Failed Credential Encryption in SLE Protocol

Detects that credentials in the CLTU-BIND message were transmitted without encryption, exposing them to capture and replay attacks. The Space Link Extension (SLE) protocol provides no built-in encryption for the data carried by its services: it was designed to extend space link operations between ground systems and to support operational efficiency, not to supply security mechanisms. Any protection (including encryption) therefore happens outside SLE, either as bulk encryption at the hardware layer or as an external transport security layer (e.g., IPsec or TLS) added on top of the communication channels. When such a layer is in place, the data exchanged between the SLE User (Mission Control System) and the SLE Provider (Ground Station) is protected in transit; when it is absent, the BIND credentials travel in the clear.

STIX Pattern

[network-traffic:dst_ref.value = 'SLE_Provider' AND network-traffic:encryption_status != 'encrypted']
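The pattern above, evaluated as detection logic over constructed flow records (an added example, not part of the original detection entry). The property names `encryption_status`, `sle_operation` and `has_credentials` are assumed fields mirroring the pattern's custom property, not standard STIX 2.1 properties; the sample flows are constructed, not captured traffic.

```python
"""Evaluate the page's STIX pattern over flattened network-traffic records
and narrow it to the case the title describes: CLTU-BIND credentials sent
to the SLE Provider without transport encryption."""
from dataclasses import dataclass
from typing import List

SLE_PROVIDER = "SLE_Provider"  # dst_ref.value used by the STIX pattern


@dataclass(frozen=True)
class NetworkTraffic:
    """One observed flow, flattened from a STIX network-traffic object.
    Field names are assumptions for this example."""
    src: str
    dst: str
    encryption_status: str   # 'encrypted' (IPsec/TLS present) or 'plaintext'
    sle_operation: str       # e.g. 'CLTU-BIND', 'CLTU-TRANSFER-DATA'
    has_credentials: bool    # BIND invocations carry the user's credentials


def matches_pattern(obs: NetworkTraffic) -> bool:
    """Literal evaluation of the two comparisons in the STIX pattern."""
    return obs.dst == SLE_PROVIDER and obs.encryption_status != "encrypted"


def unencrypted_bind_credentials(flows: List[NetworkTraffic]) -> List[NetworkTraffic]:
    """The pattern alone fires on any unencrypted traffic to the provider;
    this adds the BIND/credential conditions so only the real exposure alerts."""
    return [f for f in flows
            if matches_pattern(f)
            and f.sle_operation == "CLTU-BIND"
            and f.has_credentials]


# Constructed sample flows (not real data): one protected BIND, one BIND in
# the clear, one non-BIND operation in the clear, one BIND to another host.
SAMPLE_FLOWS = [
    NetworkTraffic("MCS", "SLE_Provider", "encrypted", "CLTU-BIND", True),
    NetworkTraffic("MCS", "SLE_Provider", "plaintext", "CLTU-BIND", True),
    NetworkTraffic("MCS", "SLE_Provider", "plaintext", "CLTU-TRANSFER-DATA", False),
    NetworkTraffic("MCS", "Other_Host", "plaintext", "CLTU-BIND", True),
]

if __name__ == "__main__":
    for hit in unencrypted_bind_credentials(SAMPLE_FLOWS):
        print(f"ALERT: credentials in {hit.sle_operation} sent in the clear "
              f"from {hit.src} to {hit.dst}")
```

Note that `matches_pattern` also fires on the plaintext CLTU-TRANSFER-DATA flow, so the raw pattern over-reports relative to its title; the narrowed function is what a SOC would page on.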

SPARTA TTPs

ID | Name | Description
--- | --- | ---
IA-0004.01 | Ground Station | Threat actors may establish a foothold within the backup ground/mission operations center (MOC) and then perform attacks to force primary communication traffic through the backup communication channel so that other TTPs can be executed (man-in-the-middle, malicious commanding, malicious code, etc.). An attacker would not necessarily need to force communications through the backup channel; they could instead wait until the backup is used for other reasons. Threat actors can also utilize compromised ground stations to chain command execution and payload delivery across geo-separated ground stations to extend reach and maintain access on spacecraft. The backup ground/MOC should be considered a viable attack vector, and the appropriate/equivalent security controls from the primary communication channel should be applied to the backup ground/MOC as well.
IA-0007 | Compromise Ground System | Threat actors may initially compromise the ground system in order to access the target spacecraft. Once compromised, the threat actor can perform a multitude of initial access techniques, including replay, compromising FSW deployment, compromising encryption keys, and compromising authentication schemes. Threat actors may also perform further reconnaissance within the system to enumerate mission networks and gather information related to ground station logical topology, missions run out of said ground station, birds that are in-band of targeted ground stations, and other mission system capabilities.
PER-0003 | Ground System Presence | Threat actors may compromise target-owned ground systems that can be used for persistent access to the spacecraft or to perpetuate other techniques. These ground systems have already been configured for communications to the victim spacecraft. By compromising this infrastructure, threat actors can stage, launch, and execute persistently.
EXF-0007 | Compromised Ground System | Threat actors may compromise target-owned ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems have already been configured for communications to the victim spacecraft. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration.