Resource Development

During Resource Development, the adversary is trying to establish resources they can use to support operations. It includes adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle. The techniques of the Resource Development tactic are largely the same as those used in IT attacks and reflected in the MITRE ATT&CK matrix; what differs are the sub-techniques, which are space-specific.

ID: TA0042
Created: 25 August 2022
Last Modified: 14 April 2023

Techniques

Techniques: 4
ID Name Description
T1583 Acquire or Build Infrastructure An attacker can acquire a Ground Segment, a Ground Station service (e.g. Amazon service), satellite(s), or other infrastructure that can be useful to their attack plans. Such infrastructure can be a set of antennas, lasers, Software Defined Radios (SDR) or other equipment able to transmit the desired signals. Such equipment can be fixed on the ground, mounted on vehicles such as trucks, ships or aircraft, or installed on board satellites.
.001 Acquire Ground-station/Ground segment Building a new ground station or gaining control of an existing one.
.003 Acquire jamming equipment Antennas, lasers, or other equipment able to jam a radio or visible-light frequency can be useful to prevent communication or image acquisition. These instruments can be fixed on the ground, mounted on vehicles such as trucks, ships or aircraft, or installed on board satellites.
.004 Acquire Satellite Launching a new satellite or gaining control of an existing satellite.
.005 Rent ground segment as a service Building a Ground Segment, or renting a cloud-based one (e.g., AWS).
T2038 Compromise Account For the Space Segment, the accounts are typically the cryptographic keys used to authenticate the execution of telecommands at a spacecraft.
.001 Brute forcing Brute force telecommand access to a satellite by trying different keys.
T1584 Compromise Infrastructure It is similar to the acquisition of infrastructure (T1583), with the difference that in these cases adversaries break into the infrastructure by compromising its security. They can get access to a ground segment, gain control of satellites, etc. Compromised satellites can be used, apart from the ‘typical’ attacks, also e.g. for kinetic attacks or for creating botnets (e.g. for RF jamming). Such a threat is even bigger when numerous satellites that are part of a large LEO constellation of a ‘New Space’ mission are compromised.
.001 Compromise Ground Segment If a Ground System is located in a remote area with limited physical security controls, a physical violation of the site is possible. There should be authentication systems implemented that make it difficult to use without proper authorization.
.002 Compromise Satellite(s) Compromised or malicious satellites might be abused by adversaries to achieve kinetic effects on other satellites in orbit, such as sensor interference or manipulation.
T2007 Develop/Obtain Capabilities Adversaries may build, buy or steal capabilities that can be used during targeting.
.002 Code Signing Certificates Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
.003 Digital Certificates CCSDS recommends two forms of credentials: X.509 certificates and protected simple authentication. There are risks for CCSDS systems utilizing credentials if an attacker gains control of the credential-management system and can issue credentials. If the credential-management process is compromised, existing credentials need to be invalidated and all credentials reissued. The authenticity of an X.509 certificate is dependent upon the digital signature of the CA attesting to the credential. If the digital signature algorithm used by the CA is of insufficient cryptographic strength, a credential may be spoofed.
.004 DSSS or Frequency hopping sequence An attacker can guess the Spread Spectrum or the frequency hopping sequence, to reconstruct the received signal.
.005 Malicious supply chain capabilities Obtain or create malicious capabilities inside hardware or software intended to be used in a specific project. Injecting the malicious HW/SW in the right place is difficult; it is also difficult to be sure that the part will be integrated into a system.
.006 Software vulnerabilities Exploiting unpatched/outdated/legacy COTS software deployed across the platform. COTS products are often highly complex, some of them involving tens of millions of lines of code, so that no one knows their content and behavior in detail. SDRs introduce protocol-independent software vulnerabilities into the communication system.
.008 Space Protocol Vulnerabilities Adversaries may acquire information about vulnerabilities that can be used during targeting. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.
.009 Tools for attacking space systems An attacker can also develop or obtain tools that can be used to attack a space system. For example, tools can help with vulnerability research and testing.
.010 TC/TM request forging An attacker can obtain capabilities to forge TC/TM or mission-specific frames.
.011 Cryptographic Keys An attacker can obtain master or session cryptographic keys or other cryptographic information used for authentication, encryption, etc.