Threat actors obtain or adapt exploits (the trigger) and payloads (the action after exploitation) for space, ground, and cloud components. Targets include flight software parsers and table loaders, bootloaders and patch/update handlers, bus gateways, payload controllers, and ground services. Payloads may be binaries, scripts, or command/procedure sequences that alter modes, bypass FDIR, or stage follow-on access; they can also be “data payloads” that exploit weak validation (malformed tables, ephemeris, or calibration products). Acquisition paths mirror the broader market, brokered N-day/0-day packages, open-source exploits re-tooled for mission stacks, and theft from vendors or researchers. Actors tune timing, size/rate limits, and anti-replay nuances so delivery fits pass windows and link budgets, and they rehearse on flatsats to achieve deterministic outcomes.
| ID | Name | Tiering | Description | NIST Rev5 | ISO 27001 | Onboard SV | Ground | |
| CM0009 | Threat Intelligence Program | A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities and mitigate risk. Leverage all-source intelligence services or commercial satellite imagery to identify and track adversary infrastructure development/acquisition. Countermeasures for this attack fall outside the scope of the mission in the majority of cases. | PM-16 PM-16(1) RA-10 RA-3 RA-3(2) RA-3(3) SA-3 SA-8 SI-4(24) SR-8 | A.5.7 A.5.7 6.1.2 8.2 9.3.2 A.8.8 A.5.7 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 | ||||