Indicators of Behavior

SPARTA

Unauthorized and Anomalous Command Execution in Spacecraft Operations

Hardware Command Executed Outside Authorized Schedule

Unauthorized Hardware Command-Induced Configuration Change

Legitimate Command with Malicious Parameters Targeting Subsystems

Unexpected Legitimate Command Sent

Unexpected counter increment (valid or invalid count)

Unauthorized Commands Issued from Unrecognized Ground Station

Duplicate Command Packet Executions

Anomalous Command Packet Signatures

Valid Command Flooding

Logs of Processed Commands Flooding

Unauthorized Command Execution via Flight Software

Anomalous Command or Sequence in Safe-Mode

Unexpected Command Execution During Safe-Mode

Safe-Mode Exit Command Executed at Unexpected Time

Command from Untrusted Ground Station or Location in Safe-Mode

Irregular Orbit Maneuver Commands Detected on Attitude Control

Abnormal Burn Duration Detected in Propulsion Subsystem

Suspicious Burn Sequence Executed Outside Planned Timeline

Unexpected Thrust Direction Detected in Propulsion Subsystem

Repeated Downlink Commands with Identical Timestamps

Repeated Downlink Commands Sent Outside Authorized Time

Multiple Consecutive Burn Commands Exceeding Duration Limits

Unusual Commands from Subsystem Acting as Bus Controller (1553)

Unauthorized CLTU-START, STOP, or UNBIND Initiation from Unauthorized User or Rogue IP

Telecommand Format Tampering in CLTU-TRANSFER_DATA

Unauthorized Crosslink Command at Unexpected Time

Unauthorized Cryptographic Key Usage and Encryption Bypass

Repeated Use of Cryptographic Keys from Unusual Locations

Use of Old or Rotated Cryptographic Keys for Authentication

Unexpected Access to Cryptographic Keys

Unexpected Changes to Encryption Configuration Settings

Unexpected SPI Value Triggering Segmentation Fault

Abnormal Security Association (SA) Pointer Retrieval

Modification of Encryption Algorithms

Payload Channel Operating Without Encryption

Failed Credential Encryption in SLE Protocol

Crosslink Channel Operating Without Encryption

Use of Account or Cryptographic Keys at Unexpected Times

Communication Security and Network Exploitation

Unexpected Ground Station IP Address in Communication

ARP Spoofing Attack (Rogue IP)

Backup Channel Activity Outside Scheduled Time Windows

Unexpected Data Transfer Over Backup Channel While Primary Active

Traffic Volume Spike on Backup Channel

Unexpected Communication Protocols in Uplink

Use of Unexpected Protocol on Backup Channel

Denial of Service Due to Saturated Bandwidth Detected

Unexpected Downlink Traffic Dropped or Disrupted

Transmission to Unauthorized Ground Station Detected

Data Exfiltration Detected During Scheduled Communication Windows

Generic Flooding Attack

Erroneous Input Flooding

Unusual Data Transmission Between SpaceWire Routing Switches

Unexpected Communication Between Subsystems

Suspicious Network Traffic Without Expected Encryption

Creation of FIFO for Data Exfiltration or Command Injection

Process Execution Tied to Specific Geographic Coordinates

Unexpected High-Priority Messages on the CAN Bus

Unauthorized Downlink Communication at Unexpected Time

Unauthorized Data Transmission from Ground System to External IP

Traffic Volume Spike on Out-of-Band Link

Sudden Increase in Bandwidth Usage from Ground System

ARP Spoofing via MAC Address Mismatch

CAN Bus Error Frames Detected Across Multiple Nodes

Frequent CAN Arbitration Loss by Critical Subsystems

Unexpected Communication Between SpaceWire Nodes

Detection of CANBus Replay Attack with Duplicate Message ID and Timing Anomalies

Replay of Legitimate CANBus Message with Known Message ID

Unauthorized Device Acting as Bus Controller (1553)

Specially Crafted CAN Messages Sent to Critical Subsystems

Repeated CAN Message Spoofing Detected Between Subsystems

Unusual Communication Between Payload and Critical Subsystems

Unusual Data Transmission from Remote Terminal to Subsystem. (1553)

Traffic Volume Spike on Payload Channel

Payload Channel Activity Outside Scheduled Time Windows

Out-of-Band Activity Outside Scheduled Time Windows

Use of Unexpected Protocol on Out-of-Band Link

Unauthorized Frequency Usage on Out-of-Band Link

Unplanned Deactivation of Downlink Transmitter

High Latency Detected in Downlink Communication

Multiple Failed Downlink Attempts from Spacecraft

Anomalous Increase in Crosslink Traffic Volume

Communication to Unauthorized Neighboring Spacecraft

Unauthorized Signal Transmission to Secondary Receiver

Authentication and RF Signal Integrity Threats

Authentication Process Tampering

Anomalous Authentication Attempts

Invalid RF Command Lock

Unexpected Latency in Command Packet Processing

Failed Authentication Attempts Due to RF/EMI Interference

Abnormal Signal Strength

Noise Injection Detected in Communication Channels

Unauthorized Frequency Usage on Backup Channel

Safe-Mode Activation Due to Signal Jamming

CLTU BIND Authentication Failure

Authorized SLE Session Establishment by Attacker (Rogue IP)

Rejection of CLTU BIND Due to Tampered/Invalid Credentials

GNSS and Time Manipulation Threats

Unexpected GNSS Signal Delay

Signal-to-Noise Ratio Drop in GNSS Receiver

GNSS Signal Outage Detected

GNSS Receiver Power Fluctuations

Time Discrepancy Detected in GPS/External Signal Input

Unexpected Time Delta Detected

Time Adjustment Commands Detected

Anomalous Hardware Clock Behavior

Anomalous GNSS Timing Behavior (Time Rewind Detected)

Anomalous Sensor Data (Time Rewind Detected)

Unexpected Position Delta Detected via Anomalous GNSS Position Data

ICD Field Non-Compliance Detected

Spacecraft Memory Integrity and Resource Exploitation Attacks

Anomalous Flash Write Operations Detected in Short Timeframe

Anomalous Flash/EEPROM Memory Checksums Detected

Unusual Access Frequency to Critical Memory Regions

Skipped Boot Integrity Check

Memory Corruption Detected in Flight Software

Unexpected Modification of Memory Location Associated with Telemetry Data

Unexpected Memory Value Write or Modification

Resource Exhaustion Due to Handling Invalid Inputs

Failed Boot Memory Validation

Anomalous Boot Sequence Execution

Detection of Malicious Code in Boot Memory (Integrity Failure)

Unexpected Modification to Encryption Memory/Table

Unexpected Modification to Stored Commands Area

Abnormal Memory Consumption by Malicious Process

Unexpected Modification of Memory Location Associated with Payload Data

Unexpected Boot Memory Modifications

Unauthorized System Call to Open Flash Memory Blocks (/dev/mtd)

Bit Flip in Critical Memory Region Detected via Error Detection

Watchdog Timer (WDT) and Register Exploitation

Reduced Watchdog Timer Reset Frequency

Abnormal Frequency of Watchdog Timer Resets

Watchdog Timer Status Disabled

Watchdog Timer Timeout Modified to Unexpected Value

Unauthorized Access Attempt to Critical Registers

Unexpected Register Reset Activity

Anomalous Register Value Modification

Software Integrity and Unauthorized Updates

Unexpected Hardware Interrupt Trigger

Unexpected System Integrity Failures in Software

Security Feature Bypass Detected in Hardware Design

Abnormal Software Update Activity Detected

Unscheduled Software Updates Detected

Compromised Software Certificates or Digital Signatures

Invalid Digital Signature in On-Orbit Update Package

Malicious Code via New Process

Unexpected Software Crash Detected in Flight Software

Process Executing Priority Modification

Suspicious Binary or Script Execution

Loading of Malicious Kernel Modules

Repeated File Access to /null and Other Dummy Files

Abnormal System Calls Indicative of a Software Backdoor/Malicious Code

Repeated File Access to /zero or /null Devices

Execution of System Commands

Detection of Anomalous API Calls in Flight Software

Suspicious Activity in Software Compilation or Build Process

Unauthorized Modification of Source Code in Software Repository

Suspicious Access to Vulnerable Software Process

Detection of Anomalous Process Behavior Due to Code Exploitation

Abnormal Subsystem Behavior Following Malicious Code Execution

Detection of Unauthorized Hardware Debugging

Suspicious Firmware Version Rollback

Unauthorized Function Hooking in Telemetry Process

Unauthorized Modification of Downlink Configuration

Spacecraft Sensor Manipulation and System Resource Exploitation

Sensor Data Exceeds Operational Ranges

High CPU Utilization Due to Anomalous/Malicious Activity

Unauthorized State Changes in Critical Sensors

ADCS Onboard Values Manipulation

Unexpected Spacecraft Telemetry or Movement Detected on Attitude

Unauthorized Fault Management Configuration Change Detected Outside Expected Time

Unauthorized Star Map Changes in Star Trackers

Sudden Orbit Correction Detected Outside of Planned Windows

Security Feature Disabled in Safe-Mode

Ransomware Holding CPU Cycles Hostage

High CPU Usage Detected for Unauthorized Process

Microwave Emissions Targeting Sensitive Nodes

High Energy Particle Strike on Sensitive Node

Multiple Failed System Reinitializations Due to Exploit

Unexpected Changes to Software-Defined Radio (SDR) Configuration

Unexpected Fault Management Process Termination

Telemetry Packet Drops Due to CPU or Memory Overload

Abnormal Process Forking Leading to Resource Exhaustion

System Freeze or Crash Detected After High Resource Consumption (CPU, Memory, Storage)

Data Integrity and Storage Exploitation Threats

File or Data Integrity Check Failure

Unauthorized Modification of On-Orbit Update Binary

Multiple Failed Attempts to Access Encrypted Data

Storage Exhaustion (Disk Full)

Unusual File Encryption Activity Detected

Suspicious Activity Leading to Storage Exhaustion

Attitude Sensor Data and Actuator Behavior

Anomalous Frequency of Sensor Data Updates

Unexpected Change in Gyroscope Sensor Data

Abnormal Data Flow in Attitude Control Telemetry

Sensor Data Spike Detected

Discrepancy Between Redundant Sensor Systems

Flight Software Configuration Anomalies

Unexpected Audit Log Rotation

High Volume of Audit Log Entries Detected

Audit Log Capacity Limit Reached

Unauthorized Modification of Critical Onboard Values

Valid Command Flooding

Detection of flooding attacks on spacecraft systems using valid but excessive commands. Threat actors may send a high volume of valid commands to spacecraft subsystems, communication buses, or the link layer, leading to resource exhaustion such as CPU usage spikes, memory depletion, and increased battery consumption. These attacks can create temporary denial of service conditions by overwhelming the spacecraft's processing capabilities, preventing it from performing other critical operations. This tactic relies on the legitimate processing of valid commands to degrade spacecraft performance and operational availability. Since these are valid commands, the spacecraft will use processing power to validate and process them taking away CPU cycles from other tasks on the spacecraft.

STIX Pattern

[x-opencti-command-data:command_type = 'satellite_vehicle_command' AND x-opencti-command-data:command_frequency > 'expected_rate' AND x-opencti-command-data:source = 'external' AND x-opencti-command-data:command_validity = 'valid']

SPARTA TTPs

ID		Name	Description
EX-0001		Replay	Replay is the re-transmission of previously captured traffic, over RF links, crosslinks, or internal buses, to elicit the same processing and effects a second time. Adversaries first observe and record authentic exchanges (telecommands, ranging/acquisition frames, housekeeping telemetry acknowledgments, bus messages), then resend them within acceptance conditions that the system recognizes, matching link geometry, timetags, counters, or mode states. The aim can be functional (re-triggering an action such as a mode change), observational (fingerprinting how the vehicle reacts at different states), or disruptive (saturating queues and bandwidth to crowd out legitimate traffic). Because replays preserve valid syntax and often valid context, they can blend with normal operations, especially during periods with reduced monitoring or when counters and windows reset (e.g., handovers, safing entries). On encrypted links, metadata replays (acquisition beacons, schedule requests) may still yield informative responses.
EX-0001.01		Command Packets	Threat actors may resend authentic-looking telecommands that were previously accepted by the spacecraft. Captures may include whole command PDUs with framing, CRC/MAC, counters, and timetags intact, or they may be reconstructed from operator tooling and procedure logs. When timing, counters, and mode preconditions align, the replayed packet can cause the same effect: toggling relays, initiating safing or recovery scripts, adjusting tables, commanding momentum dumps, or scheduling delta-v events. Even when outright execution fails, repeated “near-miss” injections can map acceptance windows, rate/size limits, and interlocks by observing the spacecraft’s acknowledgments and state changes. At scale, streams of valid-but-stale commands can congest command queues, delay legitimate activity, or trigger nuisance FDIR responses.