Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
| ID | Name | Description | |
| T1583 | Acquire or Build Infrastructure | An attacker can acquire a Ground Segment, a Ground Station service (e.g. Amazon service), satellite(s), or other infrastructure that can be useful to his attack plans. Such infrastructure can be a set of antennas, lasers, Software Defined Radios (SDR) or other equipment able to transmit the desired signals. Such equipment can be fixed on the ground, mounted on vehicles like trucks, ships, or aircraft, or installed on board satellites. | |
| .001 | Acquire Ground-station/ Ground segment | Building a new ground station or gaining control of an existing one. | |
| .003 | Acquire jamming equipment | Antennas, lasers, or other equipment able to jam a radio or visible-light frequency can be useful to prevent communication or image acquisition. These instruments can be fixed on the ground, mounted on vehicles like trucks, ships, or aircraft, or installed on board satellites. | |
| .004 | Acquire Satellite | Launching a new satellite or gaining control of an existing satellite. | |
| .005 | Rent ground segment as a service | Building it, or renting a cloud-based Ground Segment (e.g., AWS). | |
| T2001 | Active Scanning (RF/Optical) | The technique is the same as Passive Interception; the difference is that the attacker initiates interaction with the space target, trying to trigger potential responses (even error messages) by actively sending signals/packets. The scan can be similar to a "brute force" attack, in the sense that the objective is to 'guess' the frequencies and protocols in use to obtain a reply. This is why authentication is also included here as a mitigation measure (provided that it does not solicit any response to unauthenticated signals). On the other hand, since sending telemetry data won't trigger any response due to its nature (even if it is fully compliant with the expected format), it is not included here as a sub-technique. | |
| .001 | Telecommand Protocol Scanning | An attacker tries to gain knowledge about the Telecommand implementation, including the authentication and encryption status. | |
| .002 | Telemetry Protocol Scanning | An attacker tries to gain knowledge about the Telemetry implementation, including the authentication and encryption status. | |
| .003 | Mission specific channel scanning | An attacker tries to gain knowledge about a payload dedicated channel communication, peculiar in a specific mission. The channel can be managed by a different company than the owner of the satellite. Scanning includes authentication/encryption schemes and medium access control. | |
| .004 | Remote Vulnerability Scanning | As 'New Space' missions are typically using COTS or OSS, remote vulnerability scanning can also be a technique (may require authentication). | |
| T2042 | Adversary in the Middle | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique. | |
| .001 | Lower Orbit Satellites, or Drones | An attacker can take advantage of a drone or any satellite located between the target and the ground station to sniff the communication link. | |
| T1557 | Adversary in the Middle | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique. | |
| .001 | Unauthenticated gateway or unauthenticated interplanetary node | If unauthenticated gateways or unauthenticated interplanetary nodes are used, an adversary can substitute them with their own resource, to collect or modify transmitted data. | |
| .002 | Satellite constellation | A satellite with stolen credentials can take a place in a dynamic constellation and collect data. | |
| T2014 | Backdoor Installation | An attacker can interfere with the hardware or the software, integrating or modifying the existing software, hardware configuration or the transponder configuration to permit himself future access to the resource. | |
| .001 | Hardcoded credentials and/or keys | The attacker can hardcode credentials during the supply chain phase with custom, to have a secure access to the resource if the component is integrated in the system. | |
| .002 | Integration of custom malicious hardware | Replacement of a product in the supply chain with a custom or counterfeit part to damage the system or to use it as a future backdoor. | |
| .003 | OBSW modification | An attacker can modify the OBSW to permit future access to the resource with a software backdoor. | |
| .004 | Transponder reconfiguration | An attacker can change the transponder configuration to permit future radio access to the resource. | |
| .005 | Payload modification | An attacker can also modify the payload hardware, software or configuration to create a future access on the payload itself, either to target it or to use it against the whole resource. | |
| T2031 | Become Avionics Bus Master | An attacker can use a compromised device connected to an Avionics Bus to interact with the line and force the election to become the Bus master. This role can be used to disrupt the communication between other nodes. | |
| T2043 | Brute Force | Adversaries may use brute force techniques to issue Telecommands and identify the used key(s). | |
| .001 | TC Brute Forcing | An attacker can use brute force to gain access to a TC channel, to force encryption or to guess the valid commands. | |
| T2044 | Communication Link Sniffing | Adversaries may sniff the communication link to attempt to capture information about an environment, including authentication material passed over the network. | |
| .001 | RF sniffing | An attacker can sniff the radio frequency channels to capture potential authentication material. | |
| T2045 | Compromise a Payload after compromising the main satellite platform | An attacker can exploit vulnerabilities in the main satellite platform to gain access to its payload. This could involve modifying or taking control of the payload's hardware or software, either to disable it, manipulate its data, or use it for further exploitation. This compromise can happen if the main satellite's integrity is compromised and the attacker uses that foothold to access and manipulate payload operations or functionality. | |
| T2038 | Compromise Account | For Space Segment, the accounts are typically the cryptographic keys used to authenticate the execution of telecommands at a spacecraft. | |
| .001 | Brute forcing | Brute force telecommand access to satellite by trying different keys | |
| T1584 | Compromise Infrastructure | It is similar to the acquisition of infrastructure (T1583), with the difference that in this case adversaries break into the infrastructure by compromising its security. They can get access to a ground segment, gain control of satellites, etc. Compromised satellites can be used, apart from the 'typical' attacks, also for kinetic attacks or for creating botnets (e.g. for RF jamming), etc. Such a threat is even bigger if numerous satellites that are part of a large LEO constellation of a 'New Space' mission are compromised. | |
| .001 | Compromise Ground Segment | If a Ground System is located in a remote area with limited physical security controls, a physical violation of the site is possible. There should be authentication systems implemented that make it difficult to use without proper authorization. | |
| .002 | Compromise Satellite(s) | Compromised or malicious satellites might be abused by adversaries to achieve kinetic effects on other satellites in orbit, such as sensor interference or manipulation. | |
| T2017 | Compromise of another partition in Time and Space Partitioning OS or other types of satellite hypervisors | If a partition is compromised, access to a critical partition can be gained through ports allowed by the hypervisor. Information security is usually configured at the application level, with the execution confined to the application's partition and controlled communication with the remaining partitions. Time and Space Partitioning or other satellite hypervisor types should protect the system from interference. All communication passes through the security components, which can include monitoring and cryptographic mechanisms. | |
| T2046 | Compromise the satellite platform starting from a compromised payload | An attacker can begin by compromising the payload of a satellite, exploiting vulnerabilities in its software or hardware. From there, the attacker can escalate their access to the satellite's main platform, potentially gaining control over critical systems, communications, and payload operations. | |
| .001 | Inter-Task Compromise | A compromised task is able to exploit inadequate memory isolation policies and compromise the Confidentiality, Integrity and/or Availability of another task's assets. The two tasks are running in the same execution environment. | |
| .002 | Inter-Application Compromise | In hypervisor environments, a compromised guest application can abuse design or implementation issues to interact with another application. The result of these actions is unintended behavior of the system that could possibly corrupt the system's nominal execution and break the spatial isolation promise of the hypervisor. | |
| T2018 | Data from link eavesdropping | Adversaries can collect data transmitted over a channel, if they are able to decode and decrypt the communication. | |
| .001 | Payload eavesdropping | Adversaries can collect data transmitted over the payload channel, if it is used. | |
| .002 | Range Data eavesdropping | Adversaries can intercept range data to locate and more accurately target the victim spacecraft. Mitigation from higher level protocols (encryption to assure confidentiality). | |
| .003 | TC/TM eavesdropping | An attacker can collect and have access to data transmitted by TT&C if the communication doesn't rely on encryption. | |
| T2054 | Data Manipulation | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. | |
| .001 | Stored Data Manipulation | An attacker can alter or corrupt stored data within a system, such as mission control databases, payload data storage, or onboard systems. Manipulating stored data can lead to incorrect decision-making, confusion, or operational errors, especially if the data is used for mission-critical analysis or operations. Preventive measures include employing encryption, access control, and integrity-checking mechanisms to ensure the authenticity and reliability of the stored data. | |
| .002 | Transmitted Data Manipulation | An attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system owner to erroneous decisions. An attacker can target the telecommands sent from a GS, to change the spacecraft behavior, or he can tamper with the telemetry sent from a spacecraft to change the data received by the GS. Intercepted and modified range measurements sent to the control center could lead to erroneous range measurements, which could cause incorrect trajectory determination. Mitigations are redundancy/diversity to protect the source and authentication to protect the message. To protect the data source, a star sensor offers a high level of reliability. An attacker can also target the payload data sent from or to a spacecraft. To mitigate this, Navigation Message Authentication (NMA) uses symmetric/asymmetric key encryption to provide authenticity and integrity of the navigation data to the receiver. | |
| .003 | Runtime Data Manipulation | An attacker can use a controlled payload software or component to manipulate data of that or another component during execution, if an MMU or an MPU is not implemented or is misconfigured. Only the most recent space qualified microprocessors (LEONII/III) have an MMU available, which provides only write protection. For secure spacecraft avionics, protection against read/write and execution access is necessary. The MMU or MPU is extremely important if the payload is not trusted. | |
| T2007 | Develop/Obtain Capabilities | Adversaries may build, buy or steal capabilities that can be used during targeting. | |
| .002 | Code Signing Certificates | Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. | |
| .003 | Digital Certificates | CCSDS recommends two forms of credentials: X.509 certificates and protected simple authentication. There are risks for CCSDS systems utilizing credentials if an attacker gains control of the credential-management system and can issue credentials. If a compromised credential management process results, then there is a need to invalidate existing credentials and reissue all credentials. The authenticity of an X.509 certificate is dependent upon the digital signature of the CA attesting to the credential. If the digital signature algorithm used by the CA is of insufficient cryptographic strength, a credential may be spoofed. | |
| .004 | DSSS or Frequency hopping sequence | An attacker can guess the Spread Spectrum or the frequency hopping sequence, to reconstruct the received signal. | |
| .005 | Malicious supply chain capabilities | Obtain or create malicious capabilities inside hardware or software intended to be used in a specific project. Injecting the malicious HW/SW in the right place is difficult, and it is also difficult to be sure that the part will be integrated in a system. | |
| .006 | Software vulnerabilities | Exploiting unpatched/outdated/legacy COTS software deployed across the platform. COTS products are often highly complex, some of them involving tens of millions of lines of code, so that no one knows their content and behavior in detail. SDRs introduce protocol-independent software vulnerabilities into the communication system. | |
| .008 | Space Protocol Vulnerabilities | Adversaries may acquire information about vulnerabilities that can be used during targeting. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases. | |
| .009 | Tools for attacking space systems | An attacker can also develop or obtain tools that can be used to attack a space system. For example, tools can help with vulnerabilities research and tests. | |
| .010 | TC/TM request forging | An attacker can obtain capabilities to forge TC/TM or mission specific frames. | |
| .011 | Cryptographic Keys | An attacker can obtain master or session cryptographic keys or other cryptographic information used for authentication, encryption, etc. | |
| T2008 | Direct Attack to Space Communication Links | An attacker can leverage communication channels to initially access a resource, using TT&C or a payload channel, opening a communication link to compromise the victim system. An attacker can perform different actions. | |
| .004 | Exploitation of clear mode (also known as safe mode) | An attacker can exploit the TC channel if a spacecraft is in clear mode, e.g., during safe mode of operation. | |
| .006 | Record and replay TC/TM or mission specific packets | An attacker can record and replay TC/TM packets to deceive the spacecraft or the ground station, causing unexpected behavior or an erroneous evaluation of the spacecraft status. An attacker can gain access to the data exchanged in a payload channel or even spoof TC. Usually the TM replay doesn't cause an impact, unless timing information is transmitted. | |
| T1611 | Escape to Host | If containers or hypervisors are used, an attacker could overcome the container fences and gain access to the host system. Separations between applications may be defeated, and malicious operations could affect other functionalities. This attack can leverage common utilities, schedulers, shared memory, or vulnerabilities. | |
| .001 | Exploitation of vulnerabilities | An attacker can exploit unpatched/outdated containers or hypervisors to escape them. | |
| T2021 | Exfiltration Over Payload Channel | Malicious software can send data through the Payload channel (if implemented). | |
| T2022 | Exfiltration Over TM Channel | Malicious software can send data through the TM channel (usually the only connection channel available). | |
| T2002 | Gather Victim Mission Information | An attacker tries to gather information about a specific mission to target it. An attacker can find information about firmware, software, hardware, frequencies, protocols, cryptographic algorithms, spacecraft descriptors used in a mission, and other knowledge like the spacecraft design, architecture, position and trajectory. The application of this technique in the supply chain can lead to a software/tools/datasheets or a design leak. If COTS or open-source components are used, information can be easily gathered online or from the producing company. | |
| .009 | Search Closed Sources | Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime black-markets. | |
| .010 | Spear Phishing attacks | Spear Phishing attacks, targeting engineers, etc., to get information about the design, technologies used, etc. Spear Phishing attacks can be performed by using any of the techniques mentioned in T1598. | |
| .011 | Open Source Intelligence (OSINT) | An attacker can purchase relevant information from open sources like available websites or social media, published documents, etc. | |
| T1591 | Gather Victim Org Information | Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. | |
| .005 | Search Closed Sources | Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime black-markets. | |
| .006 | Open Source Intelligence (OSINT) | An attacker can purchase relevant information from open sources like available websites or social media, published documents, etc. | |
| .007 | Spear Phishing attacks | Spear Phishing attacks, targeting engineers, etc., to get information about the design, technologies used, etc. Spear Phishing attacks can be performed by using any of the techniques mentioned in T1598. | |
| T2030 | Ground Segment Compromise | Adversaries may compromise the Ground Segment, using it as a stepping stone to get Initial Access to the Space Segment and the system in general. If an attacker can get access into a Ground Segment that controls the targeted spacecraft, then through it he can potentially compromise the spacecraft itself. Ground segment compromise can be either logical or physical. | |
| .001 | Logical compromise | There can be various ways of compromising the Ground Segment that closely resemble MITRE ATT&CK® Enterprise methods, which are beyond the scope of this work. | |
| .002 | Physical compromise | An attacker can exploit missing physical security (e.g., facilities not protected with physical barriers). | |
| T2050 | Ground Segment Jamming | An attacker can jam the communication to prevent data being delivered. TT&C: It is usually possible to wait and communicate later without noticeable problems. Proximity-1: jamming is difficult, because of the great distance from Earth (upload) or the use of commercial frequencies (download jamming would affect many other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors. C&S Sublayer provides methods for frame re-synchronization. | |
| .001 | Jamming from the ground | TBD | |
| T1562 | Impair Defenses | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This involves impairing preventative defenses and detection capabilities that defenders can use to audit activity and identify malicious behavior. | |
| .001 | Triggering the clear mode | An attacker can trigger the clear mode by accessing TC or consuming its resources, to disable or limit the security level of the spacecraft. If a 'clear mode' is implemented, the conditions under which, and by which, it is activated should be carefully analyzed, as those might introduce major security vulnerabilities. | |
| T2029 | In orbit proximity intelligence | The attacker, mainly a military organization, can use satellites positioned in proximity to the victim satellite to gather information, visual or radio, on the satellite's capability or on its work. | |
| .001 | Optical (visual) reconnaissance | Proximity intelligence can be visual, with cameras or other optical sensors, to gain information about the satellite's hardware. | |
| .002 | Electromagnetic reconnaissance | Proximity intelligence can be electromagnetic, using antennas to intercept communications or to measure other EM emissions to attempt a side-channel attack. | |
| .003 | Telemetry Protocol Interception | An attacker tries to gain knowledge about the Telemetry implementation, including the authentication and encryption status. | |
| .004 | Telecommand Protocol Interception | An attacker tries to gain knowledge about the Telecommand implementation, including the authentication and encryption status. While the signal is weak, the proximity to the legitimate recipient may render it more suitable in case very narrow beams are used. | |
| .005 | Mission specific Channel Interception | An attacker tries to gain knowledge about a payload dedicated channel communication, peculiar in a specific mission. The channel can be managed by a different company than the owner of the satellite. Interception includes authentication/encryption schemes and medium access control. | |
| .006 | Traffic Analysis | The attacker intends to determine which entities are communicating with each other without the ability to access the communicated information. | |
| T1070 | Indicator Removal on Host | Adversaries may delete or modify artifacts generated on a host system to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary's actions. | |
| .001 | Clear Log/Command History | If a log is available, an attacker can delete logging onboard the spacecraft to hide illegitimate operations (a TC log service is usually not implemented). | |
| T2013 | Key Management Infrastructure Manipulation | Key infrastructures provide the technical means for managing the key life cycles as well as for the distribution of keys using security protocols or other means. If an attacker manipulates them, he can gain and maintain an authorized access to the protected resource. Encryption keys used to encrypt TM/TC can be replaced in order to gain permanent access to other functionalities, or to temporarily interrupt the owner's control. | |
| .001 | Replace / generate new Session Keys | Adversaries can replace or generate encryption keys used to encrypt TM/TC in order to gain permanent access to other functionalities. | |
| .002 | Replace / generate new Master Keys | Adversaries can replace the master key used to encrypt TM/TC in order to gain permanent access to other functionalities, or interrupt the owner's control by generating new ones. | |
| T2032 | Key Management Policy Discovery | Adversaries may try to gather information about Key Management Policy implemented. Security Policies are rules and regulations that describe the operational procedures required for proper key management. This includes the specification of rules for processes such as generation, distribution, and allowed use for cryptographic keys. | |
| T2016 | Lateral Movement via common Avionics Bus | This attack is performed against a part of the system via a physical bus shared with a compromised system. An unprotected bus can be used to extend an attack to uncompromised components. For example, if the payload has access to the main 1553 bus, a hosted payload attack is possible. Fault injection or Adversary-in-the-Middle (AiTM) can be performed on the 1553 bus. | |
| T2055 | Loss of spacecraft telecommanding | An attacker can interrupt the communication link between a ground station and a spacecraft by changing the TC channel configuration. | |
| .001 | Replacement of authentication keys | An attacker can replace the authentication keys (e.g., SDLS session keys) to disconnect the legitimate ground station and potentially hijack the connection. | |
| T2040 | Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. | |
| T2010 | Modification of On Board Control Procedures modification | An On-Board Control Procedure (OBCP) is a software program designed to be executed by an OBCP engine, which can be loaded, executed, and also replaced, on-board the spacecraft. An attacker can attempt to modify them to execute her own commands and control the spacecraft. The attacker can attempt to modify OBCP to gain access to the interface of the On-Board Computer (OBC) and interact with it. In New Space missions, and in general missions using CubeSats, Execution can include exploitation of MicroPython flaws or vulnerabilities or using Shell commands for various purposes (further reconnaissance, privilege escalation, launching attacks like Denial of Service, taking full control of the spacecraft, etc.). | |
| T1106 | Native API | Operating systems like RTEMS provide API to interact with. An attacker can exploit them or abuse a vulnerability/misconfiguration to maliciously execute code or commands. | |
| T2037 | Optical link modification | An adversary can exfiltrate data by modifying the optical communication components to send data with a different timing (and location). | |
| T2004 | Passive Interception (RF/Optical) | An attacker tries to gain knowledge about which communication protocols are used and how, looking for ways to exploit them. This can be done by intercepting, recording, and analyzing the signal to extract as much information as possible on the communication protocols. For example, different protocols can apply SDLS security to a part of the services. Optical links can be used for satellite feeder and intersat links, for some special payloads, or for deep space communications (the availability problem caused by clouds should be considered if the receiver is on the Earth). If the downlink signal is sent by a far spacecraft, the beam covers a large ground area on the Earth, and the possible scanning area is extended. Receiving a satellite signal is simple and cheap; various open-source projects exist, e.g., NyanSat. | |
| .001 | Telecommand Protocol Interception | An attacker tries to gain knowledge about the Telecommand implementation, including the authentication and encryption status. | |
| .002 | Telemetry Protocol Interception | An attacker tries to gain knowledge about the Telemetry implementation, including the authentication and encryption status. | |
| .003 | Mission specific Channel Interception | An attacker tries to gain knowledge about a payload dedicated channel communication, peculiar in a specific mission. The channel can be managed by a different company than the owner of the satellite. Interception includes authentication/encryption schemes and medium access control. | |
| .005 | Traffic Analysis | The attacker intends to determine which entities are communicating with each other without the ability to access the communicated information. | |
| T2012 | Payload Exploitation to Execute Commands | If an attacker gains access to the payload, he can execute telecommands; in addition, he can propagate the attack by exploiting payload activities. | |
| T2027 | Permanent loss to telecommand satellite | An attacker can perform actions that permanently leave the owner without control of the space resource. The resource may or may not end up under the control of the attacker, who can act either to gain illegitimate ownership of the resource or to damage the legitimate owner. | |
| .001 | Replace session and master keys | Adversaries can replace session and master keys in a space resource, to gain permanent access to the resource and permanently prevent the owner access. This attack leads to a definitive loss of the resource. | |
| T1598 | Phishing for Information | "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information." Gathering data from the victim is the final objective. | |
| .001 | Spear Phishing to Ground Segment Operators | The attack can target Ground Segment operators, to gain information useful to target the Ground Segment later. | |
| .002 | Spear Phishing to Industry/Space Agencies | The attack can target Industries or Space Agencies that are involved in development, and it could result in information leakage that can be used to target the attack or to produce some specific hardware. In this last case it can even affect the supply chain. | |
| T2041 | Pre-OS Boot | Pre-OS Boot can also be abused to evade defensive mechanisms that are potentially in place at a higher level, i.e. at the application layer. | |
| .001 | System Firmware Exploitation | Persistence at a pre-OS level can be gained by modifying the firmware in a resource. System firmware is quite static, and it doesn't usually provide detection capabilities. A firmware-level manipulation can remain unnoticed until the next phases of the attack. | |
| T1542 | Pre-OS Boot | "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system." Adversaries can obtain it by modifying or replacing components before the launch, or by updating them later if an update capability is implemented. Detection is very difficult, because defenses usually work at higher levels. | |
| .001 | System Firmware Exploitation | Persistence at a pre-OS level can be gained by modifying the firmware in a resource. System firmware is quite static, and it doesn't usually provide detection capabilities. A firmware-level manipulation can remain unnoticed until the next phases of the attack. | |
| T2047 | Protocol Tunnelling | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption. | |
| T2028 | Resource damage | An attacker can attempt to damage a space resource, to cause a mission loss. | |
| .004 | Space Debris Impact | A space resource is damaged or destroyed if an impact with space debris happens. Space debris can be produced to harm resources in specific trajectories. | |
| .005 | Physical sabotage | An attacker can physically damage a satellite, with harmful commands or attacking it with another vehicle. Heaters and flow valves of the propulsion subsystem can be moved. Proximity operations with other satellites are possible (kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms). Other possible attacks are against critical software subsystems or internal timers. | |
| .007 | Intentional collision with other satellites | Adversaries can command the satellite to collide with other satellites. This results not only in the loss of the resource, but also in damage to another resource. | |
| .009 | Destruction of sensors | An attacker could target and destroy the sensors on board a satellite. This may involve damaging optical, infrared, radar, or other sensing equipment critical to the satellite's mission. Destroying sensors can severely impair the satellite’s ability to gather and transmit valuable data, rendering it ineffective or causing mission failure. These sensors are often vital for navigation, Earth observation, and other scientific objectives. | |
| .010 | Destruction of receivers | An attacker may attempt to destroy or disable the receivers on a satellite, which are essential for receiving signals from ground stations, other satellites, or mission-specific communications. Destroying or impairing the receivers may render the satellite unable to communicate or receive essential data, leading to a complete loss of functionality. This could involve targeting radio-frequency receivers, optical receivers, or other communication interfaces critical to the satellite’s operation. | |
| .011 | Breakdown of counterfeit components | A space resource can be damaged if a specific HW component, built to fail after a specific period or counterfeit with low reliability, breaks down. Relevant for ASIC and FPGA. | |
| .012 | Kinetic attacks | Attackers can use anti-satellite (ASAT) missiles, or other kinetic energy threats, to attack a resource from the ground or from a plane, without the need for an orbit insertion. Counterspace weapons are characterized by easy attribution and the generation of space debris. These systems could include payloads such as kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms. This last technology is developed to repair satellites or to remove space debris, but its use can be malicious. A nuclear explosion can also be used against all the space segments. | |
| T1496 | Resource Hijacking | An attacker can hijack resources of the space vehicle using them for different purposes. | |
| T2015 | Retrieve TT&C master/session keys | The attacker gains knowledge of a Session or Master Key. In general, there is no immediate way to uncover this corruption until it is used to modify the system's behaviour. In case of a suspected key corruption, the key replacement shall be executed as soon as possible. | |
| .001 | Compromise of Key Management Facility | An attacker can gain control of the credential-management system and can issue credentials. This is a high risk for CCSDS systems using credentials, with the need to invalidate existing credentials and reissue all credentials. | |
| .002 | Cryptographic Key Corruption | The attacker can gain knowledge of a Session or Master Key by corrupting the cryptographic algorithm. | |
| .003 | Interception of Key Management Communication | The attacker can intercept messages that are being transmitted as part of the Key Management Services with the intention either to obtain knowledge of a specific key or to interfere with the Key Management Service. | |
| T2036 | RF modification | An adversary can exfiltrate data by modifying the RF components to send data with a different timing (and location), or with different frequencies. An antenna array can be used to send data into different beams. | |
| T2052 | Saturation of Inter Satellite Links | In a network constellation without an efficient routing protocol, a network attack aiming to flood the network is possible, causing a saturation of an intersatellite link. This kind of attack can be executed by authorized users, intentionally or not (botnet malware on user devices). | |
| .001 | Coremelt attacks | TBD | |
| T2053 | Saturation/Exhaustion of Spacecraft Resources | The attacker can target satellites with energy or resource constraints to lead them to prioritize power-saving efforts and disable security controls. The satellite then becomes more vulnerable to other attacks such as gaining unauthorized access or eavesdropping on cleartext communications. This goal can be reached with a regenerative payload "flooding", sending to the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result. The attacker can abuse the satellite bandwidth for the retransmission of their own content. | |
| .001 | Receiver flooding | An attacker can try to flood the spacecraft receiver by sending a great amount of data, valid or not. Since the Ground Station notices the status of the receiver, the power of the transmitter should be increased to unlock the receiver from the message flood, raising the receiver's threshold and cutting out the malicious signal. | |
| .002 | Avionics Bus Flooding | This technique involves overwhelming the avionics bus by injecting an excessive volume of messages, leading to the saturation or exhaustion of communication resources. An attacker can achieve this by gaining control over an ECU (Electronic Control Unit) or microcontroller with access to the bus (e.g., on the CAN bus). This access may be obtained through exploitation of system vulnerabilities or by physically connecting a compromised device to the bus. By flooding the bus with high-priority messages, the attacker can suppress lower-priority communications, causing delays, denial of service, or complete failure of mission-critical operations. | |
| .003 | OBC overloading | TBD | |
| .004 | Drain satellite's power | The attacker can target satellites with energy or resource constraints to lead them to prioritize power-saving efforts and disable security controls. The satellite then becomes more vulnerable to other attacks such as gaining unauthorized access or eavesdropping on cleartext communications. This goal can be reached with a regenerative payload "flooding", sending to the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result. | |
| .005 | Waste of propellant | An attacker can maliciously consume satellite propellant resources to achieve the goal of reducing satellite life. | |
| .006 | RTOS Scheduler Compromise | This involves manipulating the RTOS scheduler to delay or deny the execution of critical tasks, potentially impacting satellite operations like Attitude Determination and Control System (ADCS) or Electrical Power System (EPS) management. | |
| .007 | Hypervisor Scheduling Compromise | A malicious application compromises the underlying hypervisor's scheduler by delaying or forcing changes in the scheduling. This impacts the behavior of the other applications running in the same context and potentially leads the system to misbehave and break the spatial isolation promise. | |
| T1489 | Service Stop | An attacker can interrupt services, disabling them or taking control over them. | |
| .001 | Ground system loss | The ground facility can be disabled, or an attacker can take control of it, via cyber or physical attack. The loss of the GS can also be caused by environmental factors, uncontrolled or induced (e.g., fire). | |
| .002 | Disabling Payload Service | An attacker can disable the payload, or parts of it, leveraging TC switch on-off commands. In a mission with a direct link for the payload, the latter can be disabled by compromising its command channel. | |
| T2035 | Side-channel exfiltration | An adversary can exfiltrate data with a side-channel attack. | |
| T2049 | Spacecraft Jamming | If the victim uses free-space (over-the-air) communication, it can be threatened by jamming attacks. An attacker can perform a Denial of Service (DoS) attack to limit or block the service availability through RF jamming. For Proximity-1, jamming becomes difficult because of the high distance from Earth (upload) and the use of commercial frequencies (download jamming would affect a lot of other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors. | |
| .001 | Receiver lock on a spurious carrier | Locking the spacecraft receiver or the ground station onto a continuous wave or onto the obtained DSSS sequence can be a threat. Increasing the power is the only way to unlock the receiver; otherwise it unlocks when the spacecraft moves out of LOS with the attacker GS. The attack depends on the receiver and on the system dynamics, which cause the Doppler effect and require a larger bandwidth. A possible mitigation is a cryptographic DSSS sequence. | |
| .002 | Optical Jamming (Links/Sensor Blinding) | An attacker can conduct optical attacks with high power laser beams to target optical sensors or optical links. If the payload uses cameras or other optical sensors to take pictures or measurements, they can be blinded or damaged. | |
| .003 | SDR buffer overflow | If SDRs or digital signal processing software are used to provide radio functionality, insufficient checks in radio frame processing, coupled with malformed data packets, could lead to buffer overflows, and create denial-of-service conditions. This type of jamming is significantly stealthier as it is triggered by sending a small number of packets and doesn't require a continuous RF jamming signal. | |
| T2034 | Spacecraft's Components Discovery | Adversaries may try to gather information about Components of the Spacecraft, monitoring internal communication, actively communicating with the system, or from internal registries or configurations. | |
| T1195 | Supply Chain Compromise | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. | |
| .001 | Compromise Software Dependencies and Development Tools | Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. | |
| .002 | Compromise Software Supply Chain | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. | |
| .003 | Compromise Hardware Supply Chain | An attacker can replace a hardware component in the supply chain with a custom or counterfeit part, to damage the system or to use it as a future backdoor. An attacker can also induce the intentional use of a non-genuine HW component to reduce the system reliability. | |
| T1007 | System Service Discovery | Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | |
| T2019 | Telecommand a Spacecraft | Command and Control consists of techniques that adversaries may use to communicate with systems under their control. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. If the attacker has the system under his control, he can interact with it to command it. | |
| .004 | Telecommand within a spacecraft | From inside the spacecraft (after gaining access, e.g., to a payload), an attacker can send telecommands to the on-board computer. | |
| .005 | Replay attacks | An attacker can intercept a message (e.g., with jamming), store it, and then replay it. | |
| .006 | Telecommand capabilities | An attacker can send commands with direct access after obtaining telecommand capabilities (e.g., by hijacking a ground station). | |
| T2026 | Temporary loss to telecommand satellite | An attacker can perform actions that temporarily leave the owner without control of the space resource. During this period the resource can be either under the control of the attacker or not. | |
| .001 | Replace session keys | Adversaries can replace encryption keys used to encrypt TM/TC in order to gain permanent access to other functionalities, or to temporarily interrupt the owner's control. | |
| T2024 | Transmitted Data Manipulation | An attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system's owner to an erroneous decision. | |
| T2033 | Trust Relationships Discovery | Adversaries may try to gather information about Trust Relationships with other companies or organizations. | |
| T2039 | Trusted Relationship | An attacker can compromise another system which can be used to get access to an interconnected one by exploiting a trusted relationship between the two. In the context of space missions this can be the case, e.g., for federated missions. | |
| .001 | External Entities interconnected to main mission | An attacker can compromise the system of a contractor company, to steal, modify or damage resources. A scientific or another connected company/research institution can be compromised for the same objective. Connected networks or data exchanges can be leveraged to propagate the attack. | |
| .002 | Federated missions | In federated missions, where multiple organizations collaborate, an attacker can exploit the trust relationships between them. By compromising one component of the federation, the attacker can gain access to other interconnected assets within the mission, potentially leading to the compromise of critical mission functions. | |
| .003 | Interconnected spacecraft | An attacker can leverage the interconnection to another spacecraft to compromise it in order to, in the end, compromise the target. | |
| T2048 | TT&C over ISL | If the attacker has already managed to issue Telecommands to a spacecraft, then, if Inter Satellite Links (ISL) are used, he can attempt to issue Telecommands to other spacecraft over the ISLs. | |
| T2009 | Valid Credentials | Adversaries may obtain and abuse credentials to gain Initial Access or Persistence in a space resource. Compromised credentials may be used to bypass access controls placed on systems within the network and to decrypt communication, to send authenticated messages and to take control of the spacecraft. Gained credentials may even be used for persistent access to the resource. | |
| .001 | Steal cryptographic keys | Adversaries may obtain and abuse master or session keys to gain Initial Access or Persistence. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to communication channels. | |
| .002 | Forge Digital Certificates | If an attacker gains control of the credential-management system and issues credentials, he can access the system and maintain persistent control over it. There is a need to invalidate existing credentials and reissue all credentials. CCSDS recommends two forms of credentials: X.509 certificates and protected simple authentication. The authenticity of an X.509 certificate is dependent upon the digital signature of the CA attesting to the credential. If the digital signature algorithm used by the CA is of insufficient cryptographic strength, a credential may be spoofed. | |
| .003 | Brute force attack against TC channel or mission channel | An attacker can use brute force to gain access to a TC channel, to force encryption or to guess the valid commands. | |