REC-0005 |
Eavesdropping |
Threat actors may seek to capture network communications throughout the ground station and radio frequency (RF) communication used for uplink and downlink communications. RF communication frequencies vary between 30 MHz and 60 GHz. Threat actors may capture RF communications using specialized hardware, such as a software-defined radio (SDR), a handheld radio, or a computer with a radio demodulator tuned to the communication frequency. Network communications may be captured using packet capture software while the threat actor is on the target network. |
|
REC-0005.01 |
Uplink Intercept |
Threat actors may capture the RF communications that pertain to the uplink to the victim SV. This information can contain commanding information that the threat actor can use to perform other attacks against the victim SV. |
|
REC-0005.02 |
Downlink Intercept |
Threat actors may capture the RF communications that pertain to the downlink of the victim SV. This information can contain important telemetry such as onboard status and mission data. |
|
REC-0005.03 |
Proximity Operations |
Threat actors may capture signals and/or network communications as they travel on-board the vehicle (i.e., EMSEC/TEMPEST), via RF, or terrestrial networks. This information can be decoded to determine commanding and telemetry protocols, command times, and other information that could be used for future attacks. |
REC-0007 |
Monitor for Safe-Mode Indicators |
Threat actors may gather information regarding safe-mode indicators on the victim SV. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time. |
EX-0011 |
Exploit Reduced Protections During Safe-Mode |
Threat actors may take advantage of the victim SV being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time. |
EX-0015 |
Side-Channel Attack |
Threat actors may use a side-channel attack, which attempts to gather information or influence the program execution of a system by measuring or exploiting indirect effects of the SV. Side-channel attacks can be active or passive. From an execution perspective, fault injection analysis is an active side-channel technique in which an attacker induces a fault in an intermediate variable of a cipher, i.e., the result of an internal computation, by applying an external stimulation to the hardware during runtime, such as a voltage/clock glitch or electromagnetic radiation. As a result of fault injection, specific features appear in the distribution of the sensitive variables under attack that reduce entropy. The reduced entropy of a variable under fault injection is equivalent to the leakage of secret data in a passive attack.
EXF-0002 |
Side-Channel Attack |
Threat actors may use a side-channel attack, which attempts to gather information by measuring or exploiting indirect effects of the SV. Information within the SV can be extracted through these side channels, in which sensor data is analyzed in non-trivial ways to recover subtle, hidden or unexpected information. A series of measurements of a side channel constitutes an identifiable signature, which can then be matched against a signature database to identify target information without having to explicitly decode the side channel.
EXF-0001 |
Replay |
Threat actors may exfiltrate data by replaying commands and capturing the telemetry or payload data as it is sent down. One scenario would be that the threat actor replays commands to downlink payload data once the SV is within a certain location, so the data can be intercepted on the downlink by threat actor ground terminals.
EXF-0003 |
Eavesdropping |
Threat actors may seek to capture network communications throughout the ground station and communication channel (i.e., radio frequency, optical) used for uplink and downlink communications.
|
EXF-0003.01 |
Uplink Intercept |
Threat actors may target the uplink connection from the victim ground infrastructure to the target SV in order to exfiltrate commanding data. Depending on the implementation (i.e., encryption) the captured uplink data can be used to further other attacks like command link intrusion, replay, etc. |
|
EXF-0003.02 |
Downlink Intercept |
Threat actors may target the downlink connection from the victim SV in order to exfiltrate telemetry or payload data. This data can include health information of the SV or whatever mission data is being collected/analyzed on the SV.
EXF-0004 |
Out-of-Band Communications Link |
Threat actors may attempt to exfiltrate data via the out-of-band communication channels. While performing eavesdropping on the primary/secondary uplinks and downlinks is a method for exfiltration, some space vehicles leverage out-of-band communication links to perform actions on the space vehicle (i.e., re-keying). These out-of-band links would occur on completely different channels/frequencies and often operate on separate hardware on the space vehicle. Typically, these out-of-band links have limited built-for-purpose functionality and likely do not present an initial access vector, but they do provide ample exfiltration opportunity.
EXF-0005 |
Proximity Operations |
Threat actors may leverage the lack of emission security or TEMPEST controls to exfiltrate information using a visiting SV. This is similar to side-channel attacks, but leverages a visiting SV to measure the signals for decoding purposes.
IMP-0006 |
Theft |
Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim SV. Many SVs have a particular purpose associated with them and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the SV could be lost entirely. |