Accessing a system is the first step an attacker performs against it, after the preparatory phase. The attacker can use various techniques to gain a foothold in the system and then continue with malicious operations. While the adversary techniques of the Initial Access tactic for the space segment share some commonalities with the IT domain, for example a potential supply chain compromise and the exploitation of trust relationships (if any), most of them are quite different, due to the nature of space systems. Apart from the aforementioned ones, the main ways to get initial access to a spacecraft are through a compromised ground segment (which controls the spacecraft), or by getting access directly to the spacecraft by using stolen/compromised cryptographic keys or by exploiting safe mode.
The attacker can target the ground station or try to get into the space component. Because this last component is unreachable once launched, initial access techniques are usually related to physical access before the launch or to the violation of communication channels.
| ID | Name | Description |
|---|---|---|
| T2008 | Direct Attack to Space Communication Links | An attacker can leverage communication channels to initially access a resource, using the TT&C or a payload channel, opening a communication link to compromise the victim system. An attacker can perform different actions. |
| .004 | Exploitation of clear mode (also known as safe mode) | An attacker can exploit the TC channel if a spacecraft is in clear mode, e.g. during the safe mode of operation. |
| .006 | Record and replay TC/TM or mission specific packets | An attacker can record and replay TC/TM packets to deceive the spacecraft or the ground station, causing an unexpected behavior or an erroneous evaluation of the spacecraft status. An attacker can gain access to the data exchanged in a payload channel or even spoof TC. Usually a TM replay has no impact, unless timing information is transmitted. |
| T2030 | Ground Segment Compromise | Adversaries may compromise the Ground Segment, using it as a stepping stone to get Initial Access to the Space Segment and the system in general. If an attacker can get access to a Ground Segment that controls the targeted spacecraft, then through it he can potentially compromise the spacecraft itself. Ground segment compromise can be either logical or physical. |
| .001 | Logical compromise | There can be various ways of Ground Segment compromise, which closely resemble the MITRE ATT&CK® Enterprise methods and are beyond the scope of this work. |
| .002 | Physical compromise | An attacker can exploit missing physical security (e.g. facilities not protected with physical barriers). |
| T1195 | Supply Chain Compromise | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. |
| .001 | Compromise Software Dependencies and Development Tools | Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. |
| .002 | Compromise Software Supply Chain | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. |
| .003 | Compromise Hardware Supply Chain | An attacker can replace a hardware component in the supply chain with a custom or counterfeit part, to damage the system or to use it as a future backdoor. An attacker can also induce the intentional use of a non-genuine HW component to reduce the system reliability. |
| T2039 | Trusted Relationship | An attacker can compromise another system which can then be used to get access to an interconnected one by exploiting the trusted relationship between the two. In the context of space missions this can be e.g. the case of Federated missions. |
| .001 | External Entities interconnected to main mission | An attacker can compromise the system of a contractor company to steal, modify or damage resources. A scientific or other connected company/research institution can be compromised for the same objective. Connected networks or data exchanges can be leveraged to propagate the attack. |
| .002 | Federated missions | TBD |
| .003 | Interconnected spacecrafts | An attacker can leverage the interconnection to another spacecraft to compromise it in order to, in the end, compromise the target. |
| T2009 | Valid Credentials | Adversaries may obtain and abuse credentials to gain Initial Access or Persistence in a space resource. Compromised credentials may be used to bypass access controls placed on systems within the network, to decrypt communication, to send authenticated messages and to take control of the spacecraft. Gained credentials may even be used for persistent access to the resource. |
| .001 | Steal cryptographic keys | Adversaries may obtain and abuse master or session keys to gain Initial Access or Persistence. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to communication channels. |
| .002 | Forge Digital Certificates | If an attacker gains control of the credential-management system and issues credentials, he can access the system and maintain persistent control over it. In that case all existing credentials need to be invalidated and reissued. CCSDS recommends two forms of credentials: X.509 certificates and protected simple authentication. The authenticity of an X.509 certificate is dependent upon the digital signature of the CA attesting to the credential. If the digital signature algorithm used by the CA is of insufficient cryptographic strength, a credential may be spoofed. |
| .003 | Brute force attack against TC channel or mission channel | An attacker can use brute force to gain access to a TC channel, to brute-force the encryption or to guess the valid commands. |