Indicators of Behavior

SPARTA

Unauthorized and Anomalous Command Execution in Spacecraft Operations

Hardware Command Executed Outside Authorized Schedule

Unauthorized Hardware Command-Induced Configuration Change

Legitimate Command with Malicious Parameters Targeting Subsystems

Unexpected Legitimate Command Sent

Unexpected counter increment (valid or invalid count)

Unauthorized Commands Issued from Unrecognized Ground Station

Duplicate Command Packet Executions

Anomalous Command Packet Signatures

Valid Command Flooding

Logs of Processed Commands Flooding

Unauthorized Command Execution via Flight Software

Anomalous Command or Sequence in Safe-Mode

Unexpected Command Execution During Safe-Mode

Safe-Mode Exit Command Executed at Unexpected Time

Command from Untrusted Ground Station or Location in Safe-Mode

Irregular Orbit Maneuver Commands Detected on Attitude Control

Abnormal Burn Duration Detected in Propulsion Subsystem

Suspicious Burn Sequence Executed Outside Planned Timeline

Unexpected Thrust Direction Detected in Propulsion Subsystem

Repeated Downlink Commands with Identical Timestamps

Repeated Downlink Commands Sent Outside Authorized Time

Multiple Consecutive Burn Commands Exceeding Duration Limits

Unusual Commands from Subsystem Acting as Bus Controller (1553)

Unauthorized CLTU-START, STOP, or UNBIND Initiation from Unauthorized User or Rogue IP

Telecommand Format Tampering in CLTU-TRANSFER_DATA

Unauthorized Crosslink Command at Unexpected Time

Unauthorized Cryptographic Key Usage and Encryption Bypass

Repeated Use of Cryptographic Keys from Unusual Locations

Use of Old or Rotated Cryptographic Keys for Authentication

Unexpected Access to Cryptographic Keys

Unexpected Changes to Encryption Configuration Settings

Unexpected SPI Value Triggering Segmentation Fault

Abnormal Security Association (SA) Pointer Retrieval

Modification of Encryption Algorithms

Payload Channel Operating Without Encryption

Failed Credential Encryption in SLE Protocol

Crosslink Channel Operating Without Encryption

Use of Account or Cryptographic Keys at Unexpected Times

Communication Security and Network Exploitation

Unexpected Ground Station IP Address in Communication

ARP Spoofing Attack (Rogue IP)

Backup Channel Activity Outside Scheduled Time Windows

Unexpected Data Transfer Over Backup Channel While Primary Active

Traffic Volume Spike on Backup Channel

Unexpected Communication Protocols in Uplink

Use of Unexpected Protocol on Backup Channel

Denial of Service Due to Saturated Bandwidth Detected

Unexpected Downlink Traffic Dropped or Disrupted

Transmission to Unauthorized Ground Station Detected

Data Exfiltration Detected During Scheduled Communication Windows

Generic Flooding Attack

Erroneous Input Flooding

Unusual Data Transmission Between SpaceWire Routing Switches

Unexpected Communication Between Subsystems

Suspicious Network Traffic Without Expected Encryption

Creation of FIFO for Data Exfiltration or Command Injection

Process Execution Tied to Specific Geographic Coordinates

Unexpected High-Priority Messages on the CAN Bus

Unauthorized Downlink Communication at Unexpected Time

Unauthorized Data Transmission from Ground System to External IP

Traffic Volume Spike on Out-of-Band Link

Sudden Increase in Bandwidth Usage from Ground System

ARP Spoofing via MAC Address Mismatch

CAN Bus Error Frames Detected Across Multiple Nodes

Frequent CAN Arbitration Loss by Critical Subsystems

Unexpected Communication Between SpaceWire Nodes

Detection of CANBus Replay Attack with Duplicate Message ID and Timing Anomalies

Replay of Legitimate CANBus Message with Known Message ID

Unauthorized Device Acting as Bus Controller (1553)

Specially Crafted CAN Messages Sent to Critical Subsystems

Repeated CAN Message Spoofing Detected Between Subsystems

Unusual Communication Between Payload and Critical Subsystems

Unusual Data Transmission from Remote Terminal to Subsystem. (1553)

Traffic Volume Spike on Payload Channel

Payload Channel Activity Outside Scheduled Time Windows

Out-of-Band Activity Outside Scheduled Time Windows

Use of Unexpected Protocol on Out-of-Band Link

Unauthorized Frequency Usage on Out-of-Band Link

Unplanned Deactivation of Downlink Transmitter

High Latency Detected in Downlink Communication

Multiple Failed Downlink Attempts from Spacecraft

Anomalous Increase in Crosslink Traffic Volume

Communication to Unauthorized Neighboring Spacecraft

Unauthorized Signal Transmission to Secondary Receiver

Authentication and RF Signal Integrity Threats

Authentication Process Tampering

Anomalous Authentication Attempts

Invalid RF Command Lock

Unexpected Latency in Command Packet Processing

Failed Authentication Attempts Due to RF/EMI Interference

Abnormal Signal Strength

Noise Injection Detected in Communication Channels

Unauthorized Frequency Usage on Backup Channel

Safe-Mode Activation Due to Signal Jamming

CLTU BIND Authentication Failure

Authorized SLE Session Establishment by Attacker (Rogue IP)

Rejection of CLTU BIND Due to Tampered/Invalid Credentials

GNSS and Time Manipulation Threats

Unexpected GNSS Signal Delay

Signal-to-Noise Ratio Drop in GNSS Receiver

GNSS Signal Outage Detected

GNSS Receiver Power Fluctuations

Time Discrepancy Detected in GPS/External Signal Input

Unexpected Time Delta Detected

Time Adjustment Commands Detected

Anomalous Hardware Clock Behavior

Anomalous GNSS Timing Behavior (Time Rewind Detected)

Anomalous Sensor Data (Time Rewind Detected)

Unexpected Position Delta Detected via Anomalous GNSS Position Data

ICD Field Non-Compliance Detected

Spacecraft Memory Integrity and Resource Exploitation Attacks

Anomalous Flash Write Operations Detected in Short Timeframe

Anomalous Flash/EEPROM Memory Checksums Detected

Unusual Access Frequency to Critical Memory Regions

Skipped Boot Integrity Check

Memory Corruption Detected in Flight Software

Unexpected Modification of Memory Location Associated with Telemetry Data

Unexpected Memory Value Write or Modification

Resource Exhaustion Due to Handling Invalid Inputs

Failed Boot Memory Validation

Anomalous Boot Sequence Execution

Detection of Malicious Code in Boot Memory (Integrity Failure)

Unexpected Modification to Encryption Memory/Table

Unexpected Modification to Stored Commands Area

Abnormal Memory Consumption by Malicious Process

Unexpected Modification of Memory Location Associated with Payload Data

Unexpected Boot Memory Modifications

Unauthorized System Call to Open Flash Memory Blocks (/dev/mtd)

Bit Flip in Critical Memory Region Detected via Error Detection

Watchdog Timer (WDT) and Register Exploitation

Reduced Watchdog Timer Reset Frequency

Abnormal Frequency of Watchdog Timer Resets

Watchdog Timer Status Disabled

Watchdog Timer Timeout Modified to Unexpected Value

Unauthorized Access Attempt to Critical Registers

Unexpected Register Reset Activity

Anomalous Register Value Modification

Software Integrity and Unauthorized Updates

Unexpected Hardware Interrupt Trigger

Unexpected System Integrity Failures in Software

Security Feature Bypass Detected in Hardware Design

Abnormal Software Update Activity Detected

Unscheduled Software Updates Detected

Compromised Software Certificates or Digital Signatures

Invalid Digital Signature in On-Orbit Update Package

Malicious Code via New Process

Unexpected Software Crash Detected in Flight Software

Process Executing Priority Modification

Suspicious Binary or Script Execution

Loading of Malicious Kernel Modules

Repeated File Access to /null and Other Dummy Files

Abnormal System Calls Indicative of a Software Backdoor/Malicious Code

Repeated File Access to /zero or /null Devices

Execution of System Commands

Detection of Anomalous API Calls in Flight Software

Suspicious Activity in Software Compilation or Build Process

Unauthorized Modification of Source Code in Software Repository

Suspicious Access to Vulnerable Software Process

Detection of Anomalous Process Behavior Due to Code Exploitation

Abnormal Subsystem Behavior Following Malicious Code Execution

Detection of Unauthorized Hardware Debugging

Suspicious Firmware Version Rollback

Unauthorized Function Hooking in Telemetry Process

Unauthorized Modification of Downlink Configuration

Spacecraft Sensor Manipulation and System Resource Exploitation

Sensor Data Exceeds Operational Ranges

High CPU Utilization Due to Anomalous/Malicious Activity

Unauthorized State Changes in Critical Sensors

ADCS Onboard Values Manipulation

Unexpected Spacecraft Telemetry or Movement Detected on Attitude

Unauthorized Fault Management Configuration Change Detected Outside Expected Time

Unauthorized Star Map Changes in Star Trackers

Sudden Orbit Correction Detected Outside of Planned Windows

Security Feature Disabled in Safe-Mode

Ransomware Holding CPU Cycles Hostage

High CPU Usage Detected for Unauthorized Process

Microwave Emissions Targeting Sensitive Nodes

High Energy Particle Strike on Sensitive Node

Multiple Failed System Reinitializations Due to Exploit

Unexpected Changes to Software-Defined Radio (SDR) Configuration

Unexpected Fault Management Process Termination

Telemetry Packet Drops Due to CPU or Memory Overload

Abnormal Process Forking Leading to Resource Exhaustion

System Freeze or Crash Detected After High Resource Consumption (CPU, Memory, Storage)

Data Integrity and Storage Exploitation Threats

File or Data Integrity Check Failure

Unauthorized Modification of On-Orbit Update Binary

Multiple Failed Attempts to Access Encrypted Data

Storage Exhaustion (Disk Full)

Unusual File Encryption Activity Detected

Suspicious Activity Leading to Storage Exhaustion

Attitude Sensor Data and Actuator Behavior

Anomalous Frequency of Sensor Data Updates

Unexpected Change in Gyroscope Sensor Data

Abnormal Data Flow in Attitude Control Telemetry

Sensor Data Spike Detected

Discrepancy Between Redundant Sensor Systems

Flight Software Configuration Anomalies

Unexpected Audit Log Rotation

High Volume of Audit Log Entries Detected

Audit Log Capacity Limit Reached

Unauthorized Modification of Critical Onboard Values

Unplanned Deactivation of Downlink Transmitter

Detection of the downlink transmitter being deactivated unexpectedly, potentially indicating a malicious action intended to disable the spacecraft's ability to send telemetry data to the ground.

STIX Pattern

[x-opencti-telemetry:component = 'downlink_transmitter' AND x-opencti-telemetry:status = 'inactive' AND x-opencti-telemetry:deactivation_reason != 'planned']

SPARTA TTPs

ID		Name	Description
DE-0002		Disrupt or Deceive Downlink	Threat actors may target ground-side telemetry reception, processing, or display to disrupt the operator’s visibility into spacecraft health and activity. This may involve denial-based attacks that prevent the spacecraft from transmitting telemetry to the ground (e.g., disabling telemetry links or crashing telemetry software), or more subtle deception-based attacks that manipulate telemetry content to conceal unauthorized actions. Since telemetry is the primary method ground controllers rely on to monitor spacecraft status, any disruption or manipulation can delay or prevent detection of malicious activity, suppress automated or manual mitigations, or degrade trust in telemetry-based decision support systems.
DE-0002.01		Inhibit Ground System Functionality	Threat actors may utilize access to the ground system to inhibit its ability to accurately process, render, or interpret spacecraft telemetry, effectively leaving ground controllers unaware of the spacecraft’s true state or activity. This may involve traditional denial-based techniques, such as disabling telemetry software, corrupting processing pipelines, or crashing display interfaces. In addition, more subtle deception-based techniques may be used to falsify telemetry data within the ground system , such as modifying command counters, acknowledgments, housekeeping data, or sensor outputs , to provide the appearance of nominal operation. These actions can suppress alerts, mask unauthorized activity, or prevent both automated and manual mitigations from being initiated based on misleading ground-side information. Because telemetry is the primary method by which ground controllers monitor the health, behavior, and safety of the spacecraft, any disruption or falsification of this data directly undermines situational awareness and operational control.
DE-0002.03		Inhibit Spacecraft Functionality	In this variant, telemetry is suppressed at the source by manipulating on-board generation or transmission. Methods include disabling or pausing telemetry publishers, altering packet filters and rates, muting event/report channels, reconfiguring recorder playback, retuning/muting transmitters, or switching to modes that emit only minimal beacons. The spacecraft continues operating, but the downlink no longer reflects true activity or arrives too sparsely to support monitoring. By constraining what is produced or transmitted, the adversary reduces opportunities for detection while other actions proceed.