A Global Satellite Security Crisis
From the Editor’s Desk
This week’s headlines remind us: the weakest link is often not malware or phishing—but forgotten infrastructure. When I saw that satellite links carrying military, telecom, and law enforcement data were sent unencrypted, it begged the question: what else are we casually trusting to be “secure by default”?
🔎 Deep Brief
A Global Satellite Security Crisis
Researchers from UC San Diego and the University of Maryland have uncovered a startling vulnerability: large volumes of satellite communications—across military, law enforcement, telecom, and corporate domains—are being transmitted unencrypted, making them susceptible to interception.

Using off-the-shelf hardware (about $800 worth), the team monitored geostationary satellites for months. They intercepted private calls, texts, in-flight Wi-Fi traffic, infrastructure control signals, and even military mission details.
Some organizations responded quickly by retrofitting encryption. But many—especially in infrastructure and critical sectors—lag behind.
Takeaway
These findings expose a blind spot: terrestrial cybersecurity measures matter little if the space-based links are left open. Operators must prioritize end-to-end encryption, adopt physical-layer security methods, and demand better standards for satellite comms.
🧠 Strategy in Action
AI, Breaches & Upskilling the Cyber Workforce
Many organizations now see security roles not as a cost center but as critical enablers. In response, some firms are investing in internal reskilling programs—moving promising engineers or analysts into security tracks—and partnering with specialized training platforms. Others are embedding AI tools into the workflow and offering “security augmentation” roles, where less-experienced staff work alongside AI assistants or threat-intel systems.
Takeaways:
The outcome: better retention, improved threat detection, and more resilience in incident response. But this approach also requires careful change management and mentorship. The lesson: when threats escalate (especially those powered by AI), scaling human capability—through training, tool support, and smarter staffing—can be as effective as buying new defenses.
🕵️ Threat Actor Spotlight
Fancy Bear (APT28)
Fancy Bear, also known as APT28 or Sofacy, is a threat actor long associated with Russian state interests and intelligence operations.
Key traits
Uses spear phishing and credential harvesting, often via spoofed domains and phishing sites.
Deploys custom implants such as XAgent, X-Tunnel, Foozer, DownRange, and more, across both desktop and mobile platforms.
Known for multi-front attacks—targeting governments, defense contractors, media, and dissidents.
In recent campaigns, Fancy Bear is evolving: a new family dubbed “Operation Phantom Net Voxel” included SlimAgent spyware, enabling keylogging, screenshots, and mouse-tracking.
To evade detection, they may clear Windows event logs (using wevtutil cl) and obscure forensic traces.
Defensive advice
For defenders, vigilance is key: monitor for domain spoofing, enforce least privilege and MFA, watch for anomalous outbound traffic, and assume that any phishing email could be an entry vector.
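As an added example (not from the newsletter or any vendor), here is how the log-clearing behaviour described above can be surfaced from endpoint telemetry: it flags the Windows events that record a cleared log (Security event 1102, System event 104) and process-creation records (Security 4688 or Sysmon 1) whose command line invokes wevtutil with the cl or clear-log subcommand. The events are constructed samples, and the field names follow typical SIEM normalisation and are assumptions.

```python
import re
from collections import Counter

# Constructed sample events, not real telemetry. Field names (Channel,
# EventID, CommandLine, User) mirror common SIEM normalisation and are assumed.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4688, "User": "CORP\\svc-backup",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": "Security", "EventID": 1102, "User": "CORP\\svc-backup"},
    {"Channel": "System", "EventID": 104, "User": "CORP\\svc-backup"},
    {"Channel": "Security", "EventID": 4688, "User": "CORP\\analyst",
     "CommandLine": "wevtutil.exe qe Security /c:5"},          # a query, benign
    {"Channel": "Security", "EventID": 4688, "User": "CORP\\svc-backup",
     "CommandLine": 'cmd.exe /c "wevtutil clear-log Application"'},
]

# wevtutil accepts both the short "cl" and the long "clear-log" subcommand.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)

def classify(event):
    """Return a finding label if the event indicates log clearing, else None."""
    channel, event_id = event.get("Channel"), event.get("EventID")
    # Windows writes 1102 to Security when the audit log is cleared ...
    if channel == "Security" and event_id == 1102:
        return "security_audit_log_cleared"
    # ... and 104 to System when any other log is cleared.
    if channel == "System" and event_id == 104:
        return "event_log_cleared"
    # Process creation (Security 4688 / Sysmon 1) carrying a wevtutil clear.
    if event_id in (4688, 1) and WEVTUTIL_CLEAR.search(event.get("CommandLine", "")):
        return "wevtutil_clear_command"
    return None

def detect_log_clearing(events):
    """Return one finding per suspicious event, preserving input order."""
    findings = []
    for e in events:
        label = classify(e)
        if label:
            findings.append({"finding": label, "user": e.get("User"),
                             "evidence": e.get("CommandLine", f"EventID {e['EventID']}")})
    return findings

def findings_by_user(events):
    """Count findings per account so a cluster stands out from a one-off."""
    return Counter(f["user"] for f in detect_log_clearing(events))

if __name__ == "__main__":
    for f in detect_log_clearing(SAMPLE_EVENTS):
        print(f)
    print(dict(findings_by_user(SAMPLE_EVENTS)))
```

A 1102 or 104 event is authoritative on its own; the command-line match adds the account and the exact log that was targeted, which is what an investigator needs to scope the tampering.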
🛠️ Tool Check
Network Intrusion Detection Tools
This comparison focuses on Network Intrusion Detection Systems (NIDS)—software and hardware solutions that monitor traffic, flag suspicious behavior, and support faster response to attacks. It examines both open-source and commercial tools used in enterprise, ISP, and SOC environments. It highlights their features, ease of use, and suitability for different organizational sizes.
ManageEngine EventLog Analyzer - A powerful log file analyzer that detects intrusions and supports full log management.
ManageEngine Log360 - A unified SIEM platform that uses User and Entity Behavior Analytics (UEBA) to identify abnormal activity.
ESET Protect - An integrated threat detection and response suite combining on-device antivirus with cloud-based coordination for advanced threat hunting.
Snort - A widely respected open-source IDS from Cisco that performs both automated and manual packet-based threat detection.
SolarWinds Security Event Manager (SEM) - A full-featured SIEM and intrusion prevention solution that correlates logs across Windows, Unix, Linux, and macOS systems.
🗣️ Community Signal
This is ultimately why I get very frustrated that companies will pay ransom or not take the time to hire a company ahead of time. It’s much easier and cheaper to be preventative and to harden your system and be ready for attacks. I mean, that is the reality of today, and anybody who thinks otherwise is, they’ve got their head in the sand. Matthew Holland, Founder and CEO of Field Effect Security.
📚 Don’t Miss This
Until Friday’s edition - Let’s keep that zero-day count at zero!