Theft, Technique IMP-0006

TECHNIQUES

SPARTA

Reconnaissance

Gather Spacecraft Design Information

Software

Firmware

Cryptographic Algorithms

Data Bus

Thermal Control System

Maneuver & Control

Payload

Power

Fault Management

Gather Spacecraft Descriptors

Identifiers

Organization

Operations

Gather Spacecraft Communications Information

Communications Equipment

Commanding Details

Mission-Specific Channel Scanning

Valid Credentials

Gather Launch Information

Flight Termination

Eavesdropping

Uplink Intercept

Downlink Intercept

Proximity Operations

Active Scanning (RF/Optical)

Gather FSW Development Information

Development Environment

Security Testing Tools

Monitor for Safe-Mode Indicators

Gather Supply Chain Information

Hardware

Software

Known Vulnerabilities

Business Relationships

Gather Mission Information

Resource Development

Acquire Infrastructure

Ground Station Equipment

Commercial Ground Station Services

Spacecraft

Launch Facility

Compromise Infrastructure

Mission-Operated Ground System

3rd Party Ground System

3rd-Party Spacecraft

Obtain Cyber Capabilities

Exploit/Payload

Cryptographic Keys

Obtain Non-Cyber Capabilities

Launch Services

Non-Kinetic Physical ASAT

Kinetic Physical ASAT

Electronic ASAT

Stage Capabilities

Identify/Select Delivery Mechanism

Upload Exploit/Payload

Initial Access

Compromise Supply Chain

Software Dependencies & Development Tools

Software Supply Chain

Hardware Supply Chain

Compromise Software Defined Radio

Crosslink via Compromised Neighbor

Secondary/Backup Communication Channel

Ground Station

Receiver

Rendezvous & Proximity Operations

Compromise Emanations

Docked Vehicle / OSAM

Proximity Grappling

Compromise Hosted Payload

Compromise Ground System

Compromise On-Orbit Update

Malicious Commanding via Valid GS

Rogue External Entity

Rogue Ground Station

Rogue Spacecraft

ASAT/Counterspace Weapon

Trusted Relationship

Mission Collaborator (academia, international, etc.)

Vendor

User Segment

Exploit Reduced Protections During Safe-Mode

Auxiliary Device Compromise

Assembly, Test, and Launch Operation Compromise

Execution

Replay

Command Packets

Bus Traffic

Position, Navigation, and Timing (PNT) Geofencing

Modify Authentication Process

Compromise Boot Memory

Exploit Hardware/Firmware Corruption

Design Flaws

Malicious Use of Hardware Commands

Disable/Bypass Encryption

Trigger Single Event Upset

Time Synchronized Execution

Absolute Time Sequences

Relative Time Sequences

Exploit Code Flaws

Flight Software

Operating System

Known Vulnerability (COTS/FOSS)

Malicious Code

Ransomware

Wiper Malware

Rootkit

Bootkit

Exploit Reduced Protections During Safe-Mode

Modify On-Board Values

Registers

Internal Routing Tables

Memory Write/Loads

App/Subscriber Tables

Scheduling Algorithm

Science/Payload Data

Propulsion Subsystem

Attitude Determination & Control Subsystem

Electrical Power Subsystem

Command & Data Handling Subsystem

Watchdog Timer (WDT)

System Clock

Poison AI/ML Training Data

Flooding

Valid Commands

Erroneous Input

Jamming

Position, Navigation, and Timing (PNT)

Uplink Jamming

Downlink Jamming

Spoofing

Time Spoof

Bus Traffic

Sensor Data

Position, Navigation, and Timing (PNT)

Ballistic Missile Spoof

Side-Channel Attack

Kinetic Physical Attack

Direct Ascent ASAT

Co-Orbital ASAT

Non-Kinetic Physical Attack

Electromagnetic Pulse (EMP)

High-Powered Laser

High-Powered Microwave

Persistence

Memory Compromise

Backdoor

Hardware

Software

Ground System Presence

Replace Cryptographic Keys

Valid Credentials

Defense Evasion

Disable Fault Management

Prevent Downlink

Inhibit Ground System Functionality

Jam Link Signal

Inhibit Spacecraft Functionality

Modify On-Board Values

Vehicle Command Counter (VCC)

Rejected Command Counter

Command Receiver On/Off Mode

Command Receivers Received Signal Strength

Command Receiver Lock Modes

Telemetry Downlink Modes

Cryptographic Modes

Received Commands

System Clock

GPS Ephemeris

Watchdog Timer (WDT)

Poison AI/ML Training Data

Masquerading

Exploit Reduced Protections During Safe-Mode

Modify Whitelist

Rootkit

Bootkit

Camouflage, Concealment, and Decoys (CCD)

Debris Field

Space Weather

Trigger Premature Intercept

Overflow Audit Log

Valid Credentials

Lateral Movement

Hosted Payload

Exploit Lack of Bus Segregation

Constellation Hopping via Crosslink

Visiting Vehicle Interface(s)

Virtualization Escape

Launch Vehicle Interface

Rideshare Payload

Valid Credentials

Exfiltration

Replay

Side-Channel Attack

Power Analysis Attacks

Electromagnetic Leakage Attacks

Traffic Analysis Attacks

Timing Attacks

Thermal Imaging attacks

Eavesdropping

Uplink Intercept

Downlink Intercept

Out-of-Band Communications Link

Proximity Operations

Modify Communications Configuration

Software Defined Radio

Transponder

Compromised Ground System

Compromised Developer Site

Compromised Partner Site

Payload Communication Channel

Impact

Deception (or Misdirection)

Disruption

Denial

Degradation

Destruction

Theft

Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim spacecraft. Many spacecraft have a particular purpose associated with them and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the spacecraft could be lost entirely.

ID: IMP-0006

Sub-techniques: No sub-techniques

Notional Risk (H | M | L): This TTP is not scored

Related MITRE ATT&CK TTPs: No related MITRE ATT&CK TTPs

Related ESA SPACE-SHIELD TTPs: No related Spaceshield TTPs

ⓘ

Tactic: Impact

Created: 2022/10/19

Last Modified: 2023/07/18

Countermeasures

ID		Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0000		Countermeasure Not Identified	This technique is a result of utilizing TTPs to create an impact and the applicable countermeasures are associated with the TTPs leveraged to achieve the impact	None	None	None

References

Epstein, Keith and Elgin, Ben. (2008). Tech - Network security breaches & NASA (V.G.Read). Retrieved on February 17, 2013, from http://spoonfeedin.blogspot.com.au/2008/11/tech-network-security-breachesnasa.Html
Thornburgh, Nathan. (2005). The Invasion of the Chinese Cyberspies. Retrieved on March 28, 2013, from http://www.time.com/time/magazine/article/0,9171,1098961,00.html
Martin, P. K.:NASA Cybersecurity: An Examination of the Agency’s Information Security In: Testimony before the Subcommittee on Investigations and Oversight, House Committee on Science, Space, and Technology February 2012 Url:https://oig.nasa.gov/docs/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf Retrieved 08/07/2019
Leyden, J.: Royal Navy hacker claims to have broken into space agency site Url: https://www.theregister.co.uk/2011/04/18/esa_website_hack/ Retrieved 08/07/2019
Storm, D.:Attackers hack European Space Agency, leak thousands of credentials 'for the lulz' Url: https://www.computerworld.com/article/3014539/attackers-hack-european-space-agency-leak-thousands-of-credentials-for-the-lulz.html December 2014 Retrieved 09/07/2019
Thomson, I.:Hackers mirror 250GB of NASA files on the web Url: https://www.theregister.co.uk/2016/02/01/250gb_nasa_data_hacked/ February 2016 Retrieved 09/07/2019
Williams, C: Houston, we've had a problem: NASA fears internal server hacked, staff personal info swiped by miscreants Url: https://www.theregister.co.uk/2018/12/18/nasa_server_hack/ December 2018 Retrieved 09/07/2019
spaceref.com: Potential Personally Identifiable Information (PII ) Compromise of NASA Servers Url: http://spaceref.com/news/viewsr.html?pid=52074 December 2018 Retrieved 09/07/2019
Cappaccio, Tony and Bliss, Jeff: China Suspected in Attacks on U.S. Satellities October 27 2011
Windsor, C., Malicious Actor Discloses FortiGate SSL-VPN Credentials, https://www.fortinet.com/blog/psirt-blogs/maliciousactor-discloses-fortigate-ssl-vpn-credentials, 2021, Retrieved October 27, 2022.
Abrams, L., Hackers leak passwords for 500,000 Fortinet VPN accounts, https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/ , 2021, Retrieved October 27, 2022.
https://cromulence.com/blog/hack-a-sat-2022-finals-teams-on-the-attack
https://www.clarin.com/tecnologia/publican-parte-datos-robados-arsat-luego-encriptados-grupo-ransomware_0_6shfcu8Yhq.html
https://www.cyberscoop.com/apt28-fancy-bear-satellite/
https://asec.ahnlab.com/ko/48416/
https://www.forbes.com/sites/firewall/2010/09/29/did-the-stuxnet-worm-kill-indias-insat-4b-satellite/?sh=828fe1b127d2