took place. A consistent behavior of CyberBan News Agency is to threaten these space actors to stop cooperating with Israel and its allies.
Another threat actor involved in the conflict is Handala, which is linked to Iran’s Ministry of Intelligence and Security. On March 26, it claimed to have targeted Lockheed Martin. Handala claimed to have directly sent text messages to Israel-based employees to warn them that their personal data was breached and threaten them to leave Israel. As part of another operation, the same group leaked the names and photos of what it claims to be staff of Israel’s Military Intelligence Directorate’s Unit 9900, which is in charge of geospatial intelligence. Physical and cyber threats against space personnel have been rising over the past year and each crisis now includes staff targeting and doxxing, thereby mixing cyber operations and psychological impact.
Moreover, the cybersecurity company CyberShelter revealed that Peach Sandstorm, also known as APT33, which is linked to Iran’s IRGC, launched a campaign of phishing emails related to the conference Abu Dhabi Space Debate to deploy a malware and retrieve data from targeted aerospace companies. This annual Emirati conference takes place each year and brings in high-profile guests from around the world, which may easily trick space personnel. To this day, it is unclear how successful and widespread this phishing campaign was.
Overall, satellites in orbit do not seem to have been impacted by any of the cyber activity currently happening in the Israel-U.S.-Iran war. The ground segment and the IT environment of space entities were always the entry points of identified attacks. Nonetheless, former White House Chief Information Officer Theresa Payton warned that the U.S. must be prepared in case Iran attacks telecommunications satellites.
Hacktivist and Cybercriminal Activity
In terms of visible hacktivist activity, numerous pro-Iranian and pro-Palestinian as well as a few pro-Russian groups took part in DDoS operations. They targeted Israeli, Gulf, and American space entities, including the Bahrain Space Agency, NASA, the Saudi National Geospatial Platform, and Israeli companies such as Elbit Systems, Rafael, IAI, and Epicos.
Numerous claims of data leaks have been posted on cyber-criminal forums, although far less than during the Israel-Iran war of 2025. This might be partly due to the active operations of law enforcement to take down the most prominent forums in recent months. Not only does it make it more difficult for cyber criminals to monetize their operations but it makes tracking threat actor activity more difficult as well for researchers.
Furthermore, hacktivist activity increasingly targets entities that are not part of the space sector but rely on satellites for their activity. For instance, in March, the pro-Iranian and pro-Russian hacktivist group Cardinal claimed to have targeted the Israeli Emergency Response Authority and to have retrieve information about its use of satellite communications. On its own, this operation might not look very critical but it may constitute a first step in the reconnaissance phase of a subsequent attack against the space systems that the Israeli Emergency Response Authority relies on.
Hacktivist activity may not constitute the most sophisticated operations but they provide a signal regarding the interest of threat actors in targeting the space sector and shed light on the perception, whether accurate or not, they have of space entities.
Kinetic Remains the Most Effective Option to Attack Space Systems
While cyberattacks against space systems and the space sector have been prominent in the conflict, hacking a satellite remains a complex and tedious endeavor. Eventually, kinetic strikes remain the most effective threat vector to disrupt space services.
Indeed, Israel targeted the IRGC Aerospace Force Headquarters. While many experts said that the strike only had a symbolic impact considering the limited military space capabilities of Iran, others assessed that it would impact the ballistic missile and command and control capabilities. It remains unclear how the strike actually impacted military operations.
The Israel Defense Forces (IDF) also destroyed the Iranian Space Research Centre in Tehran. The IDF argued that the center was involved in developing anti-satellite capabilities such as the Charman-1 satellite, whose mission is to demonstration orbital maneuver.
On March 9, SES ground stations in Israel were destroyed by a missile strike from Hezbollah. The rationale for the attack was that the site was used by the IDF. This teleport serves multiple customers, the majority of which, if not all, are actually civilian. It highlights the risks of operating ground stations in countries involved in armed conflict. However, incidents like this should not trigger an overreaction, such as withdrawing infrastructure from entire regions.
Space companies may want to delegate risk to avoid operational challenges, and this may push some operators toward ground-station-as-a-service (GaaS) models, a cloud-based, subscription-driven model that allows satellite operators to rent a shared global network of ground stations on a pay-per-use basis, eliminating the need to build and maintain their own ground infrastructure.. While GaaS can reduce risk burdens, it ultimately replaces one risk with another: dependence on a provider whose GaaS access could be restricted due to political disagreements with the company or its home government.
Looking Ahead
This conflict underscores a growing reality: the space sector is no longer peripheral, it is targeted in nearly every crisis. The real challenge lies in making sense of an increasingly complex threat landscape and anticipating how adversaries operate within it.
Weak signals, claims of cyberattacks against satellites and space companies, conversations of threat actors about space companies as well as threats against space personnel are becoming commonplace. Making the difference between serious threats and noise is difficult and requires better cyber threat intelligence.
In the future, the difference between space companies that are resilient and those that are not will increasingly be based on the capacity to access, leverage, contextualize and analyze cyber threat intelligence data to update their security posture, threat models and prioritize their defense.
Clémence Poirier is a Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich, Switzerland. She is the author of the report, “Hacking the Cosmos: Cyber Operations Against the Space Sector.”
