Exploit Hardware/Firmware Corruption

The adversary achieves execution or effect by corrupting or steering behavior beneath the software stack, in device firmware, programmable logic, or the hardware itself. Examples include tampering with firmware images or configuration blobs burned into non-volatile memory; targeting MCU/SoC boot ROM fallbacks; editing FPGA bitstreams or partial-reconfiguration frames; or leveraging physical phenomena and timing to flip bits or skip checks. Because these actions occur below or alongside the operating system and application FSW, traditional endpoint safeguards see normal interfaces while trust anchors are already altered.

Subtechniques ( 2 )

ID	Name
EX-0005.01	Design Flaws
EX-0005.02	Malicious Use of Hardware Commands

ID: EX-0005

Sub-techniques: EX-0005.01 | EX-0005.02

Notional Risk (H | M | L): 25 | 24 | 21

ⓘ

Tactic: Execution

Created: 2022/10/19

Last Modified: 2026/03/11

Countermeasures

ID	Name	Tiering	Description	NIST Rev5	ISO 27001	Onboard SV	Ground
CM0022	Criticality Analysis	Tier I	Conduct a criticality analysis to identify mission critical functions, critical components, and data flows and reduce the vulnerability of such functions and components through secure system design. Focus supply chain protection on the most critical components/functions. Leverage other countermeasures like segmentation and least privilege to protect the critical components.	CM-4 \| CP-2 \| CP-2(8) \| PL-7 \| PL-8 \| PL-8(1) \| PM-11 \| PM-17 \| PM-30 \| PM-30(1) \| PM-32 \| RA-3 \| RA-3(1) \| RA-9 \| SA-11 \| SA-11(3) \| SA-15(3) \| SA-2 \| SA-3 \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(25) \| SA-8(3) \| SA-8(30) \| SC-32(1) \| SC-7(29) \| SR-1 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(2) \| SR-3(3) \| SR-5(1) \| SR-7	A.8.9 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.5.30 \| 8.1 \| A.5.8 \| A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| 6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| A.5.22 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.22		YES
CM0024	Anti-counterfeit Hardware	Tier II	Develop and implement anti-counterfeit policy and procedures designed to detect and prevent counterfeit components from entering the information system, including tamper resistance and protection against the introduction of malicious code or hardware.	AC-14 \| AC-20(5) \| CM-7(9) \| PL-8 \| PL-8(1) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-10(3) \| SA-10(4) \| SA-11 \| SA-3 \| SA-4(5) \| SA-8 \| SA-8(11) \| SA-8(13) \| SA-8(16) \| SA-9 \| SR-1 \| SR-10 \| SR-11 \| SR-11(3) \| SR-2 \| SR-2(1) \| SR-3 \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(2) \| SR-6(1) \| SR-9 \| SR-9(1)	A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29		YES
CM0025	Supplier Review	Tier II	Conduct a supplier review prior to entering into a contractual agreement with a contractor (or sub-contractor) to acquire systems, system components, or system services.	PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-11 \| SA-11(3) \| SA-17 \| SA-2 \| SA-3 \| SA-8 \| SA-9 \| SR-11 \| SR-3(1) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2) \| SR-6	A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| A.8.25 \| A.8.27 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22		YES
CM0026	Original Component Manufacturer	Tier II	Components/Software that cannot be procured from the original component manufacturer or their authorized franchised distribution network should be approved by the supply chain board or equivalent to prevent and detect counterfeit and fraudulent parts, materials, and software.	AC-20(5) \| PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-10(4) \| SA-11 \| SA-3 \| SA-8 \| SA-9 \| SR-1 \| SR-11 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(1) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2)	A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29		YES
CM0027	ASIC/FPGA Manufacturing	Tier II	Application-Specific Integrated Circuit (ASIC) / Field Programmable Gate Arrays should be developed by accredited trusted foundries to limit potential hardware-based trojan injections.	AC-14 \| PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-10(3) \| SA-11 \| SA-3 \| SA-8 \| SA-8(11) \| SA-8(13) \| SA-8(16) \| SA-9 \| SI-3 \| SI-3(10) \| SR-1 \| SR-11 \| SR-2 \| SR-2(1) \| SR-3 \| SR-5 \| SR-5(2) \| SR-6(1)	A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| A.8.7 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29		YES
CM0028	Tamper Protection	Tier II	Perform physical inspection of hardware to look for potential tampering. Leverage tamper proof protection where possible when shipping/receiving equipment. Anti-tamper mechanisms are also critical for protecting software from unauthorized alterations. Techniques for preventing software tampering include code obfuscation, integrity checks, runtime integrity monitoring (e.g. self-checking code, watchdog processes, etc.) and more.	AC-14 \| AC-25 \| CA-8(1) \| CA-8(3) \| CM-7(9) \| MA-7 \| PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-10(3) \| SA-10(4) \| SA-11 \| SA-3 \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(11) \| SA-8(13) \| SA-8(16) \| SA-8(19) \| SA-8(31) \| SA-9 \| SC-51 \| SR-1 \| SR-10 \| SR-11 \| SR-11(3) \| SR-2 \| SR-2(1) \| SR-3 \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(2) \| SR-6(1) \| SR-9 \| SR-9(1)	A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29	YES
CM0018	Dynamic Testing	Tier I	Employ dynamic analysis (e.g., using simulation, penetration testing, fuzzing, etc.) to identify software/firmware weaknesses and vulnerabilities in developed and incorporated code (open source, commercial, or third-party developed code). Testing should occur (1) on potential system elements before acceptance; (2) as a realistic simulation of known adversary tactics, techniques, procedures (TTPs), and tools; and (3) throughout the lifecycle on physical and logical systems, elements, and processes. FLATSATs as well as digital twins can be used to perform the dynamic analysis depending on the TTPs being executed. Digital twins via instruction set simulation (i.e., emulation) can provide robust environment for dynamic analysis and TTP execution.	CA-8 \| CA-8(1) \| CM-4(2) \| CP-4(5) \| RA-3 \| RA-5(11) \| RA-7 \| SA-11 \| SA-11(3) \| SA-11(5) \| SA-11(8) \| SA-11(9) \| SA-3 \| SA-8 \| SA-8(30) \| SC-2(2) \| SC-7(29) \| SI-3 \| SI-3(10) \| SI-7 \| SR-6(1)	6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.8.7		YES
CM0032	On-board Intrusion Detection & Prevention	Tier I	Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system.	AU-14 \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(2) \| AU-5(5) \| AU-6(1) \| AU-6(4) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| CA-7(6) \| CM-11(3) \| CP-10 \| CP-10(4) \| IR-4 \| IR-4(11) \| IR-4(12) \| IR-4(14) \| IR-4(5) \| IR-5 \| IR-5(1) \| PL-8 \| PL-8(1) \| RA-10 \| RA-3(4) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SC-16(2) \| SC-32(1) \| SC-5 \| SC-5(3) \| SC-7(10) \| SC-7(9) \| SI-10(6) \| SI-16 \| SI-17 \| SI-3 \| SI-3(10) \| SI-3(8) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(13) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-4(7) \| SI-6 \| SI-7(17) \| SI-7(8)	A.8.15 \| A.8.15 \| A.8.6 \| A.8.17 \| A.5.33 \| A.8.15 \| A.8.15 \| A.5.29 \| A.5.25 \| A.5.26 \| A.5.27 \| A.5.8 \| A.5.7 \| A.8.12 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16	YES
CM0014	Secure boot	Tier I	Software/Firmware must verify a trust chain that extends through the hardware root of trust, boot loader, boot configuration file, and operating system image, in that order. The trusted boot/RoT computing module should be implemented on radiation tolerant burn-in (non-programmable) equipment.	AC-14 \| PL-8 \| PL-8(1) \| SA-8(10) \| SA-8(12) \| SA-8(13) \| SA-8(3) \| SA-8(30) \| SA-8(4) \| SC-51 \| SI-7 \| SI-7(1) \| SI-7(10) \| SI-7(9)	A.5.8		YES

Indicators of Behavior

ID	Name	Description	STIX Pattern
UACE-1	Hardware Command Executed Outside Authorized Schedule	Detects hardware commands being executed outside predefined authorized time windows, potentially indicating unauthorized or malicious activity. Hardware commands should be few and far between and should occur only when expected/planned.	[x-opencti-command-log:command = 'hw_cmd_execute' AND x-opencti-command-log:execution_time != 'authorized_time']
UACE-2	Unauthorized Hardware Command-Induced Configuration Change	This monitors for hardware commands issued to reconfigure any system component. It specifically detects deviations from established baseline configurations, which may suggest tampering, unauthorized reprogramming, or exploitation of the system via hardware command injection.	[x-opencti-command-log:command = 'hw_cmd_configure' AND x-opencti-system:configuration != 'baseline_configuration']
GNTM-8	Anomalous Hardware Clock Behavior	Identifies abnormal changes in clock speed, indicative of clock glitching attempts. Clock Glitching is a fault injection method where an attacker or a security evaluator alters the operating frequency of a target.	[x-opencti-hardware-log:clock_speed != 'expected_speed']
MIRE-1	Anomalous Flash Write Operations Detected in Short Timeframe	Detection of a high number of flash write operations in a short timeframe, indicating a coordinated effort to overwrite the spacecraft's flash memory entirely. This behavior is typical of wiper malware aiming to destroy all flash data.	[x-opencti-memory:block = 'flash_memory' AND x-opencti-memory:write_operation_count > 'threshold' AND x-opencti-memory:write_duration < 'threshold']
MIRE-2	Anomalous Flash/EEPROM Memory Checksums Detected	Detection of a checksum mismatch for the flight software's flash / eeprom memory partitions. This could indicate that both the primary and redundant partitions have been corrupted by the malicious action, leading to a permanent denial of service (DoS).	[x-opencti-memory:table_ref.name = 'flash_memory' OR x-opencti-memory:table_ref.name = 'eeprom_memory' AND x-opencti-memory:checksum != 'expected_checksum']
MIRE-3	Unusual Access Frequency to Critical Memory Regions	Monitors for excessive access to critical memory regions, which may indicate malicious activities. On a spacecraft, consistent and unexpected access (read or write) to critical memory regions could indicate malicious activities by malware.	[x-opencti-memory:access_frequency > 'expected_rate' AND x-opencti-memory:memory_region != 'expected']
MIRE-4	Skipped Boot Integrity Check	Detects cases where boot / firmware integrity checks are bypassed, potentially due to a glitching or other attacks.	[x-opencti-memory:block = 'boot' AND x-opencti-memory:integrity_check = 'skipped']
MIRE-9	Failed Boot Memory Validation	Detection of boot memory validation failure, indicating that boot memory has been tampered with to bypass internal processes. This is similar to integrity failure detection but this is the overall boot process failing validation using whatever steps are established (i.e., digital signature, cryptography, etc.)	[x-opencti-system:boot_memory_validation = 'failed']
MIRE-10	Anomalous Boot Sequence Execution	Detection of an unexpected boot sequence, indicating potential tampering or manipulation of boot memory during system startup.	[x-opencti-system:boot_sequence = 'unexpected']
SIUU-1	Unexpected Hardware Interrupt Trigger	Monitors for unexpected hardware interrupts, which may indicate an attacker exploiting design flaws to disrupt operational workflows.	[x-opencti-hardware-interrupt:triggered = true AND x-opencti-hardware-interrupt:source != 'authorized_source']
SIUU-2	Unexpected System Integrity Failures in Software	Detection of failed integrity checks during spacecraft software execution, potentially indicating that the software has been modified to include a backdoor or malicious code	[x-opencti-software:integrity_check = 'failed' AND x-opencti-software:name = 'spacecraft_software']
SIUU-3	Security Feature Bypass Detected in Hardware Design	Monitors for security features being disabled in the hardware layer, possibly indicating design flaws being leveraged.	[x-opencti-hardware:security_feature_status != 'enabled']
SIUU-8	Malicious Code via New Process	Code execution detected from an unexpected source / process, possibly indicating unauthorized or malicious code running on the spacecraft.	[x-opencti-logs:event_type = 'code_execution' AND x-opencti-processor-usage:activity_type = 'unexpected' AND x-opencti-processor-usage:process_name NOT IN ('list_of_known_processes')]
SIUU-22	Abnormal Subsystem Behavior Following Malicious Code Execution	Detection of abnormal or unexpected behavior in critical spacecraft subsystems (e.g., attitude control, power management) after malicious code execution. This pattern indicates a direct impact on spacecraft subsystems following the activation of the malicious code.	[x-opencti-subsystem-log:status != 'expected' AND process:image_ref.name = 'malicious_process']
SIUU-23	Detection of Unauthorized Hardware Debugging	Identifies unauthorized activation of hardware debugging features, which could facilitate backdoor access. This pattern checks if the hardware debugging mode is activated at an unexpected time (activation_time != 'expected_time'). It is useful for scenarios where debugging activity might occur outside of predefined operational windows, potentially signaling malicious activity or tampering.	[x-opencti-hardware-log:debug_mode = true AND x-opencti-hardware-log:activation_time != 'expected_time']
SIUU-24	Suspicious Firmware Version Rollback	Firmware updates will oftentimes include fixes to security vulnerabilities, meaning that past versions will contain security threats to the devices. If a threat actor can initiate a firmware update on the device, they may be able to 'upgrade' to a previous firmware version with known vulnerabilities. By completing an 'upgrade' to a version with vulnerabilities, the threat actor could then potentially exploit that device to gain additional access or privileges.	[x-opencti-firmware-log:version != 'latest_version' AND x-opencti-firmware-log:rollback_attempt = true]
SMSR-1	Sensor Data Exceeds Operational Ranges	Tracks sensor readings that exceed acceptable operational limits, potentially disrupting spacecraft functionality. Detects sensor data values falling outside predefined operational ranges, potentially indicating spoofing.	[x-opencti-sensor-data:value NOT IN ('expected_min','expected_max')]

Priority 1	Priority 2	Priority 3	Priority 4
CWE-1263: Improper Physical Access Control	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172: Encoding Error
CWE-20: Improper Input Validation
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit Hardware/Firmware Corruption

Subtechniques ( 2 )

Countermeasures

Related CWE Classes

Related Aerospace Threat ID

Related MITRE ATT&CK TTPs

Related ESA SPACE-SHIELD TTPs

Related MITRE EMB3D Threats

Related BSI Threats

Indicators of Behavior

References