| ID | Technique | Description |
| --- | --- | --- |
| REC-0005 | Eavesdropping | Adversaries seek to passively (and sometimes semi-passively) capture mission communications across terrestrial networks and RF/optical links to reconstruct protocols, extract telemetry, and derive operational rhythms. On networks, packet captures, logs, and flow data from ground stations, mission control, and cloud backends can expose service boundaries, authentication patterns, and automation. In the RF domain, wideband recordings, spectrograms, and demodulation of TT&C and payload links, spanning VHF/UHF through S/L/X/Ka and, increasingly, optical, enable identification of modulation/coding, framing, and beacon structures. Even when links are encrypted, metadata such as carrier plans, symbol rates, polarization, and cadence can support traffic analysis, timing attacks, or selective interference. Community capture networks and open repositories amplify the reach of a modest adversary. |
| .01 | Uplink Intercept Eavesdropping | Uplink reconnaissance focuses on capturing the command path from ground to spacecraft to learn telecommand framing, authentication fields, timing, and anti-replay behavior. Valuable artifacts include emission designators, symbol rates, polarization sense, Doppler profiles, and any preambles or ranging tones that gate command acceptance. Even if payload and TT&C share spectrum, their authentication postures often differ, and an adversary can exploit that gap. Partial captures, console screenshots, or training recordings reduce the effort needed to build an SDR pipeline that “looks right” on the air. Where missions authenticate without encrypting the uplink, traffic analysis can reveal command cadence and maintenance windows. |
| .02 | Downlink Intercept | Downlink collection aims to harvest housekeeping telemetry, event logs, ephemerides, payload data, and operator annotations that reveal system state and procedures. Even when payload content is encrypted, ancillary channels (beacons, health/status, low-rate engineering downlink) can disclose mode transitions, battery and thermal margins, safing events, and next-pass predictions. Community ground networks and public dashboards may inadvertently provide stitched datasets that make trend analysis trivial. Captured framing and coding parameters also help an adversary build testbeds and refine timing for later actions. |
| .03 | Proximity Operations | In proximity scenarios, an adversary platform (or co-located payload) attempts to observe emissions and intra-vehicle traffic at close range: RF side-channels, optical/lasercom leakage, and, in extreme cases, electromagnetic emanations of the kind addressed by TEMPEST/EMSEC. Physical proximity can expose harmonics, intermodulation products, local oscillators, and bus activity that are undetectable from the ground, enabling reconstruction of timing, command acceptance windows, or even limited protocol content. In hosted-payload or rideshare contexts, a poorly segregated data path may permit passive observation of TT&C gateways, crosslinks, or payload buses. |
| REC-0007 | Monitor for Safe-Mode Indicators | Adversaries watch for telltale signs that the spacecraft has entered a safed or survival configuration, typically sun-pointing or torque-limited attitude, reduced payload activity, conservative power/thermal setpoints, and low-rate engineering downlink. Indicators include specific mode bits or beacon fields, changes in modulation/coding and cadence, distinctive event packets (e.g., wheel unload aborts, brownout recovery), elevated heater duty, altered load-shed states, and operator behaviors such as emergency DSN requests, longer ground passes, or public anomaly notices. This reconnaissance helps time later actions to coincide with periods of reduced bandwidth, altered monitoring, or maintenance command availability. It may also reveal how safing affects authentication (e.g., whether rapid-response paths or recovery consoles differ from nominal). |
| EX-0001 | Replay | Replay is the re-transmission of previously captured traffic, over RF links, crosslinks, or internal buses, to elicit the same processing and effects a second time. Adversaries first observe and record authentic exchanges (telecommands, ranging/acquisition frames, housekeeping telemetry acknowledgments, bus messages), then resend them within acceptance conditions that the system recognizes, matching link geometry, timetags, counters, or mode states. The aim can be functional (re-triggering an action such as a mode change), observational (fingerprinting how the vehicle reacts in different states), or disruptive (saturating queues and bandwidth to crowd out legitimate traffic). Because replays preserve valid syntax and often valid context, they can blend with normal operations, especially during periods with reduced monitoring or when counters and windows reset (e.g., handovers, safing entries). On encrypted links, metadata replays (acquisition beacons, schedule requests) may still yield informative responses. |
| .01 | Command Packets | Threat actors may resend authentic-looking telecommands that were previously accepted by the spacecraft. Captures may include whole command PDUs with framing, CRC/MAC, counters, and timetags intact, or they may be reconstructed from operator tooling and procedure logs. When timing, counters, and mode preconditions align, the replayed packet can cause the same effect: toggling relays, initiating safing or recovery scripts, adjusting tables, commanding momentum dumps, or scheduling delta-v events. Even when outright execution fails, repeated “near-miss” injections can map acceptance windows, rate/size limits, and interlocks by observing the spacecraft’s acknowledgments and state changes. At scale, streams of valid-but-stale commands can congest command queues, delay legitimate activity, or trigger nuisance FDIR responses. |
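The acceptance conditions the Replay entries describe (MAC, sequence counter, timetag, and the exposure created when counters reset on safing or handover) can be made concrete with a receiver-side check. The following is an added example written for this page, not SPARTA's or any flight software's code: the frame layout (2-byte APID, 4-byte counter, 4-byte timetag, payload, 16-byte truncated HMAC-SHA256 tag), the window sizes, and the sample key and command are all assumptions chosen for illustration. It shows a verbatim re-send of an accepted frame being rejected and counted for detection, and that after a counter reset only the timetag window still rejects an aged capture. The constant-time tag comparison also addresses the timing side-channel the Side-Channel Exfiltration entry below mentions.

```python
"""Anti-replay acceptance check for authenticated telecommand frames.

Added example (not from the SPARTA page or any mission's software). Frame
layout, window sizes, key and sample command are assumptions for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Assumed layout: APID (2 bytes), sequence counter (4 bytes), timetag (4 bytes,
# seconds), payload, then a 16-byte truncated HMAC-SHA256 tag over the rest.
TAG_LEN = 16
HEADER = struct.Struct(">HII")


def make_frame(key: bytes, apid: int, counter: int, timetag: int, payload: bytes) -> bytes:
    """Build an authenticated frame (ground side)."""
    body = HEADER.pack(apid, counter, timetag) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


@dataclass
class ApidState:
    """Per-APID replay state: highest counter accepted plus a sliding-window bitmap."""
    highest: int = -1
    seen: int = 0  # bit i set => counter (highest - i) already accepted


@dataclass
class Receiver:
    key: bytes
    window: int = 64      # out-of-order tolerance, in counter values
    max_skew: int = 30    # seconds of timetag drift tolerated
    states: dict = field(default_factory=dict)
    replays: dict = field(default_factory=dict)  # detection: rejected replays per APID

    def accept(self, frame: bytes, now: int) -> tuple[bool, str]:
        """Return (accepted, reason). Replay state changes only on acceptance."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare: an early-exit byte compare would leak how many
        # tag bytes matched through the acknowledgment timing.
        if not hmac.compare_digest(tag, expected):
            return False, "bad_mac"
        apid, counter, timetag = HEADER.unpack_from(body)
        if abs(now - timetag) > self.max_skew:
            return False, "stale_timetag"
        st = self.states.setdefault(apid, ApidState())
        if counter > st.highest:
            shift = counter - st.highest
            st.seen = ((st.seen << shift) | 1) & ((1 << self.window) - 1)
            st.highest = counter
            return True, "accepted"
        offset = st.highest - counter
        if offset >= self.window or (st.seen >> offset) & 1:
            self.replays[apid] = self.replays.get(apid, 0) + 1
            return False, "replayed_counter"
        st.seen |= 1 << offset
        return True, "accepted"

    def reset_counters(self) -> None:
        """Model a safing/handover event that clears counter state."""
        self.states.clear()


def demo() -> dict:
    """Run the constructed scenario and return each outcome by name."""
    key = b"constructed-example-key-not-real"  # constructed sample key
    rx = Receiver(key)
    now = 1_000_000
    cmd = make_frame(key, apid=0x10, counter=5, timetag=now, payload=b"\x01\x02")
    results = {}
    results["first"] = rx.accept(cmd, now)                # accepted
    results["verbatim_replay"] = rx.accept(cmd, now + 1)  # replayed_counter
    results["stale"] = rx.accept(make_frame(key, 0x10, 6, now - 120, b"\x03"), now)
    results["tampered"] = rx.accept(cmd[:-1] + bytes([cmd[-1] ^ 1]), now)  # bad_mac
    rx.reset_counters()
    # After the reset the counter check alone accepts the captured frame again;
    # only the timetag window still rejects it once the capture has aged.
    results["after_reset_fresh"] = rx.accept(cmd, now + 10)   # accepted: exposure
    results["after_reset_aged"] = rx.accept(cmd, now + 600)   # stale_timetag
    results["replays_seen"] = rx.replays.get(0x10, 0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

The `replays` counter is the detection hook: a burst of `replayed_counter` rejections on one APID is the signature of the queue-congestion and acceptance-window-mapping behaviour described above, and is worth surfacing in telemetry even though every such frame was dropped.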
| ID | Technique | Description |
| --- | --- | --- |
| EXF-0002 | Side-Channel Exfiltration | Information is extracted not by reading files or decrypting frames but by observing physical or protocol byproducts of computation: power draw, electromagnetic emissions, timing, thermal signatures, or traffic patterns. Repeated measurements create distinctive fingerprints correlated with internal states (key use, table loads, parser branches, buffer occupancy). Matching those fingerprints to models or templates yields sensitive facts without direct access to the protected data. In space systems, vantage points span proximity assets (for EM/thermal), ground testing and ATLO (for direct probing), compromised on-board modules that can sample rails or sensors, and remote observation of link-layer timing behaviors. |
| .03 | Traffic Analysis Attacks | In a terrestrial environment, threat actors use traffic analysis attacks to study traffic flow and gather topological information; the flow can divulge critical nodes, such as the aggregator node in a sensor network. In the space environment, specifically with relays and constellations, traffic analysis can be used to understand the energy capacity of a spacecraft node, given that the transceiver is the component that consumes the most power. Spacecraft nodes in a constellation network limit transceiver use to transmitting or receiving either at a regulated time interval or only when an event has been detected. This generally results in an architecture with some aggregator spacecraft nodes within the constellation: sensor nodes whose primary purpose is to relay transmissions from other nodes toward the ground station efficiently, instead of monitoring events like a normal node. The added functionality of acting as a hub for information gathering and preprocessing before relaying makes aggregator nodes an attractive target for side-channel attacks. A possible side-channel attack could be as simple as monitoring the occurrence and duration of computing activity at an aggregator node: if a node is frequently in active states rather than idle states, there is a high probability that it is an aggregator node and that communication with it is valid. Such leakage is highly undesirable because the leaked information can be used strategically by threat actors in the accumulation phase of an attack. |
| EXF-0003 | Signal Interception | The adversary captures mission traffic in transit, on ground networks or over the space link, so that payload products, housekeeping, and command/ack exchanges can be reconstructed offline. Vantage points include tapped ground LANs/WANs between MOC and stations, baseband interfaces (IF/IQ), RF/optical receptions within the antenna field of view, and crosslink monitors. Depending on protection, the haul ranges from plaintext frames to encrypted bitstreams whose headers, rates, and schedules still yield valuable context (APIDs, VCIDs, pass timing, file manifest cues). Intercepted sessions can guide later replay, cloning, or targeted downlink requests. |
| .01 | Uplink Exfiltration | Here the target is command traffic from ground to space. By receiving or tapping the uplink path, the adversary collects telecommand frames, ranging/acquisition exchanges, and any file or table uploads. If confidentiality is weak or absent, opcode/argument content, dictionaries, and procedures become directly readable; even when encrypted, session structure, counters, and acceptance timing inform future command-link intrusion or replay. Captured material can reveal maintenance windows, contingency dictionaries, and authentication schemes that enable subsequent exploitation. |
| .02 | Downlink Exfiltration | The attacker records spacecraft-to-ground traffic (real-time telemetry, recorder playbacks, payload products, and mirrored command sessions) to obtain mission data and health/state information. With sufficient signal quality and protocol knowledge, frames and packets are demodulated and extracted for offline use; where protection exists only on the uplink or is inconsistently applied, downlink content may still be in the clear. Downlinked command echoes, event logs, and file catalogs can expose internal activities and aid follow-on targeting, while the primary objective remains data capture at scale. |
| EXF-0004 | Out-of-Band Communications Link | Some missions field secondary links, on separate frequencies and hardware, for limited, purpose-built functions (e.g., rekeying, emergency commanding, beacons, custodial crosslinks). Adversaries co-opt these channels as covert data paths: embedding content in maintenance messages, beacon fields, or low-rate housekeeping; initiating vendor/service modes that carry file fragments; or switching to contingency profiles that bypass normal routing and monitoring. Because these paths are distinct from the main TT&C and may be sparsely supervised, they provide discreet avenues to move data off the spacecraft or to external relays without altering the primary link’s traffic patterns. |
| EXF-0005 | Proximity Operations | A nearby vehicle serves as the collection platform for unintended emissions and other proximate signals, effectively a mobile TEMPEST/EMSEC sensor. From close range, the adversary measures near-field RF, conducted/structure-borne emissions, optical/IR signatures, or leaked crosslink traffic correlated with on-board activity, then decodes or models those signals to recover information (keys, tables, procedure execution, payload content). Proximity also enables directional gain and repeated sampling passes, turning weak side channels into usable exfiltration without engaging the victim’s logical interfaces. |