TECHNIQUES

Space

Reconnaissance

Active Scanning (RF/Optical)

Telecommand Protocol Scanning

Telemetry Protocol Scanning

Mission specific channel scanning

Remote Vulnerability Scanning

Gather Victim Mission Information

Search Closed Sources

Spear Phishing attacks

Open Source Intelligence (OSINT)

Gather Victim Org Information

Search Closed Sources

Open Source Intelligence (OSINT)

Spear Phishing attacks

In orbit proximity intelligence

Optical (visual) reconnaissance

Electromagnetic reconnaissance

Telemetry Protocol Interception

Telecommand Protocol Interception

Mission specific Channel Interception

Traffic Analysis

Passive Interception (RF/Optical)

Telecommand Protocol Interception

Telemetry Protocol Interception

Mission specific Channel Interception

Traffic Analysis

Phishing for Information

Spear Phishing to Ground Segment Operators

Spear Phishing to Industry/Space Agencies

Resource Development

Acquire or Build Infrastructure

Acquire Ground-station/ Ground segment

Acquire jamming equipment

Acquire Satellite

Rent ground segment as a service

Compromise Account

Brute forcing

Compromise Infrastructure

Compromise Ground Segment

Compromise Satellite(s)

Develop/Obtain Capabilities

Code Signing Certificates

Digital Certificates

DSSS or Frequency hopping sequence

Malicious supply chain capabilities

Software vulnerabilities

Space Protocol Vulnerabilities

Tools for attacking space systems

TC/TM request forging

Cryptographic Keys

Initial Access

Direct Attack to Space Communication Links

Exploitation of clear mode (also known as safe mode)

Record and replay TC/TM or mission specific packets

Ground Segment Compromise

Logical compromise

Physical compromise

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Software Supply Chain

Compromise Hardware Supply Chain

Trusted Relationship

External Entities interconnected to main mission

Federated missions

Interconnected spacecrafts

Valid Credentials

Steal cryptographic keys

Forge Digital Certificates

Brute force attack against TC channel or mission channel

Execution

Modification of On Board Control Procedures modification

Native API

Payload Exploitation to Execute Commands

Persistence

Backdoor Installation

Hardcoded credentials and/or keys

Integration of custom malicious hardware

OBSW modification

Transponder reconfiguration

Payload modification

Key Management Infrastructure Manipulation

Replace / generate new Session Keys

Replace / generate new Master Keys

Pre-OS Boot

System Firmware Exploitation

Valid Credentials

Steal cryptographic keys

Forge Digital Certificates

Brute force attack against TC channel or mission channel

Privilege Escalation

Become Avionics Bus Master

Escape to Host

Exploitation of vulnerabilities

Defense Evasion

Impair Defenses

Triggering the clear mode

Indicator Removal on Host

Clear Log/Command History

Masquerading

Pre-Os Boot

System Firmware Exploitation

Credential Access

Adversary in the Middle

Lower Orbit Satellites, or Drones

Brute Force

TC Brute Forcing

Communication Link Sniffing

RF sniffing

Retrieve TT&C master/session keys

Compromise of Key Management Facility

Cryptographic Key Corruption

Interception of Key Management Communication

Discovery

Key Management Policy Discovery

Spacecraft's Components Discovery

System Service Discovery

Trust Relationships Discovery

Lateral Movement

Compromise a Payload after compromising the main satellite platform

Compromise of another partition in Time and Space Partitioning OS or other types of satellite hypervisors

Compromise the satellite platform starting from a compromised payload

Inter-Task Compromise

Inter-Application Compromise

Lateral Movement via common Avionics Bus

Collection

Adversary in the Middle

Unauthenticated gateway or unauthenticated interplanetary node

Satellite constellation

Data from link eavesdropping

Payload eavesdropping

Range Data eavesdropping

TC/TM eavesdropping

Command and Control

Protocol Tunnelling

Telecommand a Spacecraft

Telecommand within a spacecraft

Replay attacks

Telecommand capabilties

TT&C over ISL

Exfiltration

Exfiltration Over Payload Channel

Exfiltration Over TM Channel

Optical link modification

RF modification

Side-channel exfiltration

Impact

Data Manipulation

Stored Data Manipulation

Transmitted Data Manipulation

Runtime Data Manipulation

Ground Segment Jamming

Jamming from the ground

Loss of spacecraft telecommanding

Replacement of authentication keys

Permanent loss to telecommand satellite

Replace session and master keys

Resource damage

Space Debris Impact

Physical sabotage

Intentional collision with other satellites

Destruction of sensors

Destruction of receivers

Breakdown of counterfeit components

Kinetic attacks

Resource Hijacking

Saturation of Inter Satellite Links

Coremelt attacks

Saturation/Exhaustion of Spacecraft Resources

Receiver flooding

Avionics Bus Flooding

OBC overloading

Drain satellite's power

Waste of propellant

RTOS Scheduler Compromise

Hypervisor Scheduling Compromise

Service Stop

Ground system loss

Disabling Payload Service

Spacecraft Jamming

Receiver lock on a spurious carrier

Optical Jamming (Links/Sensor Blinding)

SDR buffer overflow

Temporary loss to telecommand satellite

Replace session keys

Transmitted Data Manipulation

Service Stop

Sub-techniques (2)

ID	Name
T1489.001	Ground system loss
T1489.002	Disabling Payload Service

An attacker can interrupt services, disabling them or taking control over them. ^[1]

ID: T1489

Sub-techniques: T1489.001, T1489.002

ⓘ

Tactic: Impact

ⓘ

Platforms: Ground Segment, Space Segment

Version: 2.0

Created: 25 August 2022

Last Modified: 05 February 2025

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References

The MITRE Corporation. (2015-2022). MITRE ATT&CK® Retrieved September 27, 2022.