Full Spectrum Space Cybersecurity Professional
Day 3 Enumerated Attack Paths
14 AN-ATT ETENs, One per Threat, Walked with SatDev/Eng
Fourteen attack paths against the platform. Each entry’s TOE chain names the services and assets the attacker would touch in order; each entry cites the public reporting or framework reference the path is anchored to.
Cumulative Decomposition Diagram
The complete artifact stack against the reference platform as of end of this module. New layer added this module is highlighted; prior layers show as context.
How to Read
Each entry is one AN-ATT (attack path). The ID is the AN:ATT:Attack Path:ORDINAL identifier. The Description narrates the path end to end. Driven by links the path to its parent AN-THR. TOE chain names every service and asset the attacker touches in traversal order. Source cites the public reporting the path is anchored to. Confidence is a one-line analyst assessment of how strongly the path is supported by the public record.
USER User Segment, 2 AN-ATT
ID AN-ATT ETEN
AN-ATT:00 Operator-console credential theft via spear-phishing or credential stuffing.Driven by AN:THR:Threat:01 (Console credential theft) TOE chain SEG:US:User:00 → SVC:CP:Control Plane:13 → AST:HW:Hardware:04 → AST:DA:Data:03 → SVC:CP:Control Plane:15 Steps AST:HW:Hardware:04, Compromise of console workstation via credential theft or session hijack.AST:SW:Software:04, Console operator software is launched with attacker credentials.SVC:CP:Control Plane:15, User-side access control authority issues a session.SVC:CP:Control Plane:13, Console operations service accepts the session and the operator can command.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:HW:Hardware:04Workstation authentication telemetry; console-host EDR events. Available; src-edr-console-001. AST:SW:Software:04Console operator software audit log; process-start events. Available; src-console-sw-002. SVC:CP:Control Plane:15User-side access control authority sign-in event stream. Available; src-idp-user-003. SVC:CP:Control Plane:13Console operations command audit; per-session command log. Available; src-console-ops-004.
Source Industry-reported credential-theft patterns against operator workstations. Confidence Medium. Pattern widely reported in enterprise IT.
AN-ATT:01 End-user application tampering via supply-chain compromise.Driven by AN:THR:Threat:00 (End-user application tampering) TOE chain SEG:US:User:00 → AST:SW:Software:08 → SVC:DP:Data Plane:02 → AST:DA:Data:04 Steps AST:SW:Software:08, Adversary replaces or modifies the end-user application binary.AST:DA:Data:04, Tampered application produces or modifies mission product data.SVC:DP:Data Plane:02, Modified product is presented to the user.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:SW:Software:08File-integrity-monitoring events; code-signing verification result. Available; src-fim-user-005. AST:DA:Data:04Mission-product data integrity log; per-product hash record. Available; src-mission-prod-006. SVC:DP:Data Plane:02User application data-plane audit; presentation-layer event stream. Available; src-user-dp-007.
Source SolarWinds Orion compromise (2020, CISA AA20-352A). Confidence Medium. Satellite-app analogue inferred from IT supply-chain pattern.
GROUND Ground Segment, 5 AN-ATT
ID AN-ATT ETEN
AN-ATT:02 Mass modem firmware-wipe via management-plane abuse: external VPN appliance compromise → management network access → abuse of the modem management interface → push of a wiper as firmware update → modem flash and SPI EEPROM overwritten.Driven by AN:THR:Threat:02 (Long-dwell ground-network intrusion) TOE chain SEG:GR:Ground:00 → SVC:CP:Control Plane:08 → SVC:CP:Control Plane:09 → AST:SW:Software:02 → AST:DA:Data:01 → AST:DA:Data:02 → AST:SW:Software:03 Steps SEG:GR:Ground:00, Compromise of external VPN appliance facing the management network.SVC:CP:Control Plane:08, Pivot into ground crypto / management control plane using VPN-derived credentials.SVC:CP:Control Plane:09, Ground access control authority issues subscriber-modem privileges.AST:SW:Software:03, Patch deployment software stages the wiper as a firmware update payload.AST:DA:Data:02, Patch binary store holds the malicious payload that will be pushed.AST:FW:Firmware:00, Modems flash the payload over their firmware.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform SEG:GR:Ground:00VPN appliance auth and session telemetry; egress NetFlow from the management subnet. Available; src-vpn-008. SVC:CP:Control Plane:08Ground-crypto authentication audit; management-plane authentication audit log. Available; src-mgmt-cp-009. SVC:CP:Control Plane:09Ground access control authority sign-in log; per-session command audit. Available; src-ground-aca-010. AST:SW:Software:03Patch-deployment software command audit; firmware-update API call log including payload hash. Available; src-patch-sw-011. AST:DA:Data:02Patch-binary hash audit; signed-manifest verification result. Available; src-patch-bin-012. AST:FW:Firmware:00Per-modem flash-write event with hash; signed-update verification result. Available; src-modem-fw-013.
Source Viasat post-incident report (30 March 2022); CISA AA22-110A; SentinelLabs AcidRain analysis. KA-SAT outage 24 Feb 2022. Confidence High. Matches the public reconstruction of the KA-SAT outage.
AN-ATT:03 Operator credential theft via phishing or credential stuffing on ground-station service accounts.Driven by AN:THR:Threat:03 (Operator credential theft) TOE chain SEG:GR:Ground:00 → AST:DA:Data:01 → SVC:CP:Control Plane:09 → SVC:CP:Control Plane:13 Steps AST:DA:Data:01, Operator credentials are stolen via phishing or replay.SVC:CP:Control Plane:09, Ground access control authority authenticates the stolen credentials.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:DA:Data:01Credential-store auth audit; impossible-travel detector input. Available; src-cred-audit-014. SVC:CP:Control Plane:09Identity-provider sign-in event stream; geolocation and device-fingerprint telemetry. Available; src-idp-ground-015.
Source MITRE ATT&CK T1078 (Valid Accounts). Confidence Medium. Per-operator details non-public.
AN-ATT:04 Privileged insider with command authority issues unauthorized commands directly from a commanding workstation.Driven by AN:THR:Threat:04 (Privileged insider misuse) TOE chain SEG:GR:Ground:00 → AST:HW:Hardware:04 → AST:SW:Software:04 → SVC:CP:Control Plane:13 → SVC:CP:Control Plane:09 Steps AST:HW:Hardware:04, Insider with legitimate access uses the operator console.AST:SW:Software:04, Console operator software issues high-impact commands without peer review.SVC:CP:Control Plane:13, Console operations service executes the commands.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:HW:Hardware:04Per-operator console-usage stream; workstation EDR baseline. Available; src-console-baseline-016. AST:SW:Software:04Console operator software command audit; peer-review tag stream. Partial; peer-review tag stream depends on workflow adoption. Owner: SOC ops. SVC:CP:Control Plane:13Console operations command audit; per-command cadence baseline. Available; src-console-ops-017.
Source MITRE ATT&CK T1078.003; NIST SP 800-53 PS-7. Confidence Medium. Insider patterns well-documented.
AN-ATT:05 Lateral movement from compromised operator workstation through the operator network into mission-control hosts.Driven by AN:THR:Threat:05 (Lateral movement to mission control) TOE chain SEG:GR:Ground:00 → AST:HW:Hardware:04 → AST:SW:Software:04 → SVC:CP:Control Plane:13 → SVC:CP:Control Plane:09 Steps AST:HW:Hardware:04, Compromised operator workstation initiates east-west connections.SVC:CP:Control Plane:13, Console operations host receives connections outside the allow-list.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:HW:Hardware:04Workstation connection logs; EDR process-network event stream. Available; src-edr-net-018. SVC:CP:Control Plane:13East-west network flow telemetry; allow-list configuration source. Available; src-netflow-mc-019.
Source MITRE ATT&CK TA0008 (Lateral Movement). Confidence Medium. Pattern enterprise-standard.
AN-ATT:06 Ransomware against the launch-control / patch-deployment pipeline.Driven by AN:THR:Threat:06 (Ransomware against launch infrastructure) TOE chain SEG:GR:Ground:00 → SVC:CP:Control Plane:10 → SVC:CP:Control Plane:12 → AST:DA:Data:02 → AST:SW:Software:03 Steps SEG:GR:Ground:00, Ransomware actor obtains foothold on ground infrastructure.SVC:CP:Control Plane:10, Mass-encryption activity hits launch-control file systems.AST:DA:Data:02, Patch binary store is encrypted, breaking the deployment pipeline.SVC:CP:Control Plane:12, Patch-update service cannot ship to the platform.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform SEG:GR:Ground:00Initial-access telemetry: VPN auth, phishing-click, public-facing service auth log. Available; src-init-access-020. SVC:CP:Control Plane:10Launch-control host FIM; entropy-shift indicator stream. Available; src-fim-launch-021. AST:DA:Data:02Patch-binary integrity stream; backup-system event audit. Available; src-patch-integrity-022. SVC:CP:Control Plane:12Patch-update service availability monitor; dispatch-failure event stream. Available; src-patch-svc-023.
Source CISA Stop Ransomware advisories. Confidence Medium. Ransomware well-documented in IT; satellite launch-control incidents rare.
LINK Link Segment, 3 AN-ATT
ID AN-ATT ETEN
AN-ATT:07 Sustained RF noise injection across uplink/downlink bands.Driven by AN:THR:Threat:07 (Jamming campaign) TOE chain SEG:LI:Link:00 → SVC:CP:Control Plane:05 → SVC:HY:Hybrid:01 → SVC:HY:Hybrid:02 → AST:SI:Signal:00 Steps AST:SI:Signal:00, Adversary radiates interference across uplink or downlink bands.SVC:HY:Hybrid:02, Tracking service sees sustained noise-floor anomaly.SVC:CP:Control Plane:05, Link access control authority logs degraded authentication outcomes.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:SI:Signal:00Per-band SNR and BER telemetry from the ground receiver. Available; src-rx-rf-024. SVC:HY:Hybrid:02Tracking noise-floor stream; out-of-band emission monitor. Available; src-tnt-noise-025. SVC:CP:Control Plane:05Link ACA failure-rate stream; space-weather correlation feed. Available; src-link-aca-026.
Source Reported jamming during Russia–Ukraine conflict (2022–2024); ITU interference reports. Confidence High. Directly reported.
AN-ATT:08 Replay-and-spoof against the uplink command waveform paired with stolen session keys.Driven by AN:THR:Threat:08 (Replay-and-spoof on uplink) TOE chain SEG:LI:Link:00 → AST:SI:Signal:00 → AST:DA:Data:00 → SVC:CP:Control Plane:05 → SVC:CP:Control Plane:09 Steps AST:DA:Data:00, Adversary captures a legitimate command waveform with valid auth tags.AST:SI:Signal:00, Captured waveform is replayed with altered timing.SVC:CP:Control Plane:05, Link access control authority accepts the replayed command.SVC:CP:Control Plane:09, Ground-side key-material audit shows session keys appearing where not expected.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:DA:Data:00Link auth credential sequence-number log; replay-window record. Partial; sequence-number persistence depends on retention. Owner: SatDev/Eng. AST:SI:Signal:00Uplink command-timing telemetry; on-board command-cadence baseline. Available; src-uplink-timing-027. SVC:CP:Control Plane:05Link access control authority auth audit; out-of-band ACK stream. Available; src-link-aca-028. SVC:CP:Control Plane:09Ground-side key-material audit; key-usage event correlation. Available; src-key-mat-029.
Source Aerospace Corp. SPARTA SPACE-T1428 (Replay Attacks). Confidence Medium. Theoretically grounded; public attribution limited.
AN-ATT:09 Passive downlink interception by collector with sufficient antenna gain.Driven by AN:THR:Threat:09 (Downlink interception) TOE chain SEG:LI:Link:00 → AST:SI:Signal:00 → AST:SW:Software:01 → SVC:HY:Hybrid:02 Steps AST:SI:Signal:00, Adversary collects downlink signal off-air.SVC:DP:Data Plane:00, Intercepted mission product is later disclosed externally.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:SI:Signal:00No on-platform observable: downlink interception is passive. GAP; primary mitigation is end-to-end downlink encryption (AN-RES:09). SVC:DP:Data Plane:00External: OSINT collection monitor; threat-intel feeds for leaked mission-product mentions. Available; src-osint-disclosure-030.
Source SPARTA SPACE-T1427 (Eavesdropping on Communications). Confidence High. Widely documented.
SPACE Space Segment, 4 AN-ATT
ID AN-ATT ETEN
AN-ATT:10 Destructive bus attack chained from a stolen command path: attacker reaches command authority, issues sequences ADCS/EPS/FTS will execute.Driven by AN:THR:Threat:10 (Destructive bus attack) TOE chain SEG:SP:Space:00 → SVC:CP:Control Plane:00 → SVC:CP:Control Plane:02 → SVC:CP:Control Plane:03 → AST:HW:Hardware:00 → AST:SW:Software:00 → AST:HW:Hardware:01 → AST:HW:Hardware:02 → AST:FW:Firmware:00 Steps SVC:CP:Control Plane:00, Adversary issues attitude-control command that violates operational envelope.AST:SW:Software:00, ADCS flight software accepts and executes the destructive command.SVC:CP:Control Plane:03, Flight-termination service arms outside permitted window.AST:FW:Firmware:00, FTS firmware logs the destructive command sequence.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform SVC:CP:Control Plane:00ADCS command-acceptance log; envelope-check telemetry stream. Available; src-adcs-cmd-031. AST:SW:Software:00ADCS flight software command audit; runtime-state telemetry. Available; src-adcs-fsw-032. SVC:CP:Control Plane:03FTS arming-window state; arming-command telemetry. Available; src-fts-arm-033. AST:FW:Firmware:00FTS firmware accepted-command log; envelope-violation telemetry. Available; src-fts-fw-034.
Source SPARTA SPACE-T1029 (Disrupt). Galaxy 15 (2010) as illustrative bus-failure consequence. Confidence Medium. No public attribution of a successful end-to-end destructive cyber attack on a Western commercial bus.
AN-ATT:11 Command-path integrity attack: attacker manipulates C&DH or the space-side cryptographic service so subsequent commands are accepted as authorized.Driven by AN:THR:Threat:11 (Command-path integrity attack) TOE chain SEG:SP:Space:00 → SVC:HY:Hybrid:00 → SVC:CP:Control Plane:01 → AST:HW:Hardware:06 → AST:FW:Firmware:01 → AST:SW:Software:06 Steps SVC:HY:Hybrid:00, C&DH accepts a command-path modification.AST:HW:Hardware:06, On-board computer state changes outside authorized sequence.AST:FW:Firmware:01, OBC boot firmware reports modified attestation hash at next boot.AST:SW:Software:06, C&DH flight software runs a modified image.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform SVC:HY:Hybrid:00C&DH command-acceptance audit; per-command attestation correlation. Available; src-cdh-cmd-035. AST:HW:Hardware:06On-board computer attestation report; runtime state-hash stream. Available; src-obc-attest-036. AST:FW:Firmware:01OBC boot firmware attestation hash; boot-cycle attestation event. Available; src-obc-boot-037. AST:SW:Software:06Running-image hash stream; correlation against accepted-command log. Available; src-cdh-fsw-038.
Source SPARTA SPACE-T1014 (Software Modification) and SPACE-T1042 (Compromise Software Supply Chain). Confidence Medium. Specific Western on-orbit incidents not publicly disclosed.
AN-ATT:12 Pre-launch firmware supply-chain compromise: malicious firmware reaches a vendor build pipeline, ships into a flight component, runs in orbit after launch.Driven by AN:THR:Threat:12 (Supply-chain firmware compromise) TOE chain SEG:SP:Space:00 → SVC:CP:Control Plane:03 → SVC:CP:Control Plane:04 → SVC:CP:Control Plane:02 → AST:FW:Firmware:00 → AST:FW:Firmware:01 → AST:FW:Firmware:02 Steps AST:FW:Firmware:00, Adversary substitutes tampered FTS firmware build in the supply.AST:FW:Firmware:01, Tampered OBC firmware delivered through the same supply chain.AST:FW:Firmware:02, Tampered payload firmware delivered through the same supply chain.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:FW:Firmware:00Hardware-integration-lab measured-boot attestation; vendor signed manifest. Available; src-fts-supply-039. AST:FW:Firmware:01Hardware-integration-lab attestation; SLSA provenance attestation. Available; src-obc-supply-040. AST:FW:Firmware:02Hardware-integration-lab attestation for payload firmware; vendor signed manifest. Available; src-pl-supply-041.
Source SolarWinds (2020, CISA AA20-352A); CCleaner (2017); SPARTA SPACE-T1041. Confidence Medium. Pattern well-documented in IT; satellite firmware analogue structurally identical.
AN-ATT:13 Payload-data tampering between the science instrument and the downlink encryptor.Driven by AN:THR:Threat:13 (Payload-data tampering) TOE chain SEG:SP:Space:00 → SVC:DP:Data Plane:00 → SVC:DP:Data Plane:01 → AST:HW:Hardware:07 → AST:FW:Firmware:02 Steps AST:HW:Hardware:07, Payload electronics produce a mission product; on-board signing applies the platform signature.SVC:DP:Data Plane:01, Payload data plane carries the signed product to the ground.AST:DA:Data:04, Mission product is delivered to consumers with the on-board signature.Data and Signal Source Inventory Path Step (TOE) Required Data / Signal Source Status on Platform AST:HW:Hardware:07On-board mission-product signing log; per-product signature record. Available; src-pl-sign-042. SVC:DP:Data Plane:01Payload data plane signature-verification result at downlink; integrity-check audit. Available; src-pl-dp-043. AST:DA:Data:04Mission product service signature-verification event; consumer integrity-receipt log. Available; src-mission-receipt-044.
Source SPARTA SPACE-T1059 (Modify On-Board Values). Confidence Low–Medium. No public reports of a successful attack of this kind.
Module 03 Enumerated Attack Paths · Full Spectrum Space Cybersecurity Professional
14 AN-ATT · User 2 + Ground 5 + Link 3 + Space 4