Save this assessment as a PDF using your browser’s print dialog.

← Back to module
Full Spectrum Space Cybersecurity Professional

Composite OSINT Threat Assessment

Potential Attacks Against the Reference Satellite, by Segment

This assessment characterizes the current threat picture across the platform’s four operational enclaves (Space, Link, Ground, User). For each enclave, the report identifies the potential attacks the platform faces and the subsystems each attack would touch.

SPACE
4
Threats
LINK
3
Threats
GROUND
5
Threats
USER
2
Threats
Exported by verifying identity…
Exported at
Classification TLP:GREEN · SCORP² community only
Distribution Internal cohort and confirmed instructors only
TLP:GREEN SCORP² community only · do not redistribute outside cohort
Exported by: Exported at: Distribution: Internal cohort + confirmed instructors
If you received this file from outside the cohort, please notify william.o.ferguson@ethicallyhacking.space and delete it.
About this assessment. Composite OSINT assessment synthesized from publicly reported space-system incidents and adversary profiles. All sources open-source; no proprietary feed is reproduced. Methodology and source list available on request.

Report Structure

Each enclave is presented in two parts: a narrative of the current threat picture, followed by a table of potential attacks and the subsystems each would touch.

01Space, Threat Narrative

SPACE
On-orbit platform and payload subsystems

Picture. State-linked actors have shown the most willingness to put on-orbit platforms at risk. Three patterns dominate public reporting: destructive intent against the bus, integrity attacks against the command path, and supply-chain firmware compromise pre-launch. A fourth, less common, is payload-data tampering.

Working hypotheses. Destructive actors target attitude and power. Integrity actors target C&DH and crypto. Supply-chain actors ride in firmware (FTS, thermal, EPS) and wait for a trigger. Payload tampering targets the data plane between the instrument and the downlink encryptor.

Platform subsystems each potential attack would touch

ThreatServices touchedHardware / firmware / data touched
Destructive bus attack Attitude determination & control, electrical power management, flight termination. ADCS sensors and flight software, power chain (solar arrays, battery, PCDU), FTS receiver and firmware.
Command-path integrity attack Command & Data Handling (C&DH), space-side cryptography. Every commanding-path component bound to C&DH and the space-side crypto service.
Pre-launch supply-chain firmware compromise Flight termination, thermal control, power management. FTS firmware and any other firmware-bearing hardware ingested through the same supply path.
Payload-data tampering Mission downlink / uplink data plane, payload data plane. Payload-side hardware and software between the science instrument and the downlink encryptor.

02Link, Threat Narrative

LINK
The RF and optical signal path between Space and Ground

Picture. The link is where state-linked RF actors operate most visibly: sustained jamming campaigns, pass-timed uplink interference, and replay-and-spoof against the command waveform. Adversaries can degrade mission product here without touching ground or space.

Working hypotheses. Jamming actors prefer the downlink (slower to detect than uplink failure). Spoofing actors pair with credential or session-key theft. Interference operators time passes; persistent campaigns rotate frequency to evade single-source mitigations.

Platform subsystems each potential attack would touch

ThreatServices touchedHardware / firmware / data touched
Jamming campaign Link-side communications serving the downlink and uplink bands. The waveforms in those bands; antenna and modem hardware on both ends of the link.
Replay-and-spoof attack on the uplink Command & Data Handling (space side), space-side and ground-side cryptography. The uplink command waveform itself; cryptographic key material on both ends of the link.
Downlink interception Mission downlink data plane, payload data plane. The downlink waveform; mission and payload data traversing the link.

03Ground, Threat Narrative

GROUND
Mission operations, command authority, cryptography, launch control

Picture. Ground hosts the largest population of adversaries: nation-state long-dwell intruders, criminal credential-theft actors, privileged insiders, persistent ground-network pivoters, and ransomware actors targeting launch and mission ops.

Working hypotheses. Long-dwell intruders target ground crypto and the mission ops network. Credential theft targets operator and service accounts. Insiders sit on commanding workstations. Pivoters move operator-network → mission control. Ransomware’s highest-impact path runs through launch control.

Platform subsystems each potential attack would touch

ThreatServices touchedHardware / firmware / data touched
Long-dwell network intrusion Ground-side cryptography, mission operations, command authority. Mission ops network equipment, command authority application, ground cryptographic key material.
Operator credential theft Ground-station operations, mission operations. Operator credentials and ground-station service-account credentials.
Privileged insider misuse Command authority, mission operations. Commanding workstations (hardware and software), audit logs.
Lateral movement into mission control Operator network, mission operations. Operator workstations, mission-control hosts and their software.
Ransomware against launch infrastructure Launch control, mission operations. Launch control hardware and software; co-resident operator backup data.

04User, Threat Narrative

USER
Operator consoles and end-user applications that consume mission product

Picture. Few threats, but high-consequence: the user side is what shapes operator and customer decisions. Two patterns matter: tampering with end-user applications (distorting what the operator sees), and credential harvesting against operator consoles.

Working hypotheses. Application tamperers go for the app and the data it displays (degrading downlink trust without touching the bird). Credential actors go for the console’s auth path and any cached credential or session data.

Platform subsystems each potential attack would touch

ThreatServices touchedHardware / firmware / data touched
End-user application tampering End-user application, mission product display. End-user application software, displayed mission product.
Operator console credential theft Operator console, authentication service for the console. Console workstation hardware and software, cached credentials and session tokens.

Analyst Summary

Ground dominates the picture: state-linked long-dwell intrusions and credential-theft actors operate the most visibly. Space is shaped by destructive intent against bus subsystems and pre-launch firmware compromise. Link faces jamming, replay-and-spoof, and downlink interception. User is small in volume, high in consequence.

Recommendations. Prioritize ground-segment hardening given the volume and persistence of known actors. Treat the per-enclave threat tables as input to existing detection, response, and resilience planning. Refresh this baseline at quarterly intervals or after a significant change to publicly reported adversary capability.