| RD-0001 |
Acquire Infrastructure |
Adversaries assemble the people, platforms, and plumbing they will later use to observe, reach, or impersonate mission components. Infrastructure spans RF and optical ground assets (antennas, modems, timing sources, front-ends), compute and storage (on-prem and cloud), network presence (leased ASNs/IP space, VPS fleets, CDN relays), identity fabric (burner accounts, domains, certificates), and fabrication/test environments for hardware and software. They favor assets that are inexpensive, deniable, and geographically diverse, mixing self-hosted gear with commercial services and compromised third-party systems. To support spacecraft operations, they may build SDR-based labs that replicate waveforms and framing, stage command/telemetry tooling behind traffic mixers, and pre-position data pipelines for collection and analysis. The objective is persistence and flexibility: the ability to pivot between reconnaissance, delivery, and command with minimal attribution risk. |
|
RD-0001.03 |
Spacecraft |
A well-resourced actor may field their own spacecraft or hosted payload to gain proximity, visibility, or RF leverage. Small satellites can be launched into nearby planes or phasing orbits to observe emissions, perform spectrum measurements, or test spoofing and denial techniques at short range. Hosted payloads on commercial buses provide co-location without full spacecraft development. Proximity also enables on-orbit relay, crosslink probing, or attempts to exploit weak segmentation between payload and bus on rideshares. Regulatory and tracking regimes complicate overt misuse, but shell companies, benign-seeming mission declarations, or flags of convenience can mask intent. |
| RD-0002 |
Compromise Infrastructure |
Rather than purchasing or renting assets, adversaries compromise existing infrastructure, mission-owned, third-party, or shared, to obtain ready-made reach into space, ground, or cloud environments with the benefit of plausible attribution. Targets range from physical RF chains and timing sources to mission control servers, automation/scheduling systems, SLE/CSP gateways, identity providers, and cloud data paths. Initial access often comes via stolen credentials, spear-phishing of operators and vendors, exposed remote-support paths, misconfigured multi-tenant platforms, or lateral movement from enterprise IT into operations enclaves. Once resident, actors can pre-position tools, modify configurations, suppress logging, and impersonate legitimate stations or operators to support later Execution, Exfiltration, or Denial. |
|
RD-0002.03 |
3rd-Party Spacecraft |
By compromising another operator’s spacecraft, or a hosted payload, an adversary can gain proximity, sensing, and relay capabilities that are costly to build from scratch and difficult to attribute. With control of an on-orbit asset, the actor may conduct local spectrum measurement and traffic analysis, attempt selective interference or spoofing at short range, or probe crosslinks and gateways where payload networks bridge to buses. In rideshare or hosted-payload contexts, weak segmentation and shared ground paths can provide insight into neighboring missions. More aggressive scenarios include remote proximity operations (RPO) to achieve advantageous geometry; however, physical grappling, docking, or exposure of debug/test interfaces is highly specialized and rare, with significant safety, legal, and tracking implications. Realistic attacker goals emphasize adjacency for RF leverage, covert relay, or data theft rather than mechanical capture. |
| RD-0005 |
Obtain Non-Cyber Capabilities |
Adversaries may pursue non-cyber counterspace means to create access, leverage, or effects that complement cyber operations. These capabilities span kinetic physical (e.g., direct-ascent or co-orbital interceptors and attacks on ground segments), non-kinetic physical (e.g., lasers, high-power microwave/EMP), and electronic warfare (jamming and spoofing). Each class differs in required resources, detectability, attribution, and the permanence of effects, from reversible interference to irreversible destruction. A pragmatic actor mixes methods: electronic attack to mask or distract, directed energy to blind sensors or upset electronics, and, at the top end, kinetic capabilities to hold assets at risk. Resource development may involve acquisition, partnering, or covert access to such systems; rehearsals are often framed as testing or calibration. |
|
RD-0005.01 |
Launch Services |
Rather than “owning a pad,” a realistic path is purchasing launch services (rideshare, hosted payload) to place inspection or relay assets where they confer RF, optical, or proximity advantage. Launch providers deliver integration, testing, and scheduling; an actor can use benign mission covers to field small satellites that measure local spectrum, perform on-orbit characterization of target emissions, or support later rendezvous and proximity operations. The resource being developed is access to vantage points, not just spaceflight hardware. |
|
RD-0005.02 |
Non-Kinetic Physical ASAT |
Non-kinetic physical ASATs damage or degrade without contact, typically via directed energy or intense electromagnetic effects. Ground- or space-based lasers can dazzle or blind optical sensors; high-power microwave or related electromagnetic systems can disrupt or permanently damage susceptible electronics; some concepts aim to generate broader electromagnetic effects. These attacks propagate at light speed, can be tuned for reversible or lasting impact, and may leave limited forensic residue, complicating verification and attribution. Actors who obtain or partner for such systems can pair them with cyber operations (e.g., blind a star tracker while injecting misleading commands) to amplify effect. |
|
RD-0005.03 |
Kinetic Physical ASAT |
Kinetic capabilities physically strike space or ground elements. In space, direct-ascent systems launch from Earth to intercept a satellite on orbit; co-orbital systems maneuver in space to approach and impact a target. On the ground, kinetic attacks can target stations or support infrastructure. These actions are generally easier to detect and attribute and often produce persistent, hazardous debris in orbit, especially at higher altitudes, making them strategically escalatory. Actors developing or accessing such capabilities gain credible coercive power but at significant political and operational cost. |
|
RD-0005.04 |
Electronic ASAT |
Electronic ASAT attacks target the communications lifelines of space systems rather than their structures: jamming raises the noise floor to deny service; spoofing crafts believable but false signals (navigation, timing, or control). These effects are usually transient and can be difficult to attribute quickly, yet they are operationally useful and comparatively inexpensive. Actors may obtain portable or fixed jammers, high-gain antennas with agile waveforms, and specialized signal-processing toolchains; from orbit, a nearby asset can deliver highly selective interference. |
| IA-0005 |
Rendezvous & Proximity Operations |
Adversaries may execute a sequence of orbital maneuvers to co-orbit and approach a target closely enough for local sensing, signaling, or physical interaction. Proximity yields advantages that are difficult to achieve from Earth: high signal-to-noise for interception, narrowly targeted interference or spoofing, observation of attitude/thermal behavior, and, if interfaces exist, opportunities for mechanical mating. The approach typically unfolds through phasing, far-field rendezvous, relative navigation (e.g., vision, lidar, crosslink cues), and closed-loop final approach. At close distances, an attacker can monitor side channels, stimulate acquisition beacons, test crosslinks, or prepare for contact operations (capture or docking). |
|
IA-0005.02 |
Docked Vehicle / OSAM |
Docking, berthing, or service capture during on-orbit servicing, assembly, and manufacturing (OSAM) creates a high-trust bridge between vehicles. Threat actors exploit this moment, either by pre-positioning code on a servicing vehicle or by manipulating ground updates to it, so that, once docked, lateral movement occurs across the mechanical/electrical interface. Interfaces may expose power and data umbilicals, standardized payload ports, or gateways into the target’s C&DH or payload networks (e.g., SpaceWire, Ethernet, 1553). Service tools that push firmware, load tables, transfer files, or share time/ephemeris become conduits for staged procedures or implants that execute under maintenance authority. Malware can be timed to activation triggers such as “link up,” “maintenance mode entered,” or specific device enumerations that only appear when docked. Because OSAM operations are scheduled and well-documented, the adversary can align preparation with published timelines, ensuring that the first point of execution coincides with the brief window when cross-vehicle trust is intentionally elevated. |
|
IA-0005.03 |
Proximity Grappling |
In this variant, the attacker employs a capture mechanism (robotic arm, grappling fixture, magnetic or mechanical coupler) to establish physical contact without full docking. Once grappled, covers can be manipulated, temporary umbilicals attached, or exposed test points engaged; if design provisions exist (service ports, checkout connectors, external debug pads), these become direct pathways to device programming interfaces (e.g., JTAG/SWD/UART), mass-storage access, or maintenance command sets. Grappling also enables precise attitude control relative to the target, allowing contact-based sensors to read buses inductively or capacitively, or to inject signals onto harness segments reachable from the exterior. Initial access arises when a maintenance or debug path, normally latent in flight, is electrically or logically completed by the grappled connection, allowing authentication-bypassing actions such as boot-mode strapping, image replacement, or scripted command ingress. The operation demands accurate geometry, approach constraints, and fixture knowledge, but yields a transient, high-privilege bridge tailored for short, decisive actions that leave minimal on-orbit RF signature. |
| IA-0008 |
Rogue External Entity |
Adversaries obtain a foothold by interacting with the spacecraft from platforms outside the authorized ground architecture. A “rogue external entity” is any actor-controlled transmitter or node, ground, maritime, airborne, or space-based, that can radiate or exchange traffic using mission-compatible waveforms, framing, or crosslink protocols. The technique exploits the fact that many vehicles must remain commandable and discoverable over wide areas and across multiple modalities. Using public ephemerides, pass predictions, and knowledge of acquisition procedures, the actor times transmissions to line-of-sight windows, handovers, or maintenance periods. Initial access stems from presenting traffic that the spacecraft will parse or prioritize: syntactically valid telecommands, crafted ranging/acquisition exchanges, crosslink service advertisements, or payload/user-channel messages that bridge into the command/data path. |
|
IA-0008.02 |
Rogue Spacecraft |
Adversaries may employ their own satellite or hosted payload to achieve proximity and a privileged RF geometry. After phasing into the appropriate plane or drift orbit, the rogue vehicle operates as a local peer: emitting narrow-beam or crosslink-compatible signals, relaying user-channel traffic that the target will honor, or advertising services that appear to originate from a trusted neighbor. Close range reduces path loss and allows highly selective interactions, e.g., targeted spoofing of acquisition exchanges, presentation of crafted routing/time distribution messages, or injection of payload tasking that rides established inter-satellite protocols. The rogue platform can also perform spectrum and protocol reconnaissance in situ, refining message formats and timing before attempting first execution. |
|
IA-0008.03 |
ASAT/Counterspace Weapon |
Adversaries leverage counterspace platforms to create conditions under which initial execution becomes possible or to impose effects directly. Electronic warfare systems can jam or spoof links so that the target shifts to contingency channels or accepts crafted navigation/control signals; directed-energy systems can dazzle sensors or upset electronics, shaping mode transitions and autonomy responses; kinetic or contact-capable systems can enable mechanical interaction that exposes maintenance or debug paths. In each case, the counterspace asset is an external actor-controlled node that interacts with the spacecraft outside authorized ground pathways. Initial access may be the immediate result of accepted spoofed traffic, or it may be secondary, arising when the target enters states with broader command acceptance, alternative receivers, or service interfaces that the adversary can then exploit. |
| EX-0016 |
Jamming |
Jamming is an electronic attack that uses radio frequency signals to interfere with communications. A jammer must operate in the same frequency band and within the field of view of the antenna it is targeting. Unlike physical attacks, jamming is completely reversible, once the jammer is disengaged, communications can be restored. Attribution of jamming can be tough because the source can be small and highly mobile, and users operating on the wrong frequency or pointed at the wrong satellite can jam friendly communications.* Similiar to intentional jamming, accidential jamming can cause temporary signal degradation. Accidental jamming refers to unintentional interference with communication signals, and it can potentially impact spacecraft in various ways, depending on the severity, frequency, and duration of the interference.
*https://aerospace.csis.org/aerospace101/counterspace-weapons-101 |
|
EX-0016.01 |
Uplink Jamming |
The attacker transmits toward the spacecraft’s uplink receive antenna, within its main lobe or significant sidelobes, at the operating frequency and sufficient power spectral density to drive the uplink Eb/N₀ below the demodulator’s threshold. Uplink jamming prevents acceptance of telecommands and ranging/acquisition traffic, delaying or blocking scheduled operations. Because the receiver resides on the spacecraft, the jammer must be located within the spacecraft’s receive footprint and match its polarization and Doppler conditions well enough to couple energy into the front end. |
|
EX-0016.02 |
Downlink Jamming |
Downlink jammers target the users of a satellite by creating noise in the same frequency as the downlink signal from the satellite. A downlink jammer only needs to be as powerful as the signal being received on the ground and must be within the field of view of the receiving terminal’s antenna. This limits the number of users that can be affected by a single jammer. Since many ground terminals use directional antennas pointed at the sky, a downlink jammer typically needs to be located above the terminal it is attempting to jam. This limitation can be overcome by employing a downlink jammer on an air or space-based platform, which positions the jammer between the terminal and the satellite. This also allows the jammer to cover a wider area and potentially affect more users. Ground terminals with omnidirectional antennas, such as many GPS receivers, have a wider field of view and thus are more susceptible to downlink jamming from different angles on the ground.*
*https://aerospace.csis.org/aerospace101/counterspace-weapons-101 |
| EX-0017 |
Kinetic Physical Attack |
The adversary inflicts damage by physically striking space assets or their supporting elements, producing irreversible effects that are generally visible to space situational awareness. Kinetic attacks in orbit are commonly grouped into direct-ascent engagements, launched from Earth to intercept a target on a specific pass, and co-orbital engagements, in which an on-orbit vehicle maneuvers to collide with or detonate near the target. Outcomes include structural breakup, loss of attitude control, sensor or antenna destruction, and wholesale mission termination; secondary effects include debris creation whose persistence depends on altitude and geometry. Because launches and on-orbit collisions are measurable, these actions tend to be more attributable and offer near–real-time confirmation of effect compared to non-kinetic methods. |
|
EX-0017.01 |
Direct Ascent ASAT |
A direct-ascent ASAT is often the most commonly thought of threat to space assets. It typically involves a medium- or long-range missile launching from the Earth to damage or destroy a satellite in orbit. This form of attack is often easily attributed due to the missile launch which can be easily detected. Due to the physical nature of the attacks, they are irreversible and provide the attacker with near real-time confirmation of success. Direct-ascent ASATs create orbital debris which can be harmful to other objects in orbit. Lower altitudes allow for more debris to burn up in the atmosphere, while attacks at higher altitudes result in more debris remaining in orbit, potentially damaging other spacecraft in orbit.*
*https://aerospace.csis.org/aerospace101/counterspace-weapons-101 |
|
EX-0017.02 |
Co-Orbital ASAT |
A co-orbital ASAT uses a spacecraft already in space to conduct a deliberate collision or near-field detonation. After insertion, often well before any hostile action, the vehicle performs rendezvous and proximity operations to achieve the desired relative geometry, then closes to impact or triggers a kinetic or explosive device. Guidance relies on relative navigation (optical, lidar, crosslink cues) and precise timing to manage closing speeds and contact angle. Compared with direct-ascent shots, co-orbital approaches can loiter, shadow, or “stalk” a target for extended periods, masking as inspection or servicing until the terminal maneuver. Effects include mechanical disruption, fragmentation, or mission-ending damage, with debris characteristics shaped by the chosen altitude, closing velocity, and collision geometry. |
| EX-0018 |
Non-Kinetic Physical Attack |
The adversary inflicts physical effects on a satellite without mechanical contact, using energy delivered through the environment. Principal modalities are electromagnetic pulse (EMP), high-power laser (optical/thermal effects), and high-power microwave (HPM). These methods can be tuned for reversible disruption (temporary sensor saturation, processor upsets) or irreversible damage (component burnout, optics degradation), and may be executed from ground, airborne, or space platforms given line-of-sight and power/aperture conditions. Forensics are often ambiguous: signatures may resemble environmental phenomena or normal degradations, and confirmation of effect is frequently limited to what the operator observes in telemetry or performance loss. |
|
EX-0018.01 |
Electromagnetic Pulse (EMP) |
An EMP delivers a broadband, high-amplitude electromagnetic transient that couples into spacecraft electronics and harnesses, upsetting or damaging components over wide areas. In space, the archetype is a high-altitude nuclear event whose prompt fields induce immediate upsets and whose secondary radiation environment elevates dose and charging for an extended period along affected orbits. Consequences include widespread single-event effects, latch-ups, permanent degradation of sensitive devices, and accelerated aging of solar arrays and materials. The effect envelope is large and largely indiscriminate: multiple satellites within view can experience simultaneous anomalies consistent with intense electromagnetic stress and enhanced radiation. |
|
EX-0018.02 |
High-Powered Laser |
A high-powered laser can be used to permanently or temporarily damage critical satellite components (i.e. solar arrays or optical centers). If directed toward a satellite’s optical center, the attack is known as blinding or dazzling. Blinding, as the name suggests, causes permanent damage to the optics of a satellite. Dazzling causes temporary loss of sight for the satellite. While there is clear attribution of the location of the laser at the time of the attack, the lasers used in these attacks may be mobile, which can make attribution to a specific actor more difficult because the attacker does not have to be in their own nation, or even continent, to conduct such an attack. Only the satellite operator will know if the attack is successful, meaning the attacker has limited confirmation of success, as an attacked nation may not choose to announce that their satellite has been attacked or left vulnerable for strategic reasons. A high-powered laser attack can also leave the targeted satellite disabled and uncontrollable, which could lead to collateral damage if the satellite begins to drift. A higher-powered laser may permanently damage a satellite by overheating its parts. The parts most susceptible to this are satellite structures, thermal control panels, and solar panels.*
*https://aerospace.csis.org/aerospace101/counterspace-weapons-101 |
|
EX-0018.03 |
High-Powered Microwave |
High-powered microwave (HPM) weapons can be used to disrupt or destroy a satellite’s electronics. A “front-door” HPM attack uses a satellite’s own antennas as an entry path, while a “back-door” attack attempts to enter through small seams or gaps around electrical connections and shielding. A front-door attack is more straightforward to carry out, provided the HPM is positioned within the field of view of the antenna that it is using as a pathway, but it can be thwarted if the satellite uses circuits designed to detect and block surges of energy entering through the antenna. In contrast, a back-door attack is more challenging, because it must exploit design or manufacturing flaws, but it can be conducted from many angles relative to the satellite. Both types of attacks can be either reversible or irreversible; however, the attacker may not be able to control the severity of the damage from the attack. Both front-door and back-door HPM attacks can be difficult to attribute to an attacker, and like a laser weapon, the attacker may not know if the attack has been successful. A HPM attack may leave the target satellite disabled and uncontrollable which can cause it to drift into other satellites, creating further collateral damage.*
*https://aerospace.csis.org/aerospace101/counterspace-weapons-101 |
| DE-0002 |
Disrupt or Deceive Downlink |
Threat actors may target ground-side telemetry reception, processing, or display to disrupt the operator’s visibility into spacecraft health and activity. This may involve denial-based attacks that prevent the spacecraft from transmitting telemetry to the ground (e.g., disabling telemetry links or crashing telemetry software), or more subtle deception-based attacks that manipulate telemetry content to conceal unauthorized actions. Since telemetry is the primary method ground controllers rely on to monitor spacecraft status, any disruption or manipulation can delay or prevent detection of malicious activity, suppress automated or manual mitigations, or degrade trust in telemetry-based decision support systems. |
|
DE-0002.02 |
Jam Link Signal |
Threat actors may overwhelm/jam the downlink signal to prevent transmitted telemetry signals from reaching their destination without severe modification/interference, effectively leaving ground controllers unaware of vehicle activity during this time. Telemetry is the only method in which ground controllers can monitor the health and stability of the spacecraft while in orbit. By disabling this downlink, threat actors may be able to stop mitigations from taking place. |
| DE-0009 |
Camouflage, Concealment, and Decoys (CCD) |
The adversary exploits the physical and operational environment to reduce detectability or to mislead observers. Tactics include signature management (minimizing RF/optical/thermal/RCS), controlled emissions timing, deliberate power-down/dormancy, geometry choices that hide within clutter or eclipse, and the deployment of decoys that generate convincing tracks. CCD can also leverage naturally noisy conditions, debris-rich regions, auroral radio noise, solar storms, to mask proximity operations or to provide plausible alternate explanations for anomalies. The unifying theme is environmental manipulation: shape what external sensors perceive so surveillance and attribution lag, misclassify, or look elsewhere. |
|
DE-0009.01 |
Debris Field |
The attacker co-orbits within or near clusters of small objects, matching apparent characteristics (brightness, RCS, tumbling, intermittent emissions) so the vehicle blends with background debris. Dormant periods with minimized attitude control and emissions further the illusion. This posture supports covert inspection, staging for a later intercept, or timing cyber-physical actions (e.g., propulsion or actuator manipulation) to coincide with passages through clutter, increasing the chance that damage or anomalies are attributed to debris strikes rather than deliberate activity. Maintenance of the disguise may involve small, infrequent maneuvers to keep relative motion consistent with “free” debris dynamics. |
|
DE-0009.03 |
Trigger Premature Intercept |
Decoys and deceptive signatures are used to provoke defenders into committing limited resources early, inspection vehicles, interceptors, laser dwell time, maneuver fuel, or analyst attention. The attacker deploys objects or emissions that mimic credible threats (trajectories, RCS/brightness, modulation) so tracking and discrimination systems prioritize the decoy. While defenses engage, the true operation proceeds with reduced scrutiny, or follows shortly after when defensive capacity and timelines are depleted. The effect is resource exhaustion and timeline compression on the defender’s side, increasing the success window for the actual action. |
|
DE-0009.04 |
Targeted Deception of Onboard SSA/SDA Sensors |
The attacker aims at the spacecraft’s own proximity-awareness stack, cameras, star-tracker side products, lidar/radar, RF transponders, and the onboard fusion that estimates nearby objects. Methods include optical dazzling or reflective camouflage that confuses centroiding and detection, RCS management to fall below radar gate thresholds, intermittent or misleading transponder replies, and presentation of spoofed fiducials or optical patterns tuned to the vehicle’s detection algorithms. By biasing these local sensors and their fusion logic, the adversary hides approach, distorts relative-state estimates, or induces the target to classify a nearby object as benign clutter, masking proximity operations without relying on external catalog errors. |