Unverified COTS hardware enables persistent attacks in small satellites via SpyChain

Pierluigi Paganini October 14, 2025

SpyChain shows how unverified COTS hardware in small satellites can enable persistent, multi-component supply chain attacks using NASA’s NOS3 simulator.

The rise of small satellites has transformed scientific, commercial, and defense operations. Using commercial off-the-shelf (COTS) parts makes them cheaper and faster to build but also introduces new, poorly understood security risks unique to space systems.

The paper “SpyChain: Multi-Vector Supply Chain Attacks on Small Satellite Systems” introduces SpyChain, a framework for studying supply chain threats in small satellite systems. Unlike prior work focused on direct software attacks, SpyChain examines risks from third-party COTS hardware that often lacks strong verification but has deep system access. Using NASA’s NOS3 simulator, it demonstrates the first practical, persistent, multi-component supply chain attack on small satellites.

SpyChain tests five levels of attacks, from simple time-triggered components to complex, coordinated malware using multiple modules. In advanced cases, infected parts communicate through normal system messages or hidden file channels to launch attacks at key mission moments, such as after reaching orbit. The study shows these threats can remain stealthy during testing and launch, activating only when certain conditions are met, making them very hard to spot before or after deployment.

Below are the attack scenarios implemented by the researchers:

  • Scenario 1 – Single Component, Time Trigger
    A single malicious app waits for a countdown to finish after system boot, then secretly sends mission data to an attacker-controlled ground station.
  • Scenario 2 – Single Component, GNSS Trigger
    One app monitors satellite GPS data and starts transmitting stolen telemetry once it detects the satellite has reached orbit.
  • Scenario 3 – Two Components, Time Trigger with Bus Messaging
    Two apps work together: one triggers after a timer ends and sends a message via the software bus to another, which then exfiltrates mission data.
  • Scenario 4 – Two Components, GNSS Trigger with Bus Messaging
    A trigger app watches GNSS data and, once in orbit, signals the attack app through the software bus to begin sending stolen data.
  • Scenario 5 – Two Components, GNSS Trigger with File Coordination
    The trigger app writes an activation command to a hidden system file when orbit is detected. The attack app reads it and starts transmitting data to the attacker.

SpyChain demonstrates “stealth by design”: malicious COTS components use only legitimate APIs, native system calls, and real telemetry subscriptions to blend into normal satellite operations while avoiding logs and runtime audits. A compromised module can quietly exfiltrate telemetry, disrupt software or communications, or inject deceptive commands without alerting flight operators.

The adversary model assumes a supply-chain insider or nation-state actor who embeds malware before launch and knows the flight-software interfaces (e.g., cFS, POSIX-like OS). With modest ground resources (access to a ground station or inexpensive software-defined radios), attackers can receive stolen data and control payloads. The researchers demonstrate that attackers can mount persistent, multi-phase campaigns that trigger only under mission-relevant conditions (e.g., orbital insertion), bypassing common architectural assumptions about module trust and component isolation and making detection extremely difficult both pre-launch and in orbit.

The paper details SpyChain’s full attack lifecycle: supply-chain compromise, dormancy, telemetry- or event-triggered activation, covert exfiltration, and flexible actions from surveillance to sabotage. Coordinated multi-module malware is a new TTP in the SPARTA cyber kill chain. The study exposes major smallsat vulnerabilities: weak runtime monitoring, no software bus authentication, poor access controls, and limited logging. These highlight the urgent risk of covert, persistent compromise amid growing space ransomware, espionage, and supply-chain threats.

The authors conclude with a thoughtful discussion of practical, actionable mitigations that could be employed in future smallsat missions. These include:

  • Implementing runtime monitoring of system calls and message rates to identify abnormal behaviors from plug-and-play components.
  • Enforcing strict authentication and access control on inter-component communication (software bus) to prevent unauthorized access.
  • Adopting syscall restriction frameworks (e.g., seccomp) to close down covert channels.
  • Building transparency into the supply chain (“zero-trust” module design), allowing integrators to independently verify firmware and manifest-provided permissions.
  • Bolstering operator training to recognize unique supply-chain threats, and establishing well-defined behavioral baselines for anomaly detection.
  • Advocating for regular simulated incident response exercises to test these defenses in representative mission scenarios.
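As an added illustration of the message-rate monitoring, bus access control and manifest-provided permissions named in the list above (not code from the paper, NOS3 or cFS), the sketch below checks each software-bus publish against what a component declared at integration time. The manifest layout, app names and message IDs are hypothetical, and the sample events are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical manifest entry: one message a component declared at integration. */
typedef struct { const char *app; uint16_t msg_id; unsigned max_per_s; } ManifestEntry;
/* One publish observed on the software bus (time in whole seconds). */
typedef struct { unsigned t_sec; const char *app; uint16_t msg_id; } BusEvent;
/* Per-entry counter for the current one-second window. */
typedef struct { unsigned window; unsigned count; } RateState;
enum Verdict { BUS_OK, UNDECLARED_MSG, RATE_EXCEEDED };

/* Check one publish against the manifest and update the rate counters. */
enum Verdict check_event(const ManifestEntry *man, RateState *st, size_t n,
                         const BusEvent *ev) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(man[i].app, ev->app) != 0 || man[i].msg_id != ev->msg_id)
            continue;
        /* A new second restarts the count for this manifest entry. */
        if (st[i].window != ev->t_sec) { st[i].window = ev->t_sec; st[i].count = 0; }
        return ++st[i].count > man[i].max_per_s ? RATE_EXCEEDED : BUS_OK;
    }
    return UNDECLARED_MSG;   /* sender never declared this message ID */
}

/* Constructed sample data: app names and message IDs are made up. */
static const ManifestEntry MANIFEST[] = {
    { "gnss_app", 0x0870, 1 }, { "payload_app", 0x08A0, 2 } };
static const BusEvent EVENTS[] = {
    {1, "gnss_app", 0x0870}, {2, "gnss_app", 0x0870}, {3, "gnss_app", 0x0870},
    {3, "gnss_app", 0x18F0},                         /* undeclared message ID */
    {4, "payload_app", 0x08A0}, {4, "payload_app", 0x08A0}, {4, "payload_app", 0x08A0},
    {4, "payload_app", 0x08A0}, {4, "payload_app", 0x08A0} }; /* burst above 2 msg/s */

/* Replay the sample and count how many events received the given verdict. */
int count_verdicts(enum Verdict want) {
    RateState st[2] = { {0, 0}, {0, 0} };
    int hits = 0;
    for (size_t i = 0; i < sizeof EVENTS / sizeof EVENTS[0]; i++)
        hits += check_event(MANIFEST, st, 2, &EVENTS[i]) == want;
    return hits;
}

int main(void) {
    printf("undeclared=%d rate_exceeded=%d ok=%d\n", count_verdicts(UNDECLARED_MSG),
           count_verdicts(RATE_EXCEEDED), count_verdicts(BUS_OK));
    return 0;
}
```

A default-deny check like this only helps if the monitor sees every publish and the manifest itself is verified by the integrator rather than taken on trust from the component supplier.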

The research, done with NASA’s NOS3 simulation team, improved the testbed for cybersecurity analysis and countermeasure testing. It shows that unchecked supply chain vulnerabilities in small satellites could enable spying, disruption, or cascading effects on critical sectors like telecom, defense, and navigation. The experiments were ethically conducted on simulators, with safeguards to prevent exploit propagation, and findings were shared with NASA and the smallsat security community. The study advocates a shift from “trust by design” to default verification, authentication, and monitoring. Without systemic changes, the modularity and cost-efficiency driving the small satellite boom could ironically become its greatest vulnerability, highlighting the urgent need for robust security practices across the sector.

In summary, “SpyChain” successfully demonstrates the practicality and danger of long-term, stealthy, coordinated supply-chain compromise in the space sector. It provides the first comprehensive, scenario-driven taxonomy for understanding, detecting, and mitigating these threats—raising awareness among researchers, industry, operators, and policymakers, and laying the groundwork for a new era of resilient space cybersecurity.
