REC-0005 |
Eavesdropping |
Threat actors may seek to capture network communications throughout the ground station and radio frequency (RF) communication used for uplink and downlink communications. RF communication frequencies vary between 30MHz and 60 GHz. Threat actors may capture RF communications using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator turned to the communication frequency. Network communications may be captured using packet capture software while the threat actor is on the target network. |
|
REC-0005.01 |
Uplink Intercept |
Threat actors may capture the RF communications as it pertains to the uplink to the victim SV. This information can contain commanding information that the threat actor can use to perform other attacks against the victim SV. |
|
REC-0005.02 |
Downlink Intercept |
Threat actors may capture the RF communications as it pertains to the downlink of the victim SV. This information can contain important telemetry such as onboard status and mission data. |
|
REC-0005.03 |
Proximity Operations |
Threat actors may capture signals and/or network communications as they travel on-board the vehicle (i.e., EMSEC/TEMPEST), via RF, or terrestrial networks. This information can be decoded to determine commanding and telemetry protocols, command times, and other information that could be used for future attacks. |
IA-0003 |
Crosslink via Compromised Neighbor |
Threat actors may compromise a victim SV via the crosslink communications of a neighboring SV that has been compromised. SVs in close proximity are able to send commands back and forth. Threat actors may be able to leverage this access to compromise other SVs once they have access to another that is nearby. |
IA-0005 |
Rendezvous & Proximity Operations |
Threat actors may perform a space rendezvous which is a set of orbital maneuvers during which a spacecraft arrives at the same orbit and approach to a very close distance (e.g. within visual contact or close proximity) to a target SV. |
|
IA-0005.01 |
Compromise Emanations |
Threat actors in close proximity may intercept and analyze electromagnetic radiation emanating from cryptoequipment and/or the target SV (i.e., main bus) to determine whether the emanations are information bearing. The data could be used to establish initial access. |
|
IA-0005.02 |
Docked Vehicle / OSAM |
Threat actors may leverage docking vehicles to laterally move into a target SV. If information is known on docking plans, a threat actor may target vehicles on the ground or in space to deploy malware to laterally move or execute malware on the target SV via the docking interface. |
|
IA-0005.03 |
Proximity Grappling |
Threat actors may posses the capability to grapple target SVs once it has established the appropriate space rendezvous. If from a proximity / rendezvous perspective a threat actor has the ability to connect via docking interface or expose testing (i.e., JTAG port) once it has grappled the target SV, they could perform various attacks depending on the access enabled via the physical connection. |
IA-0008 |
Rogue External Entity |
Threat actors may gain access to a victim SV through the use of a rogue external entity. With this technique, the threat actor does not need access to a legitimate ground station or communication site. |
|
IA-0008.01 |
Rogue Ground Station |
Threat actors may gain access to a victim SV through the use of a rogue ground system. With this technique, the threat actor does not need access to a legitimate ground station or communication site. |
|
IA-0008.02 |
Rogue Spacecraft |
Threat actors may gain access to a target SV using their own SV that has the capability to maneuver within close proximity to a target SV to carry out a variety of TTPs (i.e., eavesdropping, side-channel, etc.). Since many of the commercial and military assets in space are tracked, and that information is publicly available, attackers can identify the location of space assets to infer the best positioning for intersecting orbits. Proximity operations support avoidance of the larger attenuation that would otherwise affect the signal when propagating long distances, or environmental circumstances that may present interference. |
IA-0010 |
Exploit Reduced Protections During Safe-Mode |
Threat actors may take advantage of the victim SV being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time. |
EX-0001 |
Replay |
Replay attacks involve threat actors recording previously data streams and then resending them at a later time. This attack can be used to fingerprint systems, gain elevated privileges, or even cause a denial of service. |
|
EX-0001.01 |
Command Packets |
Threat actors may interact with the victim SV by replaying captured commands to the SV. While not necessarily malicious in nature, replayed commands can be used to overload the target SV and cause it's onboard systems to crash, perform a DoS attack, or monitor various responses by the SV. If critical commands are captured and replayed, thruster fires, then the impact could impact the SV's attitude control/orbit. |
EX-0003 |
Modify Authentication Process |
Threat actors may modify the internal authentication process of the victim SV to facilitate initial access, recurring execution, or prevent authorized entities from accessing the SV. This can be done through the modification of the software binaries or memory manipulation techniques. |
EX-0006 |
Disable/Bypass Encryption |
Threat actors may perform specific techniques in order to bypass or disable the encryption mechanism onboard the victim SV. By bypassing or disabling this particular mechanism, further tactics can be performed, such as Exfiltration, that may have not been possible with the internal encryption process in place. |
EX-0011 |
Exploit Reduced Protections During Safe-Mode |
Threat actors may take advantage of the victim SV being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time. |
EXF-0002 |
Side-Channel Attack |
Threat actors may use a side-channel attack attempts to gather information by measuring or exploiting indirect effects of the SV. Information within the SV can be extracted through these side-channels in which sensor data is analyzed in non-trivial ways to recover subtle, hidden or unexpected information. A series of measurements of a side-channel constitute an identifiable signature which can then be matched against a signature database to identify target information, without having to explicitly decode the side-channel. |
|
EXF-0002.04 |
Timing Attacks |
Threat actors can leverage timing attacks to exfiltrate information due to variances in the execution timing for different sub-systems in the spacecraft (i.e., cryptosystem). In spacecraft, due to the utilization of processors with lower processing powers (i.e. slow), this becomes all the more important because slower processors will enhance even small difference in computation time. Every operation in a spacecraft takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, a threat actor can work backwards to the input. Finding secrets through timing information may be significantly easier than using cryptanalysis of known plaintext, ciphertext pairs. Sometimes timing information is combined with cryptanalysis to increase the rate of information leakage. |
EXF-0001 |
Replay |
Threat actors may exfiltrate data by replaying commands and capturing the telemetry or payload data as it is sent down. One scenario would be the threat actor replays commands to downlink payload data once SV is within certain location so the data can be intercepted on the downlink by threat actor ground terminals. |
EXF-0003 |
Eavesdropping |
Threat actors may seek to capture network communications throughout the ground station and communication channel (i.e. radio frequency, optical) used for uplink and downlink communications |
|
EXF-0003.01 |
Uplink Intercept |
Threat actors may target the uplink connection from the victim ground infrastructure to the target SV in order to exfiltrate commanding data. Depending on the implementation (i.e., encryption) the captured uplink data can be used to further other attacks like command link intrusion, replay, etc. |
|
EXF-0003.02 |
Downlink Intercept |
Threat actors may target the downlink connection from the victim SV in order to exfiltrate telemetry or payload data. This data can include health information of the SV or whatever mission data that is being collected/analyzed on the SV. |
EXF-0004 |
Out-of-Band Communications Link |
Threat actors may attempt to exfiltrate data via the out-of-band communication channels. While performing eavesdropping on the primary/second uplinks and downlinks is a method for exfiltration, some space vehicles leverage out-of-band communication links to perform actions on the space vehicle (i.e., re-keying). These out-of-band links would occur on completely different channels/frequencies and often operate on separate hardware on the space vehicle. Typically these out-of-band links have limited built-for-purpose functionality and likely do not present an initial access vector but they do provide ample exfiltration opportunity. |
EXF-0005 |
Proximity Operations |
Threat actors may leverage the lack of emission security or tempest controls to exfiltrate information using a visiting SV. This is similar to side-channel attacks but leveraging a visiting SV to measure the signals for decoding purposes. |
EXF-0007 |
Compromised Ground Station |
Threat actors may compromise target owned ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems have already been configured for communications to the victim SV. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration. |
EXF-0008 |
Compromised Developer Site |
Threat actors may compromise development environments located within the ground system or a developer/partner site. This attack can take place in a number of different ways, including manipulation of source code, manipulating environment variables, or replacing compiled versions with a malicious one. This technique is usually performed before the target SV is in orbit, with the hopes of adding malicious code to the actual FSW during the development process. |
PER-0004 |
Replace Cryptographic Keys |
Threat actors may attempt to fully replace the cryptographic keys on the space vehicle which could lockout the mission operators and enable the threat actor's communication channel. Once the encryption key is changed on the space vehicle, the SV is rendered inoperable from the operators perspective as they have lost commanding access. Threat actors may exploit weaknesses in the key management strategy. For example, the threat actor may exploit the over-the-air rekeying procedures to inject their own cryptographic keys. |
DE-0002 |
Prevent Downlink |
Threat actors may target the downlink connections to prevent the victim SV from sending telemetry to the ground controllers. Telemetry is the only method in which ground controllers can monitor the health and stability of the SV while in orbit. By disabling this downlink, threat actors may be able to stop mitigations from taking place. |
|
DE-0002.02 |
Jam Link Signal |
Threat actors may overwhelm/jam the downlink signal to prevent transmitted telemetry signals from reaching their destination without severe modification/interference, effectively leaving ground controllers unaware of vehicle activity during this time. Telemetry is the only method in which ground controllers can monitor the health and stability of the SV while in orbit. By disabling this downlink, threat actors may be able to stop mitigations from taking place. |
DE-0004 |
Masquerading |
Threat actors may gain access to a victim SV by masquerading as an authorized entity. This can be done several ways, including through the manipulation of command headers, spoofing locations, or even leveraging Insider's access (i.e., Insider Threat) |
DE-0005 |
Exploit Reduced Protections During Safe-Mode |
Threat actors may take advantage of the victim SV being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections (i.e. security features) may be disabled at this time which would ensure the threat actor achieves evasion. |
LM-0003 |
Constellation Hopping via Crosslink |
Threat actors may attempt to command another neighboring spacecraft via crosslink. SVs in close proximity are often able to send commands back and forth. Threat actors may be able to leverage this access to compromise another SV. |
LM-0004 |
Visiting Vehicle Interface(s) |
Threat actors may move to other SVs through visiting vehicle interfaces. When a vehicle docks with a SV, many programs are automatically triggered in order to ensure docking mechanisms are locked. This entails several data points and commands being sent to and from the SV and the visiting vehicle. If a threat actor were to compromise a visiting vehicle, they could target these specific programs in order to send malicious commands to the victim SV once docked. |