Exploit/Payload, Technique RD-0003.01

TECHNIQUES

SPARTA

Reconnaissance

Gather Spacecraft Design Information

Software

Firmware

Cryptographic Algorithms

Data Bus

Thermal Control System

Maneuver & Control

Payload

Power

Fault Management

Gather Spacecraft Descriptors

Identifiers

Organization

Operations

Gather Spacecraft Communications Information

Communications Equipment

Commanding Details

Mission-Specific Channel Scanning

Gather Launch Information

Flight Termination

Eavesdropping

Uplink Intercept

Downlink Intercept

Proximity Operations

Active Scanning (RF/Optical)

Gather FSW Development Information

Development Environment

Security Testing Tools

Monitor for Safe-Mode Indicators

Gather Supply Chain Information

Hardware

Software

Known Vulnerabilities

Business Relationships

Gather Mission Information

Resource Development

Acquire Infrastructure

Ground Station Equipment

Commercial Ground Station Services

Spacecraft

Compromise Infrastructure

Mission-Operated Ground System

3rd Party Ground System

3rd-Party Spacecraft

Obtain Capabilities

Exploit/Payload

Cryptographic Keys

Stage Capabilities

Identify/Select Delivery Mechanism

Upload Exploit/Payload

Initial Access

Compromise Supply Chain

Software Dependencies & Development Tools

Software Supply Chain

Hardware Supply Chain

Compromise Software Defined Radio

Crosslink via Compromised Neighbor

Secondary/Backup Communication Channel

Ground Station

Receiver

Rendezvous & Proximity Operations

Compromise Emanations

Docked Vehicle / OSAM

Proximity Grappling

Compromise Hosted Payload

Compromise Ground System

Compromise On-Orbit Update

Malicious Commanding via Valid GS

Rogue External Entity

Rogue Ground Station

Rogue Spacecraft

Trusted Relationship

Mission Collaborator (academia, international, etc.)

Vendor

User Segment

Exploit Reduced Protections During Safe-Mode

Auxiliary Device Compromise

Assembly, Test, and Launch Operation Compromise

Execution

Replay

Command Packets

Bus Traffic

Position, Navigation, and Timing (PNT) Geofencing

Modify Authentication Process

Compromise Boot Memory

Exploit Hardware/Firmware Corruption

Design Flaws

Malicious Use of Hardware Commands

Disable/Bypass Encryption

Trigger Single Event Upset

Time Synchronized Execution

Absolute Time Sequences

Relative Time Sequences

Exploit Code Flaws

Flight Software

Operating System

Known Vulnerability (COTS/FOSS)

Inject Malicious Code

Exploit Reduced Protections During Safe-Mode

Modify On-Board Values

Registers

Internal Routing Tables

Memory Write/Loads

App/Subscriber Tables

Scheduling Algorithm

Science/Payload Data

Propulsion Subsystem

Attitude Determination & Control Subsystem

Electrical Power Subsystem

Command & Data Handling Subsystem

Watchdog Timer (WDT)

System Clock

Poison AI/ML Training Data

Flooding

Valid Commands

Erroneous Input

Position, Navigation, and Timing (PNT)

Spoofing

Time Spoof

Bus Traffic

Sensor Data

Position, Navigation, and Timing (PNT)

Side-Channel Attack

Persistence

Memory Compromise

Backdoor

Hardware

Software

Ground System Presence

Replace Cryptographic Keys

Defense Evasion

Disable Fault Management

Prevent Downlink

Inhibit Ground System Functionality

Jam Link Signal

Inhibit Spacecraft Functionality

Modify On-Board Values

Vehicle Command Counter (VCC)

Rejected Command Counter

Command Receiver On/Off Mode

Command Receivers Received Signal Strength

Command Receiver Lock Modes

Telemetry Downlink Modes

Cryptographic Modes

Received Commands

System Clock

GPS Ephemeris

Watchdog Timer (WDT)

Poison AI/ML Training Data

Masquerading

Exploit Reduced Protections During Safe-Mode

Modify Whitelist

Rootkit

Bootkit

Lateral Movement

Hosted Payload

Exploit Lack of Bus Segregation

Constellation Hopping via Crosslink

Visiting Vehicle Interface(s)

Virtualization Escape

Exfiltration

Replay

Side-Channel Attack

Power Analysis Attacks

Electromagnetic Leakage Attacks

Traffic Analysis Attacks

Timing Attacks

Thermal Imaging attacks

Eavesdropping

Uplink Intercept

Downlink Intercept

Out-of-Band Communications Link

Proximity Operations

Modify Communications Configuration

Software Defined Radio

Transponder

Compromised Ground System

Compromised Developer Site

Compromised Partner Site

Payload Communication Channel

Impact

Deception (or Misdirection)

Disruption

Denial

Degradation

Destruction

Theft

Obtain Capabilities: Exploit/Payload

Threat actors may buy, steal, or download exploits and payloads that can be used for future campaigns or to perpetuate other techniques. An exploit/payload takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on the victim spacecraft's hardware, software, and/or subsystems. Rather than develop their own, threat actors may find/modify exploits from online or purchase them from exploit vendors.

Other Subtechniques of Obtain Capabilities ( 2 )

ID	Name
RD-0003.01	Exploit/Payload
RD-0003.02	Cryptographic Keys

ID: RD-0003.01

Sub-technique of: RD-0003

Related Aerospace Threat IDs: No related threat IDs

Related MITRE ATT&CK TTPs: T1588 | T1588.005

ⓘ

Tactic: Resource Development

Created: 2022/10/19

Last Modified: 2022/12/08

Countermeasures

ID		Name	Description	NIST Rev5
CM0009		Threat Intelligence Program	A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities and mitigate risk. Leverage all-source intelligence services or commercial satellite imagery to identify and track adversary infrastructure development/acquisition. Countermeasures for this attack fall outside the scope of the mission in the majority of cases.	PM-16 \| PM-16(1) \| PM-16(1) \| RA-10 \| RA-3(2) \| RA-3(3) \| SR-8

References

ViaSat, Inc., KA-SAT Network cyber attack overview, https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview, 2022, Retrieved October 27, 2022.
Santamarta, R., VIASAT incident: from speculation to technical details, https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html, 2022, Retrieved October 27, 2022.
Boschetti, Nicolò et. al.:Space Cybersecurity Lessons Learned from The ViaSat Cyberattack Url: https://www.researchgate.net/publication/363558808 October 2022, Retrieved October 27, 2022.
Guerrero-Saade, J. A., AcidRain
A Modem Wiper Rains Down on Europe, https://www.sentinelone.com/labs/acidrain-amodem- wiper-rains-down-on-europe/ , 2022, Retrieved October 27, 2022.