
Following the recent escalation between Israel and Iran, the pro-Palestinian hacktivist group GhostSec has reportedly shifted its focus toward space-based assets. It is particularly interested in Israeli satellites.
This is how they protest.
GhostSec has long distinguished itself from the hacktivist landscape by carrying out far more sophisticated tactics and targeted operations than its peers. Currently, the group is focused on targeting VSAT (Very Small Aperture Terminal) systems, which are ground-based terminals used for satellite communications.
These are commonly associated with remote military, government, and other critical industrial control operations. Though the group often claims these operations as attacks on actual "satellites" floating around in space, its actual targets are satellite terminals and exposed network infrastructure on the ground that communicate with orbiting satellites.
It’s a means to manipulate space infrastructure.
Contrary to imagination, hacktivists don’t use specialized RF gear like RTL-SDRs, satellite dishes, or antennas to locate, target, or compromise satellite infrastructure. That’s because VSAT terminals have public-facing IP addresses, which means they’re easily discoverable through IP range scans and with Shodan.
While Shodan remains a top resource among hackers of every shade, VSAT endpoints can also be discovered using OSINT methods to correlate ownership of an ASN/IP with satellite ISPs. They can also be exposed using various SNMP enumeration methods, such as the following Metasploit module: auxiliary/scanner/snmp/snmp_enum.

VSATs, SNMP, Shodan and hacktivism
SNMP stands for Simple Network Management Protocol, which works over port 161. Tons of VSAT terminals expose SNMP interfaces over the internet. Since searching for devices is pretty simple using Shodan, users will be able to see that SNMP is actually a common protocol used in telecommunications, emergency communications, and remote diplomatic outposts.
Think about it. An SNMP write command that changes satellite modem settings could throw an entire region offline, especially in warzones.
VSATs with SNMP interfaces often leak identifying information about the satellites:
- The type of device
- The vendor/manufacturer (e.g., Gilat, iDirect, HughesNet, etc.)
- Interface names (e.g., satEnd0, satUplink, rf0ut, etc.)
- Network topology, including satellite links, modems, routing behavior, etc.
- Physical location
- Uplink/downlink statistics
- GPS coordinates (if set)

Sebastian Dante Alexander, the leader of GhostSec, had this to say about the group’s recent targets:
“The newest attacks towards satellites weren't like our previous ones where we hacked GNSS receivers for these satellites. The VSATS we hit this time are confirmed to be used by the military. The screenshot of the attack shows a step towards the attack we did. We were able to render the two VSATS we hit to be useless until obviously resolved, which took them over 24 hours to do so.”
He explained the group rendered the satellite useless, so that any information or continued usage the Israeli military had for the satellite could not be acquired during its downtime.
In remote deployments, VSAT terminals often depend on SNMP to handle routine monitoring and device management. This lightweight protocol allows service providers to keep tabs on essential metrics like uptime, bandwidth usage, and satellite link performance. It also gives operators the ability to reboot equipment or adjust configurations from afar, a necessity when physical access isn’t practical.
Furthermore, many VSATs ship with default SNMP community strings, such as public (read) and private (write), which are very seldom changed. Leaving these defaults in place on a VSAT terminal creates a threat vector: with public, which carries read privileges, anyone can extract information from the terminal, including traffic logs.
If the private community string is left unchanged, an attacker can write data to the VSAT terminal, which is where the real havoc begins. With access to the private community string, they can reboot the modem, change routing tables, reconfigure uplink parameters, or even brick or disable the VSAT completely.
This is exactly what happened during a confirmed cyberattack at the start of the Russia-Ukraine war: on February 24th, 2022, the same day Russia invaded Ukraine, Viasat’s KA-SAT satellite network serving Ukraine was compromised. The attack rendered tens of thousands of ground terminals inoperable, disrupted Ukrainian military communications, and caused collateral outages affecting wind farms in Germany and civilian ISPs across Central Europe.
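For operators, the default community strings and write access described above can be watched for on the wire. The following is an added example, not code from the article or from any vendor: it parses community-based SNMP (v1/v2c) messages and flags default community strings, write (SetRequest) PDUs, and senders outside the management network. The 10.20.0.0/24 management subnet, the finding labels, and the sample messages are assumptions constructed for illustration.

```python
import ipaddress

MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management subnet
DEFAULT_COMMUNITIES = {b"public", b"private"}
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set", 0xA5: "getbulk"}

def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return (version, community, pdu_name) from an SNMPv1/v2c UDP payload."""
    tag, body, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    vtag, version, pos = _tlv(body, 0)
    ctag, community, pos = _tlv(body, pos)
    if (vtag, ctag) != (0x02, 0x04):  # INTEGER version, OCTET STRING community
        raise ValueError("not a community-based SNMP message")
    pdu_tag = body[pos]
    return int.from_bytes(version, "big"), community, PDU_NAMES.get(pdu_tag, hex(pdu_tag))

def findings(src_ip, payload):
    """Flag the conditions described in the article for one observed packet."""
    try:
        _, community, pdu = parse_snmp(payload)
    except (ValueError, IndexError):
        return ["not-v1-v2c-snmp"]
    checks = [
        ("source-outside-mgmt-net", not any(ipaddress.ip_address(src_ip) in n for n in MGMT_NETS)),
        ("default-community", community in DEFAULT_COMMUNITIES),
        ("write-request", pdu == "set"),
    ]
    return [name for name, hit in checks if hit]

def sample(community, pdu_tag):
    """Constructed message for testing: v2c header plus an empty PDU of the given type."""
    enc = lambda tag, val: bytes([tag, len(val)]) + val
    return enc(0x30, enc(0x02, b"\x01") + enc(0x04, community) + enc(pdu_tag, b""))

if __name__ == "__main__":
    print(findings("203.0.113.7", sample(b"private", 0xA3)))
```

Fed from a packet capture or a network sensor on UDP port 161, any non-empty result for a terminal's address is worth an alert.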
GhostSec’s goal
The group’s identity is inherently connected with targeting high-value network infrastructure. The unusually sophisticated attacks set them apart from most hacktivist groups, who typically go after low-hanging targets using out-of-the-box tools and produce uninteresting results.
In the Spring of 2023, GhostSec made headlines after sabotaging 11 Global Navigation Satellite System (GNSS) devices, which gave them the ability to wipe data from each one, as well as disable any future data acquisition from the satellites.
However, GhostSec’s current attack, although similar to this previous one, was slightly different.
“The GNSS receivers were mostly images or used for general purposes. This time, we targeted eight specific satellites and successfully managed to hit two of them, which had a much larger impact in this scenario.”
GhostSec’s Telegram channel reveals an ideologically driven narrative behind its renewed interest in hacking satellites. On June 13th, GhostSec noted the oppression in Palestine and Israel’s continued escalation of wrongdoing.
“Besides shutting down over 500+ Websites and counting, we present even more attacks. We have hit over 100 Modbus PLC devices affecting their industrial and OT systems all over the country. We have hacked over 40 Aegis 2 water devices, defacing some of them. And completely messing with the settings of the rest, eventually shutting them down completely.”
“We have hacked eight Unitronics devices, and after the absolute abuse of the systems, shut them down too. We have hacked a total of 10 VSAT devices belonging to Israel, specifically the satellites we mentioned briefly in our previous posts, affecting Satellites directly owned by Israel and the military.”
“We have a history of attacking Israel, all our previous attacks, breaches, and much more. Our totalling record of 700+ devices hacked in the past year alone says a lot, but today we provide a large-scale attack to continue the pressure being applied on them.”
The post ends with a statement of solidarity with Palestine.
Earlier posts from June 11th show the group’s OSINT (Open Source Intelligence) skills, where they post a list of Israeli satellite systems and their strategic value. For example, the satellite system SatTrooper-1000, developed by Gilat Satellite Networks, is used by manpack terminals utilized for ground troops' communications.
While this is publicly available information, GhostSec is evidently compiling a military SATCOM target dossier like a digital “wish list.”
Psychological framing
Furthermore, the group’s use of propaganda as a psychological amplifier carries an element of psychological warfare. Unlike other groups I have personally observed, GhostSec's delivery of news to its 3,607 Telegram subscribers is arguably unique.
Most groups tend to copy/paste what I call “news vomit,” which acts as an emotional amplifier, filled with half-truths, unverified claims, and just poor news reporting. Consequently, members respond to it emotionally, not tactically. They fuel the feeling of desperation, which is why so many hacktivist groups don’t accomplish anything interesting or even news-worthy.
GhostSec’s confident, direct tone, combined with their precision and control, cultivates a completely different response, typically referred to as information dominance through authoritative framing. They may not even be fully aware of this, but their confidence serves as a badge of merit.
The way GhostSec discusses its ideals and objectives carries a strong psychological impact. To the State of Israel, it could create the perception that its secure, encrypted systems are being analyzed and prepared for attack.
To GhostSec’s many supporters, the group projects sophistication and research capability, reinforcing its legitimacy. They achieve this not by asking questions or speculating, but by presenting classified-grade information as if it were theirs to command, framing the entire scenario as a matter-of-fact.