In the reconnaissance phase the adversary tries to gather information about the targeted system that could be useful in the later stages of an attack. Good intelligence about the target system allows the adversary to find the most critical assets and weakest links, the information to be stolen, the services that can be attacked and the damage that can be caused. Information gathering includes active and passive techniques. While some techniques are the same as for typical IT systems, such as gathering information about the victim’s organisation, and others resemble them, such as scanning, the latter differ because of the nature of space missions. For instance, interception, whether active or passive, is mainly RF or optical based, owing to the nature of space communication links. Conversely, other techniques commonly used in the IT world, such as wordlist scanning or IP scanning, do not really make sense for space systems, at least for traditional ones (this may change for new systems like Starlink or others that offer Internet connectivity via large Low Earth Orbit constellations). Finally, there are space-specific techniques such as in-orbit proximity intelligence, while others, such as remote vulnerability scanning, may be applicable only to ‘New Space’ systems and only after remote access has been achieved.
| ID | Name | Description |
|---|---|---|
| T2001 | Active Scanning (RF/Optical) | The technique is the same as Passive Interception; the difference is that the attacker initiates interaction with the space target, trying to trigger potential responses (even error messages) by actively sending signals/packets. The scan can be similar to a "brute force" attack, in the sense that the objective is to ‘guess’ the frequencies and protocols in use in order to obtain a reply. This is why authentication is also included here as a mitigation measure (provided that it does not solicit any response to unauthenticated signals). On the other hand, since sending telemetry data will not trigger any response, owing to its nature (even if it is fully compliant with the expected format), it is not included here as a sub-technique. |
| .001 | Telecommand Protocol Scanning | An attacker tries to gain knowledge about the Telecommand implementation, including the authentication and encryption status. |
| .002 | Telemetry Protocol Scanning | An attacker tries to gain knowledge about the Telemetry implementation, including the authentication and encryption status. |
| .003 | Mission specific channel scanning | An attacker tries to gain knowledge about a payload-dedicated communication channel peculiar to a specific mission. The channel can be managed by a different company than the owner of the satellite. Scanning includes authentication/encryption schemes and medium access control. |
| .004 | Remote Vulnerability Scanning | As ‘New Space’ missions typically use COTS or OSS, remote vulnerability scanning can also be a technique (it may require authentication). |
| T2002 | Gather Victim Mission Information | An attacker tries to gather information about a specific mission in order to target it. An attacker can find information about the firmware, software, hardware, frequencies, protocols, cryptographic algorithms and spacecraft descriptors used in a mission, and other knowledge such as the spacecraft design, architecture, position and trajectory. The application of this technique to the supply chain can lead to a leak of software, tools, datasheets or designs. If COTS or open-source components are used, information can be easily gathered online or from the producing company. |
| .009 | Search Closed Sources | Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less reputable sources such as dark web or cybercrime black markets. |
| .010 | Spear Phishing attacks | Spear Phishing attacks, targeting engineers, etc., to get information about the design, technologies used, etc. Spear Phishing attacks can be performed using any of the techniques mentioned in T1598. |
| .011 | Open Source Intelligence (OSINT) | An attacker can purchase relevant information from open sources like available websites or social media, published documents, etc. |
| T1591 | Gather Victim Org Information | Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. |
| .005 | Search Closed Sources | Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less reputable sources such as dark web or cybercrime black markets. |
| .006 | Open Source Intelligence (OSINT) | An attacker can purchase relevant information from open sources like available websites or social media, published documents, etc. |
| .007 | Spear Phishing attacks | Spear Phishing attacks, targeting engineers, etc., to get information about the design, technologies used, etc. Spear Phishing attacks can be performed using any of the techniques mentioned in T1598. |
| T2029 | In orbit proximity intelligence | The attacker, mainly a military organization, can use satellites positioned in proximity to the victim satellite to gather information, visual or radio, about the satellite's capabilities or its activity. |
| .001 | Optical (visual) reconnaissance | Proximity intelligence can be visual, with cameras or other optical sensors, to gain information about the satellite's hardware. |
| .002 | Electromagnetic reconnaissance | Proximity intelligence can be electromagnetic, using antennas to intercept communications or to measure other EM emissions in an attempt at a side-channel attack. |
| .003 | Telemetry Protocol Interception | An attacker tries to gain knowledge about the Telemetry implementation, including the authentication and encryption status. |
| .004 | Telecommand Protocol Interception | An attacker tries to gain knowledge about the Telecommand implementation, including the authentication and encryption status. While the signal is weak, proximity to the legitimate recipient may make this more feasible when very narrow beams are used. |
| .005 | Mission specific Channel Interception | An attacker tries to gain knowledge about a payload-dedicated communication channel peculiar to a specific mission. The channel can be managed by a different company than the owner of the satellite. Interception includes authentication/encryption schemes and medium access control. |
| .006 | Traffic Analysis | The attacker intends to determine which entities are communicating with each other without the ability to access the communicated information. |
| T2004 | Passive Interception (RF/Optical) | An attacker tries to gain knowledge about which communication protocols are used and how, looking for ways to exploit them. This can be done by intercepting, recording and analyzing the signal to extract as much information as possible about the communication protocols. For example, different protocols can apply SDLS security to a part of the services. Optical links can be used for satellite feeder and inter-satellite links, for some special payloads, or for deep space communications (the availability problem caused by clouds should be considered if the receiver is on the Earth). If the downlink signal is sent by a distant spacecraft, the beam covers a large ground area on the Earth, and the possible scanning area is extended. Receiving a satellite signal is simple and cheap; various open-source projects exist, e.g., NyanSat. |
| .001 | Telecommand Protocol Interception | An attacker tries to gain knowledge about the Telecommand implementation, including the authentication and encryption status. |
| .002 | Telemetry Protocol Interception | An attacker tries to gain knowledge about the Telemetry implementation, including the authentication and encryption status. |
| .003 | Mission specific Channel Interception | An attacker tries to gain knowledge about a payload-dedicated communication channel peculiar to a specific mission. The channel can be managed by a different company than the owner of the satellite. Interception includes authentication/encryption schemes and medium access control. |
| .005 | Traffic Analysis | The attacker intends to determine which entities are communicating with each other without the ability to access the communicated information. |
| T1598 | Phishing for Information | "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information." Gathering data from the victim is the final objective. |
| .001 | Spear Phishing to Ground Segment Operators | The attack can target Ground Segment operators to gain information useful for targeting the Ground Segment later. |
| .002 | Spear Phishing to Industry/Space Agencies | The attack can target industries or space agencies involved in development, and it could result in information leaks that can be used to target the attack or to produce some specific hardware. In this last case it can even affect the supply chain. |
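As an added example (it is not part of the taxonomy above and models no real mission's protocol), the following Python illustrates the mitigation noted in the T2001 row: a telecommand receiver that authenticates every frame with a constructed 8-byte HMAC tag, transmits nothing at all when a frame is rejected (so an active scan obtains no reply, not even an error message, to learn from), and raises an alert when a single station accumulates five rejected frames within a one-minute window, which is the trace an active protocol or channel scan leaves in the receiver's own logs. The frame layout, link key, virtual-channel plan, station names and traffic are all constructed for this example.

```python
"""Silent-drop telecommand receiver with a scan-burst detector (constructed example)."""
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed link key and channel plan; a real mission keeps its key in the key-management system.
LINK_KEY = b"\x01" * 16
KNOWN_VCS = {0, 1}          # virtual channels the mission actually provisions
TAG_LEN = 8                 # truncated HMAC-SHA256 tag appended to each frame
WINDOW_S = 60.0             # sliding window for the scan detector, in seconds
REJECT_THRESHOLD = 5        # rejected frames per station per window that raise an alert


def build_frame(vc, payload, key=LINK_KEY):
    """Constructed TC frame layout: 1-byte VC id | payload | TAG_LEN-byte HMAC tag."""
    header = bytes([vc])
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def verify_frame(frame, key=LINK_KEY):
    """Return (vc, payload) if the frame authenticates and targets a provisioned VC, else None."""
    if len(frame) < 1 + TAG_LEN:
        return None
    header, body, tag = frame[:1], frame[1:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):     # constant-time comparison of the tags
        return None
    vc = header[0]
    if vc not in KNOWN_VCS:                        # authentic key but unprovisioned channel
        return None
    return vc, body


class TcReceiver:
    """Receiver that stays silent on rejected frames and counts rejections per station."""

    def __init__(self):
        self.rejects = defaultdict(deque)   # station -> timestamps of rejected frames in window
        self.alerted_until = {}             # station -> end of the window already alerted on
        self.alerts = []                    # (station, rejected-in-window, timestamp)
        self.log = []                       # constructed receiver log lines

    def ingest(self, ts, station, frame):
        """Process one received frame; returns the response to transmit, or None for silence."""
        result = verify_frame(frame)
        if result is None:
            vc = frame[0] if frame else None
            self.log.append(f"{ts:.0f} {station} REJECT vc={vc} len={len(frame)}")
            self._note_reject(ts, station)
            return None                     # no NAK, no error telemetry: nothing for a scanner to learn
        vc, payload = result
        self.log.append(f"{ts:.0f} {station} ACCEPT vc={vc} len={len(payload)}")
        return f"ACK vc={vc}"

    def _note_reject(self, ts, station):
        window = self.rejects[station]
        window.append(ts)
        while window and ts - window[0] > WINDOW_S:   # drop rejections older than the window
            window.popleft()
        if len(window) >= REJECT_THRESHOLD and ts > self.alerted_until.get(station, -1.0):
            self.alerts.append((station, len(window), ts))
            self.alerted_until[station] = ts + WINDOW_S   # one alert per station per window


def run_demo():
    """Constructed traffic: a provisioned station sends valid frames, then an unknown
    station sweeps virtual channels 0..5 with frames tagged under a different key."""
    rx = TcReceiver()
    responses = []
    for i in range(3):
        responses.append(rx.ingest(10.0 + i, "GS-MAIN", build_frame(0, b"NOOP")))
    wrong_key = b"\x02" * 16
    for i in range(6):
        responses.append(rx.ingest(40.0 + i, "UNKNOWN-RX", build_frame(i, b"\x00", wrong_key)))
    return responses, rx.alerts, rx.log


if __name__ == "__main__":
    resp, alerts, log = run_demo()
    print("\n".join(log))
    print("responses:", resp)
    print("alerts:", alerts)
```

The point of the silent drop is that the receiver's behaviour is identical for a wrong frequency, a wrong protocol and a wrong key, so the scan gains no information from the spacecraft; the rejection counter then turns that silence into a detection signal on the ground. The window and threshold are constructed values and would be tuned against the mission's normal rate of genuine rejections (for instance link errors during low-elevation passes).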