This is an European Space Agency Space instance of the MITRE ATT&CK Website.

TECHNIQUES

Active Scanning (RF/Optical)

Telecommand Protocol Scanning

Telemetry Protocol Scanning

Mission specific channel scanning

Remote Vulnerability Scanning

Gather Victim Mission Information

Search Closed Sources

Spear Phishing attacks

Open Source Intelligence (OSINT)

Gather Victim Org Information

Search Closed Sources

Open Source Intelligence (OSINT)

Spear Phishing attacks

In orbit proximity intelligence

Optical (visual) reconnaissance

Electromagnetic reconnaissance

Telemetry Protocol Interception

Telecommand Protocol Interception

Mission specific Channel Interception

Traffic Analysis

Passive Interception (RF/Optical)

Telecommand Protocol Interception

Telemetry Protocol Interception

Mission specific Channel Interception

Traffic Analysis

Phishing for Information

Spear Phishing to Ground Segment Operators

Spear Phishing to Industry/Space Agencies

Resource Development

Acquire or Build Infrastructure

Acquire Ground-station/ Ground segment

Acquire jamming equipment

Acquire Satellite

Rent ground segment as a service

Compromise Account

Compromise Infrastructure

Compromise Ground Segment

Compromise Satellite(s)

Develop/Obtain Capabilities

Code Signing Certificates

Digital Certificates

DSSS or Frequency hopping sequence

Malicious supply chain capabilities

Software vulnerabilities

Space Protocol Vulnerabilities

Tools for attacking space systems

TC/TM request forging

Cryptographic Keys

Direct Attack to Space Communication Links

Exploitation of clear mode (also known as safe mode)

Record and replay TC/TM or mission specific packets

Ground Segment Compromise

Logical compromise

Physical compromise

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Software Supply Chain

Compromise Hardware Supply Chain

Trusted Relationship

External Entities interconnected to main mission

Federated missions

Interconnected spacecrafts

Valid Credentials

Steal cryptographic keys

Forge Digital Certificates

Brute force attack against TC channel or mission channel

Modification of On Board Control Procedures modification

Payload Exploitation to Execute Commands

Backdoor Installation

Hardcoded credentials and/or keys

Integration of custom malicious hardware

OBSW modification

Transponder reconfiguration

Payload modification

Key Management Infrastructure Manipulation

Replace / generate new Session Keys

Replace / generate new Master Keys

System Firmware Exploitation

Valid Credentials

Steal cryptographic keys

Forge Digital Certificates

Brute force attack against TC channel or mission channel

Privilege Escalation

Become Avionics Bus Master

Exploitation of vulnerabilities

Defense Evasion

Impair Defenses

Triggering the clear mode

Indicator Removal on Host

Clear Log/Command History

System Firmware Exploitation

Credential Access

Adversary in the Middle

Lower Orbit Satellites, or Drones

TC Brute Forcing

Communication Link Sniffing

Retrieve TT&C master/session keys

Compromise of Key Management Facility

Cryptographic Key Corruption

Interception of Key Management Communication

Key Management Policy Discovery

Spacecraft's Components Discovery

System Service Discovery

Trust Relationships Discovery

Lateral Movement

Compromise a Payload after compromising the main satellite platform

Compromise of another partition in Time and Space Partitioning OS or other types of satellite hypervisors

Compromise the satellite platform starting from a compromised payload

Lateral Movement via common Avionics Bus

Adversary in the Middle

Unauthenticated gateway or unauthenticated interplanetary node

Satellite constellation

Data from link eavesdropping

Payload eavesdropping

Range Data eavesdropping

TC/TM eavesdropping

Command and Control

Protocol Tunnelling

Telecommand a Spacecraft

Telecommand within a spacecraft

Telecommand capabilties

Exfiltration Over Payload Channel

Exfiltration Over TM Channel

Optical link modification

RF modification

Side-channel exfiltration

Data Manipulation

Stored Data Manipulation

Transmitted Data Manipulation

Runtime Data Manipulation

Ground Segment Jamming

Jamming from the ground

Loss of spacecraft telecommanding

Replacement of authentication keys

Permanent loss to telecommand satellite

Replace session and master keys

Resource damage

Space Debris Impact

Physical sabotage

Intentional collision with other satellites

Destruction of sensors

Destruction of receivers

Breakdown of counterfeit components

Kinetic attacks

Resource Hijacking

Saturation of Inter Satellite Links

Coremelt attacks

Saturation/Exhaustion of Spacecraft Resources

Receiver flooding

Avionics Bus Flooding

OBC overloading

Drain satellite's power

Waste of propellant

Ground system loss

Disabling Payload Service

Spacecraft Jamming

Receiver lock on a spurious carrier

Optical Jamming (Links/Sensor Blinding)

SDR buffer overflow

Temporary loss to telecommand satellite

Replace session keys

Transmitted Data Manipulation

Indicator Removal on Host: Clear Log/Command History

If a log is available, an attacker can delete logging onboard the spacecraft to hide illegitimate operations (a TC log service is usually not implemented). ^[1]

ID: T1070.001

Sub-technique of: T1070

ⓘ

Tactic: Defense Evasion

ⓘ

Platforms: Ground Segment, Space Segment

Version: 2.0

Created: 25 August 2022

Last Modified: 05 February 2025

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References

The MITRE Corporation. (2015-2022). MITRE ATT&CK® Retrieved September 27, 2022.