Threat actor is trying to establish resources they can use to support operations.
| ID | Name | Description | |
| RD-0001 | Acquire Infrastructure | Adversaries assemble the people, platforms, and plumbing they will later use to observe, reach, or impersonate mission components. Infrastructure spans RF and optical ground assets (antennas, modems, timing sources, front-ends), compute and storage (on-prem and cloud), network presence (leased ASNs/IP space, VPS fleets, CDN relays), identity fabric (burner accounts, domains, certificates), and fabrication/test environments for hardware and software. They favor assets that are inexpensive, deniable, and geographically diverse, mixing self-hosted gear with commercial services and compromised third-party systems. To support spacecraft operations, they may build SDR-based labs that replicate waveforms and framing, stage command/telemetry tooling behind traffic mixers, and pre-position data pipelines for collection and analysis. The objective is persistence and flexibility: the ability to pivot between reconnaissance, delivery, and command with minimal attribution risk. | |
| .01 | Ground Station Equipment | Rather than compromising existing stations, adversaries may acquire or assemble their own RF ground stack. Typical building blocks include: steerable mounts with auto-track, time/frequency standards, band-appropriate antennas and feeds, LNAs and filters at the feed, low-loss IF chains, T/R switching, medium/high-power amplifiers with protection and telemetry, and weather protection. Baseband equipment often mixes SDRs with commercial modems to generate/capture mission waveforms and framing; signal generators and spectrum analyzers support calibration and banner-grabbing. On the digital side, ground data processors translate captured frames to packetized formats for analysis and rehearsal. With this kit, an actor can passively collect, actively probe, or attempt spoofing if link-layer authentication is weak. | |
| .02 | Commercial Ground Station Services | Instead of building dishes, adversaries may rent time on commercial ground networks or cloud-integrated “ground-station-as-a-service.” Access can be obtained legitimately (front companies, weak vetting) or via compromised customer accounts, allowing schedule requests, RF front-end configuration, and data egress through reputable providers. The appeal is speed, global reach, and plausible deniability; the risk to defenders is that traffic originates from expected stations and IP ranges. Misuse may include reconnaissance (passive capture), selective denial (misconfiguration or saturation attempts), or, where authentication is weak, unauthorized commanding. | |
| .03 | Spacecraft | A well-resourced actor may field their own spacecraft or hosted payload to gain proximity, visibility, or RF leverage. Small satellites can be launched into nearby planes or phasing orbits to observe emissions, perform spectrum measurements, or test spoofing and denial techniques at short range. Hosted payloads on commercial buses provide co-location without full spacecraft development. Proximity also enables on-orbit relay, crosslink probing, or attempts to exploit weak segmentation between payload and bus on rideshares. Regulatory and tracking regimes complicate overt misuse, but shell companies, benign-seeming mission declarations, or flags of convenience can mask intent. | |
| .04 | Launch Facility | In practice, adversaries are far more likely to purchase launch services (rideshare slots, hosted-payload opportunities) than to “acquire a launch facility.” Nevertheless, understanding and exploiting launch infrastructure, pads, integration cells, range networks, and control centers, could support resource development (e.g., positioning an asset, staging equipment near range telemetry). The realistic objective is influence over access to orbit, schedule, or integration touchpoints rather than ownership of a pad. Shell entities might book benign-sounding rides, insert dual-use payloads, or seek special handling that relaxes controls. | |
| RD-0002 | Compromise Infrastructure | Rather than purchasing or renting assets, adversaries compromise existing infrastructure, mission-owned, third-party, or shared, to obtain ready-made reach into space, ground, or cloud environments with the benefit of plausible attribution. Targets range from physical RF chains and timing sources to mission control servers, automation/scheduling systems, SLE/CSP gateways, identity providers, and cloud data paths. Initial access often comes via stolen credentials, spear-phishing of operators and vendors, exposed remote-support paths, misconfigured multi-tenant platforms, or lateral movement from enterprise IT into operations enclaves. Once resident, actors can pre-position tools, modify configurations, suppress logging, and impersonate legitimate stations or operators to support later Execution, Exfiltration, or Denial. | |
| .01 | Mission-Operated Ground System | Compromising a mission’s own ground system grants the adversary preconfigured access to TT&C and automation. High-value targets include operator workstations, mission control servers, procedure libraries, scheduler/orchestration services, key-loading tools and HSMs, antenna control systems, timing/distribution, and RF modems/baseband units. Typical paths: phishing an operator or contractor, abusing remote-support channels, pivoting from enterprise IT to ops, exploiting unpatched services on enclave gateways, or harvesting credentials from poorly segmented test environments. Once inside, an actor can stage malicious procedures, alter rate/size limits, manipulate pass schedules, downgrade authentication in maintenance modes, or quietly siphon telemetry and ephemerides to refine later attacks. | |
| .02 | 3rd Party Ground System | Third-party networks (commercial ground stations, hosted modems, cloud-integrated ground-station services) present attractive stepping-stones: they already have vetted RF chains, globally distributed apertures, and trusted IP space. Adversaries may acquire customer credentials via phishing or purchase, exploit weak vetting to create front-company accounts, or compromise provider portals/APIs to submit schedules, alter front-end settings, or exfiltrate collected data. Because traffic originates from “expected” stations and ASN ranges, misuse blends into normal operations. Multi-tenant risks include configuration bleed-over and shared management planes. | |
| .03 | 3rd-Party Spacecraft | By compromising another operator’s spacecraft, or a hosted payload, an adversary can gain proximity, sensing, and relay capabilities that are costly to build from scratch and difficult to attribute. With control of an on-orbit asset, the actor may conduct local spectrum measurement and traffic analysis, attempt selective interference or spoofing at short range, or probe crosslinks and gateways where payload networks bridge to buses. In rideshare or hosted-payload contexts, weak segmentation and shared ground paths can provide insight into neighboring missions. More aggressive scenarios include remote proximity operations (RPO) to achieve advantageous geometry; however, physical grappling, docking, or exposure of debug/test interfaces is highly specialized and rare, with significant safety, legal, and tracking implications. Realistic attacker goals emphasize adjacency for RF leverage, covert relay, or data theft rather than mechanical capture. | |
| RD-0003 | Obtain Cyber Capabilities | Adversaries acquire ready-made tools, code, and knowledge so they can move faster and with lower attribution when operations begin. Capabilities span commodity malware and loaders, bespoke implants for mission control mission control and ground enclaves, privilege-escalation and lateral-movement kits, SDR/codec stacks for TT&C and payload links, fuzzers and protocol harnesses, exploit chains for RTOS/middleware and ground services, and databases of configuration playbooks from prior intrusions. Actors prefer modular kits that can be re-skinned (new C2, new certs) and exercised in flatsat or SIL/HIL labs before use. They also collect operational “how-tos”, procedures, scripts, and operator macros, that convert technical access into mission effects. | |
| .01 | Exploit/Payload | Threat actors obtain or adapt exploits (the trigger) and payloads (the action after exploitation) for space, ground, and cloud components. Targets include flight software parsers and table loaders, bootloaders and patch/update handlers, bus gateways, payload controllers, and ground services. Payloads may be binaries, scripts, or command/procedure sequences that alter modes, bypass FDIR, or stage follow-on access; they can also be “data payloads” that exploit weak validation (malformed tables, ephemeris, or calibration products). Acquisition paths mirror the broader market, brokered N-day/0-day packages, open-source exploits re-tooled for mission stacks, and theft from vendors or researchers. Actors tune timing, size/rate limits, and anti-replay nuances so delivery fits pass windows and link budgets, and they rehearse on flatsats to achieve deterministic outcomes. | |
| .02 | Cryptographic Keys | Adversaries seek any cryptographic material that confers command or decryption authority: uplink authentication/MAC keys and counters, link-encryption/session keys and KEKs, loading/transfer keys for HSMs, PN/spreading codes, modem credentials, and station or crosslink keys. Acquisition routes include compromised ground systems and laptops, misconfigured repositories and ticket systems, memory/core dumps, training datasets and screenshots, contractor support channels, and poorly controlled key-loading or recovery procedures. Because some missions authenticate uplink without encrypting it, possession of the right keys/counters may be sufficient to inject accepted commands outside official channels or to desynchronize anti-replay. | |
| RD-0004 | Stage Capabilities | Before execution, adversaries prepare the ground, literally and figuratively. They upload tooling, exploits, procedures, and datasets to infrastructure they own or have compromised, wire up C2 and telemetry pipelines, and pre-configure RF/baseband chains and protocol stacks to match mission parameters. Staging often uses cloud object stores, VPS fleets, or CI/CD runners masquerading as benign automation; artifacts are containerized or signed with hijacked material to blend in. For RF operations, actors assemble demod/encode flowgraphs, precompute CRC/MAC fields and timetags, and script rate/size pacing to fit pass windows. For ground/cloud, they stage credentials, macros, and schedule templates that can push changes or exfiltrate data quickly during handovers or safing. Dry-runs on flatsats/HIL rigs validate timing and error paths; OPSEC measures (rotating domains, domain fronting, traffic mixers) reduce attribution. | |
| .01 | Identify/Select Delivery Mechanism | Adversaries select the pathway that best balances effect, risk, bandwidth, and attribution. Options include over-the-air telecommand injection on TT&C links, manipulation of payload downlinks or user terminals, abuse of crosslinks or gateways, pivoting through commercial ground networks, or pushing malicious updates via supply-chain paths (software, firmware, bitstreams). Selection considers modulation/coding, Doppler and polarization, anti-replay windows, pass geometry, rate/size limits, and expected operator workload (handover, LEOP, safing exits). For ground/cloud paths, actors account for identity boundaries, automation hooks, and change-control cadence. The “delivery mechanism” is end-to-end: RF front-end (antenna, converters, HPAs), baseband/SDR chain, protocol/framing, authentication/counter handling, scheduling, and fallbacks if detection occurs. Rehearsal artifacts, test vectors, mock dictionaries, ephemerides, are built alongside. | |
| .02 | Upload Exploit/Payload | Having chosen a path, adversaries pre-position the specific packages and procedures they intend to use: binary exploits, malicious tables and ephemerides, patch images, modem profiles, and operator macros that chain actions. On compromised or leased infrastructure, they stage these items where execution will be fastest, provider portals, scheduler queues, ground station file drops, or automation repos, with triggers tied to pass start, beacon acquisition, or operator shift changes. Artifacts are formatted to mission protocols (framing, CRC/MAC, timetags), chunked to meet rate/size constraints, and signed or wrapped to evade superficial checks. Anti-forensics (timestamp tampering, log suppression, ephemeral storage) reduce audit visibility, while fallback payloads are kept for alternate modes (safe-mode dictionaries, recovery consoles). | |
| RD-0005 | Obtain Non-Cyber Capabilities | Adversaries may pursue non-cyber counterspace means to create access, leverage, or effects that complement cyber operations. These capabilities span kinetic physical (e.g., direct-ascent or co-orbital interceptors and attacks on ground segments), non-kinetic physical (e.g., lasers, high-power microwave/EMP), and electronic warfare (jamming and spoofing). Each class differs in required resources, detectability, attribution, and the permanence of effects, from reversible interference to irreversible destruction. A pragmatic actor mixes methods: electronic attack to mask or distract, directed energy to blind sensors or upset electronics, and, at the top end, kinetic capabilities to hold assets at risk. Resource development may involve acquisition, partnering, or covert access to such systems; rehearsals are often framed as testing or calibration. | |
| .01 | Launch Services | Rather than “owning a pad,” a realistic path is purchasing launch services (rideshare, hosted payload) to place inspection or relay assets where they confer RF, optical, or proximity advantage. Launch providers deliver integration, testing, and scheduling; an actor can use benign mission covers to field small satellites that measure local spectrum, perform on-orbit characterization of target emissions, or support later rendezvous and proximity operations. The resource being developed is access to vantage points, not just spaceflight hardware. | |
| .02 | Non-Kinetic Physical ASAT | Non-kinetic physical ASATs damage or degrade without contact, typically via directed energy or intense electromagnetic effects. Ground- or space-based lasers can dazzle or blind optical sensors; high-power microwave or related electromagnetic systems can disrupt or permanently damage susceptible electronics; some concepts aim to generate broader electromagnetic effects. These attacks propagate at light speed, can be tuned for reversible or lasting impact, and may leave limited forensic residue, complicating verification and attribution. Actors who obtain or partner for such systems can pair them with cyber operations (e.g., blind a star tracker while injecting misleading commands) to amplify effect. | |
| .03 | Kinetic Physical ASAT | Kinetic capabilities physically strike space or ground elements. In space, direct-ascent systems launch from Earth to intercept a satellite on orbit; co-orbital systems maneuver in space to approach and impact a target. On the ground, kinetic attacks can target stations or support infrastructure. These actions are generally easier to detect and attribute and often produce persistent, hazardous debris in orbit, especially at higher altitudes, making them strategically escalatory. Actors developing or accessing such capabilities gain credible coercive power but at significant political and operational cost. | |
| .04 | Electronic ASAT | Electronic ASAT attacks target the communications lifelines of space systems rather than their structures: jamming raises the noise floor to deny service; spoofing crafts believable but false signals (navigation, timing, or control). These effects are usually transient and can be difficult to attribute quickly, yet they are operationally useful and comparatively inexpensive. Actors may obtain portable or fixed jammers, high-gain antennas with agile waveforms, and specialized signal-processing toolchains; from orbit, a nearby asset can deliver highly selective interference. | |