Compromised Developer Site

By breaching development or integration environments (at the mission owner, contractor, or partner), the adversary gains access to source code, test vectors, telemetry captures, build artifacts, documentation, and configuration data, material that is often more complete than flight archives. Beyond theft of intellectual property, the attacker can embed telemetry taps, extended logging, or data “export” features into test harnesses, simulators, or flight builds so that, once fielded, the system produces extra observables or forwards content to non-mission endpoints. This activity typically occurs pre-launch during software production and ATLO, positioning exfiltration mechanisms to activate later in flight.

ID: EXF-0008

Sub-techniques: No sub-techniques

Notional Risk (H | M | L): 24 | 21 | 17

ⓘ

Tactic: Exfiltration

Created: 2022/10/19

Last Modified: 2026/03/11

Countermeasures

ID	Name	Tiering	Description	NIST Rev5	ISO 27001	Onboard SV	Ground
CM0001	Protect Sensitive Information	Tier I	Organizations should look to identify and properly classify mission sensitive design/operations information (e.g., fault management approach) and apply access control accordingly. Any location (ground system, contractor networks, etc.) storing design information needs to ensure design info is protected from exposure, exfiltration, etc. Space system sensitive information may be classified as Controlled Unclassified Information (CUI) or Company Proprietary. Space system sensitive information can typically include a wide range of candidate material: the functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of uplink protection including any disabling/bypass features, failure/anomaly resolution, and any other sensitive information related to architecture, software, and flight/ground /mission operations. This could all need protection at the appropriate level (e.g., unclassified, CUI, proprietary, classified, etc.) to mitigate levels of cyber intrusions that may be conducted against the project’s networks. Stand-alone systems and/or separate database encryption may be needed with controlled access and on-going Configuration Management to ensure changes in command procedures and critical database areas are tracked, controlled, and fully tested to avoid loss of science or the entire mission. Sensitive documentation should only be accessed by personnel with defined roles and a need to know. Well established access controls (roles, encryption at rest and transit, etc.) and data loss prevention (DLP) technology are key countermeasures. The DLP should be configured for the specific data types in question.	AC-25 \| AC-3(11) \| AC-4(23) \| AC-4(25) \| AC-4(6) \| CA-3 \| CM-12 \| CM-12(1) \| PL-8 \| PL-8(1) \| PM-11 \| PM-17 \| SA-3 \| SA-3(1) \| SA-3(2) \| SA-4(12) \| SA-5 \| SA-8 \| SA-8(19) \| SA-9(7) \| SC-16 \| SC-16(1) \| SC-8(1) \| SC-8(3) \| SI-12 \| SI-21 \| SI-23 \| SR-12 \| SR-7	A.8.4 \| A.8.11 \| A.8.10 \| A.5.14 \| A.8.21 \| A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.33 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.27 \| A.8.28 \| A.5.33 \| A.8.10 \| A.5.22	YES
CM0030	Crypto Key Management	Tier I	Leverage best practices for crypto key management as defined by organization like NIST or the National Security Agency. Leverage only approved cryptographic algorithms, cryptographic key generation algorithms or key distribution techniques, authentication techniques, or evaluation criteria. Encryption key handling should be performed outside of the onboard software and protected using cryptography. Encryption keys should be restricted so that they cannot be read via any telecommands.	CM-3(6) \| PL-8 \| PL-8(1) \| SA-3 \| SA-4(5) \| SA-8 \| SA-9(6) \| SC-12 \| SC-12(1) \| SC-12(2) \| SC-12(3) \| SC-12(6) \| SC-28(3) \| SC-8(1)	A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.33 \| A.8.24	YES
CM0004	Development Environment Security	Tier I	In order to secure the development environment, the first step is understanding all the devices and people who interact with it. Maintain an accurate inventory of all people and assets that touch the development environment. Ensure strong multi-factor authentication is used across the development environment, especially for code repositories, as threat actors may attempt to sneak malicious code into software that's being built without being detected. Use zero-trust access controls to the code repositories where possible. For example, ensure the main branches in repositories are protected from injecting malicious code. A secure development environment requires change management, privilege management, auditing and in-depth monitoring across the environment.	AC-17 \| AC-18 \| AC-20(5) \| AC-3(11) \| AC-3(13) \| AC-3(15) \| CA-8 \| CA-8(1) \| CM-11 \| CM-14 \| CM-2(2) \| CM-3(2) \| CM-3(7) \| CM-3(8) \| CM-4(1) \| CM-5(6) \| CM-7(8) \| CP-2(8) \| MA-7 \| PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| RA-3(2) \| RA-5 \| RA-5(2) \| RA-9 \| SA-10 \| SA-10(4) \| SA-11 \| SA-11(1) \| SA-11(2) \| SA-11(4) \| SA-11(5) \| SA-11(6) \| SA-11(7) \| SA-11(8) \| SA-15 \| SA-15(3) \| SA-15(5) \| SA-15(7) \| SA-15(8) \| SA-17 \| SA-3 \| SA-3(1) \| SA-3(2) \| SA-4(12) \| SA-4(3) \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(19) \| SA-8(30) \| SA-8(31) \| SA-9 \| SC-38 \| SI-2 \| SI-2(6) \| SI-7 \| SR-1 \| SR-11 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(2) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(2) \| SR-6 \| SR-6(1) \| SR-7	A.8.4 \| A.5.14 \| A.6.7 \| A.8.1 \| A.5.14 \| A.8.1 \| A.8.20 \| A.8.9 \| A.8.9 \| A.8.31 \| A.8.19 \| A.5.30 \| A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.8.8 \| A.5.22 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.33 \| A.8.28 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.9 \| A.8.28 \| A.8.30 \| A.8.32 \| A.8.29 \| A.8.30 \| A.8.28 \| A.5.8 \| A.8.25 \| A.8.28 \| A.8.25 \| A.8.27 \| A.6.8 \| A.8.8 \| A.8.32 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22 \| A.5.22		YES
CM0005	Ground-based Countermeasures	Tier II	This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://csrc.nist.gov/pubs/ir/8401/final). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks.	AC-1 \| AC-10 \| AC-11 \| AC-11(1) \| AC-12 \| AC-12(1) \| AC-14 \| AC-16 \| AC-16(6) \| AC-17 \| AC-17(1) \| AC-17(10) \| AC-17(2) \| AC-17(3) \| AC-17(4) \| AC-17(6) \| AC-17(9) \| AC-18 \| AC-18(1) \| AC-18(3) \| AC-18(4) \| AC-18(5) \| AC-19 \| AC-19(5) \| AC-2 \| AC-2(1) \| AC-2(11) \| AC-2(12) \| AC-2(13) \| AC-2(2) \| AC-2(3) \| AC-2(9) \| AC-20 \| AC-20(1) \| AC-20(2) \| AC-20(3) \| AC-20(5) \| AC-21 \| AC-22 \| AC-3 \| AC-3(11) \| AC-3(13) \| AC-3(15) \| AC-3(4) \| AC-4 \| AC-4(23) \| AC-4(24) \| AC-4(25) \| AC-4(26) \| AC-4(31) \| AC-4(32) \| AC-6 \| AC-6(1) \| AC-6(10) \| AC-6(2) \| AC-6(3) \| AC-6(5) \| AC-6(8) \| AC-6(9) \| AC-7 \| AC-8 \| AT-2(4) \| AT-2(5) \| AT-2(6) \| AT-3 \| AT-3(2) \| AT-4 \| AU-10 \| AU-11 \| AU-12 \| AU-12(1) \| AU-12(3) \| AU-14 \| AU-14(1) \| AU-14(3) \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(1) \| AU-5(2) \| AU-5(5) \| AU-6 \| AU-6(1) \| AU-6(3) \| AU-6(4) \| AU-6(5) \| AU-6(6) \| AU-7 \| AU-7(1) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| AU-9(4) \| CA-3 \| CA-3(6) \| CA-3(7) \| CA-7 \| CA-7(1) \| CA-7(6) \| CA-8 \| CA-8(1) \| CA-9 \| CM-10(1) \| CM-11 \| CM-11(2) \| CM-11(3) \| CM-12 \| CM-12(1) \| CM-14 \| CM-2 \| CM-2(2) \| CM-2(3) \| CM-2(7) \| CM-3 \| CM-3(1) \| CM-3(2) \| CM-3(4) \| CM-3(5) \| CM-3(6) \| CM-3(7) \| CM-3(8) \| CM-4 \| CM-5(1) \| CM-5(5) \| CM-6 \| CM-6(1) \| CM-6(2) \| CM-7 \| CM-7(1) \| CM-7(2) \| CM-7(3) \| CM-7(5) \| CM-7(8) \| CM-7(9) \| CM-8 \| CM-8(1) \| CM-8(2) \| CM-8(3) \| CM-8(4) \| CM-9 \| CP-10 \| CP-10(2) \| CP-10(4) \| CP-2 \| CP-2(2) \| CP-2(5) \| CP-2(8) \| CP-3(1) \| CP-4(1) \| CP-4(2) \| CP-4(5) \| CP-8 \| CP-8(1) \| CP-8(2) \| CP-8(3) \| CP-8(4) \| CP-8(5) \| CP-9 \| CP-9(1) \| CP-9(2) \| CP-9(3) \| IA-11 \| IA-12 \| IA-12(1) \| IA-12(2) \| IA-12(3) \| IA-12(4) \| IA-12(5) \| IA-12(6) \| IA-2 \| IA-2(1) \| IA-2(12) \| IA-2(2) \| IA-2(5) \| IA-2(6) \| IA-2(8) \| IA-3 \| IA-3(1) \| IA-4 \| IA-4(9) \| IA-5 \| IA-5(1) \| IA-5(13) \| IA-5(14) \| IA-5(2) \| IA-5(7) \| IA-5(8) \| IA-6 \| IA-7 \| IA-8 \| IR-2 \| IR-2(2) \| IR-2(3) \| IR-3 \| IR-3(1) \| IR-3(2) \| IR-3(3) \| IR-4 \| IR-4(1) \| IR-4(10) \| IR-4(11) \| IR-4(12) \| IR-4(13) \| IR-4(14) \| IR-4(3) \| IR-4(4) \| IR-4(5) \| IR-4(6) \| IR-4(7) \| IR-4(8) \| IR-5 \| IR-5(1) \| IR-6 \| IR-6(1) \| IR-6(2) \| IR-7 \| IR-7(1) \| IR-8 \| MA-2 \| MA-3 \| MA-3(1) \| MA-3(2) \| MA-3(3) \| MA-4 \| MA-4(1) \| MA-4(3) \| MA-4(6) \| MA-4(7) \| MA-5(1) \| MA-6 \| MA-7 \| MP-2 \| MP-3 \| MP-4 \| MP-5 \| MP-6 \| MP-6(3) \| MP-7 \| PE-3(7) \| PL-10 \| PL-11 \| PL-8 \| PL-8(1) \| PL-8(2) \| PL-9 \| PM-11 \| PM-16(1) \| PM-17 \| PM-30 \| PM-30(1) \| PM-31 \| PM-32 \| RA-10 \| RA-3(1) \| RA-3(2) \| RA-3(3) \| RA-3(4) \| RA-5 \| RA-5(10) \| RA-5(11) \| RA-5(2) \| RA-5(4) \| RA-5(5) \| RA-7 \| RA-9 \| SA-10 \| SA-10(1) \| SA-10(2) \| SA-10(7) \| SA-11 \| SA-11(2) \| SA-11(4) \| SA-11(7) \| SA-11(9) \| SA-15 \| SA-15(3) \| SA-15(7) \| SA-17 \| SA-2 \| SA-22 \| SA-3 \| SA-3(1) \| SA-3(2) \| SA-4 \| SA-4(1) \| SA-4(10) \| SA-4(12) \| SA-4(2) \| SA-4(3) \| SA-4(5) \| SA-4(7) \| SA-4(9) \| SA-5 \| SA-8 \| SA-8(14) \| SA-8(15) \| SA-8(18) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SA-8(24) \| SA-8(29) \| SA-8(9) \| SA-9 \| SA-9(1) \| SA-9(2) \| SA-9(6) \| SA-9(7) \| SC-10 \| SC-12 \| SC-12(1) \| SC-12(6) \| SC-13 \| SC-15 \| SC-16(2) \| SC-16(3) \| SC-18(1) \| SC-18(2) \| SC-18(3) \| SC-18(4) \| SC-2 \| SC-2(2) \| SC-20 \| SC-21 \| SC-22 \| SC-23 \| SC-23(1) \| SC-23(3) \| SC-23(5) \| SC-24 \| SC-28 \| SC-28(1) \| SC-28(3) \| SC-3 \| SC-38 \| SC-39 \| SC-4 \| SC-45 \| SC-45(1) \| SC-45(2) \| SC-49 \| SC-5 \| SC-5(1) \| SC-5(2) \| SC-5(3) \| SC-50 \| SC-51 \| SC-7 \| SC-7(10) \| SC-7(11) \| SC-7(12) \| SC-7(13) \| SC-7(14) \| SC-7(18) \| SC-7(21) \| SC-7(25) \| SC-7(29) \| SC-7(3) \| SC-7(4) \| SC-7(5) \| SC-7(7) \| SC-7(8) \| SC-7(9) \| SC-8 \| SC-8(1) \| SC-8(2) \| SC-8(5) \| SI-10 \| SI-10(3) \| SI-10(6) \| SI-11 \| SI-12 \| SI-14(3) \| SI-16 \| SI-19(4) \| SI-2 \| SI-2(2) \| SI-2(3) \| SI-2(6) \| SI-21 \| SI-3 \| SI-3(10) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(12) \| SI-4(13) \| SI-4(14) \| SI-4(15) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(20) \| SI-4(22) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-5 \| SI-5(1) \| SI-6 \| SI-7 \| SI-7(1) \| SI-7(17) \| SI-7(2) \| SI-7(5) \| SI-7(7) \| SI-7(8) \| SR-1 \| SR-10 \| SR-11 \| SR-11(1) \| SR-11(2) \| SR-11(3) \| SR-12 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(1) \| SR-3(2) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2) \| SR-6 \| SR-6(1) \| SR-7 \| SR-8 \| SR-9 \| SR-9(1)	5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.15 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.16 \| A.5.18 \| A.8.2 \| A.8.16 \| A.5.15 \| A.5.33 \| A.8.3 \| A.8.4 \| A.8.18 \| A.8.20 \| A.8.2 \| A.8.4 \| A.5.14 \| A.8.22 \| A.8.23 \| A.8.11 \| A.8.10 \| A.5.15 \| A.8.2 \| A.8.18 \| A.8.5 \| A.8.5 \| A.7.7 \| A.8.1 \| A.5.14 \| A.6.7 \| A.8.1 \| A.8.16 \| A.5.14 \| A.8.1 \| A.8.20 \| A.5.14 \| A.7.9 \| A.8.1 \| A.5.14 \| A.7.9 \| A.8.20 \| A.6.3 \| A.8.15 \| A.8.15 \| A.8.6 \| A.5.25 \| A.6.8 \| A.8.15 \| A.7.4 \| A.8.17 \| A.5.33 \| A.8.15 \| A.5.28 \| A.8.15 \| A.8.15 \| A.8.15 \| A.5.14 \| A.8.21 \| 9.1 \| 9.3.2 \| 9.3.3 \| A.5.36 \| 9.2.2 \| A.8.9 \| A.8.9 \| 8.1 \| 9.3.3 \| A.8.9 \| A.8.32 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.19 \| A.8.19 \| A.5.9 \| A.8.9 \| A.5.2 \| A.8.9 \| A.8.19 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.8.6 \| A.5.30 \| A.5.30 \| A.5.29 \| A.7.11 \| A.5.29 \| A.5.33 \| A.8.13 \| A.5.29 \| A.5.16 \| A.5.16 \| A.5.16 \| A.5.17 \| A.8.5 \| A.5.16 \| A.6.3 \| A.5.25 \| A.5.26 \| A.5.27 \| A.8.16 \| A.5.5 \| A.6.8 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.24 \| A.7.10 \| A.7.13 \| A.8.10 \| A.8.10 \| A.8.16 \| A.8.10 \| A.7.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.5.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.8.10 \| A.5.10 \| A.7.9 \| A.7.10 \| A.5.10 \| A.7.10 \| A.7.14 \| A.8.10 \| A.5.10 \| A.7.10 \| A.5.8 \| A.5.7 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| 4.4 \| 6.2 \| 7.4 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 9.1 \| 9.2.2 \| 10.1 \| 10.2 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.22 \| A.5.7 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.33 \| 8.1 \| A.5.8 \| A.5.20 \| A.5.23 \| A.8.29 \| A.8.30 \| A.8.28 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.9 \| A.8.28 \| A.8.30 \| A.8.32 \| A.8.29 \| A.8.30 \| A.5.8 \| A.8.25 \| A.8.25 \| A.8.27 \| A.8.6 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.23 \| A.8.12 \| A.5.10 \| A.5.14 \| A.8.20 \| A.8.26 \| A.5.33 \| A.8.20 \| A.8.24 \| A.8.24 \| A.8.26 \| A.5.31 \| A.5.14 \| A.5.10 \| A.5.33 \| A.6.8 \| A.8.8 \| A.8.32 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16 \| A.5.6 \| A.8.11 \| A.8.10 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22 \| A.5.22	YES
CM0035	Protect Authenticators	Tier I	Protect authenticator content from unauthorized disclosure and modification.	AC-17(6) \| AC-3(11) \| CM-3(6) \| IA-4(9) \| IA-5 \| IA-5(6) \| PL-8 \| PL-8(1) \| SA-3 \| SA-4(5) \| SA-8 \| SA-8(13) \| SA-8(19) \| SC-16 \| SC-16(1) \| SC-8(1)	A.8.4 \| A.5.16 \| A.5.17 \| A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.33	YES
CM0053	Physical Security Controls	Tier II	Employ physical security controls (badge with pins, guards, gates, etc.) to prevent unauthorized access to the systems that have the ability to command the spacecraft.	AC-14 \| CA-3(6) \| CA-8 \| CA-8(1) \| CA-8(3) \| PE-2 \| PE-2(1) \| PE-2(3) \| PE-3 \| PE-3(1) \| PE-3(2) \| PE-3(3) \| PE-3(5) \| PE-3(7) \| SA-3 \| SA-8 \| SC-12(6) \| SC-51 \| SC-8(5) \| SR-11(2)	A.7.2 \| A.7.1 \| A.7.2 \| A.7.3 \| A.7.4 \| A.8.12 \| A.7.4 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28		YES

Priority 1	Priority 2	Priority 3	Priority 4
CWE-1391: Improperly Implemented Security Check for Standard	CWE-345: Insufficient Verification of Data Authenticity	CWE-200: Information Exposure	CWE-669: Incorrect Resource Transfer Between Spheres
CWE-287: Improper Authentication			CWE-913: Improper Control of Dynamically-Managed Code Resources
CWE-506: Embedded Malicious Code
CWE-732: Incorrect Permission Assignment for Critical Resource

Indicators of Behavior

ID	Name	Description	STIX Pattern
CSNE-11	Data Exfiltration Detected During Scheduled Communication Windows	Detection of larger-than-expected data packets sent during scheduled spacecraft communication windows, indicating that a compromised ground system may be exfiltrating data under the guise of legitimate operations.	[network-traffic:direction = 'downlink' AND network-traffic:data_size > 'expected_size']
CSNE-21	Unauthorized Data Transmission from Ground System to External IP	Detection of data transmissions originating from a compromised ground system to an external IP address not authorized for spacecraft operations, potentially indicating exfiltration of sensitive information.	[network-traffic:src_ref.role = 'ground_system' AND network-traffic:dst_ref.value != 'authorized_external_ip']
CSNE-23	Sudden Increase in Bandwidth Usage from Ground System	Detection of a sudden increase in network bandwidth usage from the ground system, which could indicate data exfiltration activities as threat actors attempt to move large amounts of information out of the compromised system.	[network-traffic:bandwidth_usage > 'expected_threshold' AND network-traffic:src_ref.role = 'ground_system']
SIUU-4	Abnormal Software Update Activity Detected	Detection of unauthorized or abnormal software update attempts, particularly affecting critical spacecraft subsystems or even FSW as a whole. This may be an indicator of an attacker exploiting a code flaw to introduce malicious code or manipulate software functionality.	[x-opencti-update-log:source != 'trusted_source' AND x-opencti-update-log:software_component = 'critical_subsystem']
SIUU-18	Suspicious Activity in Software Compilation or Build Process	Detection of suspicious activities or errors in the spacecraft software compilation process, potentially indicating tampering with source code or injecting malicious components into the compiled software before it is delivered to the spacecraft.	[x-opencti-build-log:process = 'compilation' AND x-opencti-build-log:result != 'expected']
SIUU-19	Unauthorized Modification of Source Code in Software Repository	Detection of unauthorized modifications to source code in a software repository used to develop or update spacecraft software, indicating potential code injection or manipulation in the supply chain to introduce malicious functionality.	[x-opencti-code-repository:commit_author != 'trusted_contributor' AND x-opencti-code-repository:code_change != 'expected']

Compromised Developer Site

Countermeasures

Related CWE Classes

Related Aerospace Threat ID

Related MITRE ATT&CK TTPs

Related ESA SPACE-SHIELD TTPs

Related MITRE EMB3D Threats

Related BSI Threats

Indicators of Behavior

References