During Resource Development, the adversary is trying to establish resources they can use to support operations. It includes adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle. The techniques of the Resource Development tactic are to a great extent the same as those used in IT attacks and reflected in the MITRE ATT&CK matrix; what really differs are the sub-techniques, which are space-specific.
ID | Name | Description | |
T1583 | Acquire or Build Infrastructure | An attacker can acquire a Ground Segment, a Ground Station service (e.g. Amazon service), satellite(s), or other infrastructure that can be useful to their attack plans. Such infrastructure can be a set of antennas, lasers, Software Defined Radios (SDR) or other equipment able to transmit the desired signals. Such equipment can be fixed on the ground, mounted on vehicles like trucks, ships, aircraft, or also installed on board satellites. | |
.001 | Acquire Ground-station/ Ground segment | Building a new ground station or gaining control of an existing one. | |
.003 | Acquire jamming equipment | Antennas, lasers, or other equipment able to jam a radio or visible-light frequency can be useful to prevent communication or image acquisition. These instruments can be fixed on the ground, mounted on vehicles like trucks, ships, aircraft, or also installed on board satellites. | |
.004 | Acquire Satellite | Launching a new satellite or gaining control of an existing satellite. | |
.005 | Rent ground segment as a service | Building a Ground Segment, or renting a cloud-based Ground Segment (e.g., AWS). | |
T2038 | Compromise Account | For the Space Segment, the accounts are typically the cryptographic keys used to authenticate the execution of telecommands at a spacecraft. | |
.001 | Brute forcing | Brute-forcing telecommand access to a satellite by trying different keys. | |
T1584 | Compromise Infrastructure | This is similar to the acquisition of infrastructure (T1583), with the difference that in these cases adversaries break into the infrastructure by compromising its security. They can get access to a ground segment, gain control of satellites, etc. Apart from the ‘typical’ attacks, compromised satellites can also be used e.g. for kinetic attacks or for creating botnets (e.g. for RF jamming, etc.). Such a threat is even bigger when the compromise involves numerous satellites that are part of a large LEO constellation of a ‘New Space’ mission. | |
.001 | Compromise Ground Segment | If a Ground System is located in a remote area with limited physical security controls, a physical violation of the site is possible. There should be authentication systems implemented that make it difficult to use the system without proper authorization. | |
.002 | Compromise Satellite(s) | Compromised or malicious satellites might be abused by adversaries to achieve kinetic effects on other satellites in orbit, such as sensor interference or manipulation. | |
T2007 | Develop/Obtain Capabilities | Adversaries may build, buy or steal capabilities that can be used during targeting. | |
.002 | Code Signing Certificates | Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. | |
.003 | Digital Certificates | CCSDS recommends two forms of credentials: X.509 certificates and protected simple authentication. There are risks for CCSDS systems utilizing credentials if an attacker gains control of the credential-management system and can issue credentials. If the credential-management process is compromised, existing credentials must be invalidated and all credentials reissued. The authenticity of an X.509 certificate is dependent upon the digital signature of the CA attesting to the credential. If the digital signature algorithm used by the CA is of insufficient cryptographic strength, a credential may be spoofed. | |
.004 | DSSS or Frequency hopping sequence | An attacker can guess the spread-spectrum or frequency-hopping sequence in order to reconstruct the received signal. | |
.005 | Malicious supply chain capabilities | Obtain or create malicious capabilities inside hardware or software intended to be used in a specific project. Injecting the malicious HW/SW in the right place is difficult, and it is also difficult to be sure that the part will be integrated into a system. | |
.006 | Software vulnerabilities | Exploiting unpatched, outdated or legacy COTS software deployed across the platform. COTS products are often highly complex, some of them involving tens of millions of lines of code, so that no one knows their content and behavior in detail. SDRs introduce protocol-independent software vulnerabilities into the communication system. | |
.008 | Space Protocol Vulnerabilities | Adversaries may acquire information about vulnerabilities that can be used during targeting. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases. | |
.009 | Tools for attacking space systems | An attacker can also develop or obtain tools that can be used to attack a space system. For example, tools can help with vulnerabilities research and tests. | |
.010 | TC/TM request forging | An attacker can obtain capabilities to forge TC/TM or mission-specific frames. | |
.011 | Cryptographic Keys | An attacker can obtain master or session cryptographic keys or other cryptographic information used for authentication, encryption, etc. |