Save these enumerated attack paths as a PDF using your browser’s print dialog.

← Back to module
Full Spectrum Space Cybersecurity Professional

Day 3 Enumerated Attack Paths

14 AN-ATT ETENs, One per Threat, Walked with SatDev/Eng

Fourteen attack paths against the platform. Each entry’s TOE chain names the services and assets the attacker would touch in order; each entry cites the public reporting or framework reference the path is anchored to.

USER
2
AN-ATT
GROUND
5
AN-ATT
LINK
3
AN-ATT
SPACE
4
AN-ATT
Exported byverifying identity…
Exported at
ClassificationTLP:GREEN · SCORP² community only
DistributionInternal cohort and confirmed instructors only
TLP:GREEN SCORP² community only · do not redistribute outside cohort
Exported by: Exported at: Distribution: Internal cohort + confirmed instructors
If you received this file from outside the cohort, please notify william.o.ferguson@ethicallyhacking.space and delete it.

Cumulative Decomposition Diagram

The complete artifact stack against the reference platform as of end of this module. New layer added this module is highlighted; prior layers show as context.

Cumulative decomposition diagram

How to Read

Each entry is one AN-ATT (attack path). The ID is the AN:ATT:Attack Path:ORDINAL identifier. The Description narrates the path end to end. Driven by links the path to its parent AN-THR. TOE chain names every service and asset the attacker touches in traversal order. Source cites the public reporting the path is anchored to. Confidence is a one-line analyst assessment of how strongly the path is supported by the public record.

USERUser Segment, 2 AN-ATT

IDAN-ATT ETEN
AN-ATT:00Operator-console credential theft via spear-phishing or credential stuffing.Driven byAN:THR:Threat:01 (Console credential theft)TOE chainSEG:US:User:00 → SVC:CP:Control Plane:13 → AST:HW:Hardware:04 → AST:DA:Data:03 → SVC:CP:Control Plane:15Steps
  1. AST:HW:Hardware:04, Compromise of console workstation via credential theft or session hijack.
  2. AST:SW:Software:04, Console operator software is launched with attacker credentials.
  3. SVC:CP:Control Plane:15, User-side access control authority issues a session.
  4. SVC:CP:Control Plane:13, Console operations service accepts the session and the operator can command.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:HW:Hardware:04Workstation authentication telemetry; console-host EDR events.Available; src-edr-console-001.
AST:SW:Software:04Console operator software audit log; process-start events.Available; src-console-sw-002.
SVC:CP:Control Plane:15User-side access control authority sign-in event stream.Available; src-idp-user-003.
SVC:CP:Control Plane:13Console operations command audit; per-session command log.Available; src-console-ops-004.
SourceIndustry-reported credential-theft patterns against operator workstations.ConfidenceMedium. Pattern widely reported in enterprise IT.
AN-ATT:01End-user application tampering via supply-chain compromise.Driven byAN:THR:Threat:00 (End-user application tampering)TOE chainSEG:US:User:00 → AST:SW:Software:08 → SVC:DP:Data Plane:02 → AST:DA:Data:04Steps
  1. AST:SW:Software:08, Adversary replaces or modifies the end-user application binary.
  2. AST:DA:Data:04, Tampered application produces or modifies mission product data.
  3. SVC:DP:Data Plane:02, Modified product is presented to the user.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:SW:Software:08File-integrity-monitoring events; code-signing verification result.Available; src-fim-user-005.
AST:DA:Data:04Mission-product data integrity log; per-product hash record.Available; src-mission-prod-006.
SVC:DP:Data Plane:02User application data-plane audit; presentation-layer event stream.Available; src-user-dp-007.
SourceSolarWinds Orion compromise (2020, CISA AA20-352A).ConfidenceMedium. Satellite-app analogue inferred from IT supply-chain pattern.

GROUNDGround Segment, 5 AN-ATT

IDAN-ATT ETEN
AN-ATT:02Mass modem firmware-wipe via management-plane abuse: external VPN appliance compromise → management network access → abuse of the modem management interface → push of a wiper as firmware update → modem flash and SPI EEPROM overwritten.Driven byAN:THR:Threat:02 (Long-dwell ground-network intrusion)TOE chainSEG:GR:Ground:00 → SVC:CP:Control Plane:08 → SVC:CP:Control Plane:09 → AST:SW:Software:02 → AST:DA:Data:01 → AST:DA:Data:02 → AST:SW:Software:03Steps
  1. SEG:GR:Ground:00, Compromise of external VPN appliance facing the management network.
  2. SVC:CP:Control Plane:08, Pivot into ground crypto / management control plane using VPN-derived credentials.
  3. SVC:CP:Control Plane:09, Ground access control authority issues subscriber-modem privileges.
  4. AST:SW:Software:03, Patch deployment software stages the wiper as a firmware update payload.
  5. AST:DA:Data:02, Patch binary store holds the malicious payload that will be pushed.
  6. AST:FW:Firmware:00, Modems flash the payload over their firmware.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
SEG:GR:Ground:00VPN appliance auth and session telemetry; egress NetFlow from the management subnet.Available; src-vpn-008.
SVC:CP:Control Plane:08Ground-crypto authentication audit; management-plane authentication audit log.Available; src-mgmt-cp-009.
SVC:CP:Control Plane:09Ground access control authority sign-in log; per-session command audit.Available; src-ground-aca-010.
AST:SW:Software:03Patch-deployment software command audit; firmware-update API call log including payload hash.Available; src-patch-sw-011.
AST:DA:Data:02Patch-binary hash audit; signed-manifest verification result.Available; src-patch-bin-012.
AST:FW:Firmware:00Per-modem flash-write event with hash; signed-update verification result.Available; src-modem-fw-013.
SourceViasat post-incident report (30 March 2022); CISA AA22-110A; SentinelLabs AcidRain analysis. KA-SAT outage 24 Feb 2022.ConfidenceHigh. Matches the public reconstruction of the KA-SAT outage.
AN-ATT:03Operator credential theft via phishing or credential stuffing on ground-station service accounts.Driven byAN:THR:Threat:03 (Operator credential theft)TOE chainSEG:GR:Ground:00 → AST:DA:Data:01 → SVC:CP:Control Plane:09 → SVC:CP:Control Plane:13Steps
  1. AST:DA:Data:01, Operator credentials are stolen via phishing or replay.
  2. SVC:CP:Control Plane:09, Ground access control authority authenticates the stolen credentials.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:DA:Data:01Credential-store auth audit; impossible-travel detector input.Available; src-cred-audit-014.
SVC:CP:Control Plane:09Identity-provider sign-in event stream; geolocation and device-fingerprint telemetry.Available; src-idp-ground-015.
SourceMITRE ATT&CK T1078 (Valid Accounts).ConfidenceMedium. Per-operator details non-public.
AN-ATT:04Privileged insider with command authority issues unauthorized commands directly from a commanding workstation.Driven byAN:THR:Threat:04 (Privileged insider misuse)TOE chainSEG:GR:Ground:00 → AST:HW:Hardware:04 → AST:SW:Software:04 → SVC:CP:Control Plane:13 → SVC:CP:Control Plane:09Steps
  1. AST:HW:Hardware:04, Insider with legitimate access uses the operator console.
  2. AST:SW:Software:04, Console operator software issues high-impact commands without peer review.
  3. SVC:CP:Control Plane:13, Console operations service executes the commands.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:HW:Hardware:04Per-operator console-usage stream; workstation EDR baseline.Available; src-console-baseline-016.
AST:SW:Software:04Console operator software command audit; peer-review tag stream.Partial; peer-review tag stream depends on workflow adoption. Owner: SOC ops.
SVC:CP:Control Plane:13Console operations command audit; per-command cadence baseline.Available; src-console-ops-017.
SourceMITRE ATT&CK T1078.003; NIST SP 800-53 PS-7.ConfidenceMedium. Insider patterns well-documented.
AN-ATT:05Lateral movement from compromised operator workstation through the operator network into mission-control hosts.Driven byAN:THR:Threat:05 (Lateral movement to mission control)TOE chainSEG:GR:Ground:00 → AST:HW:Hardware:04 → AST:SW:Software:04 → SVC:CP:Control Plane:13 → SVC:CP:Control Plane:09Steps
  1. AST:HW:Hardware:04, Compromised operator workstation initiates east-west connections.
  2. SVC:CP:Control Plane:13, Console operations host receives connections outside the allow-list.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:HW:Hardware:04Workstation connection logs; EDR process-network event stream.Available; src-edr-net-018.
SVC:CP:Control Plane:13East-west network flow telemetry; allow-list configuration source.Available; src-netflow-mc-019.
SourceMITRE ATT&CK TA0008 (Lateral Movement).ConfidenceMedium. Pattern enterprise-standard.
AN-ATT:06Ransomware against the launch-control / patch-deployment pipeline.Driven byAN:THR:Threat:06 (Ransomware against launch infrastructure)TOE chainSEG:GR:Ground:00 → SVC:CP:Control Plane:10 → SVC:CP:Control Plane:12 → AST:DA:Data:02 → AST:SW:Software:03Steps
  1. SEG:GR:Ground:00, Ransomware actor obtains foothold on ground infrastructure.
  2. SVC:CP:Control Plane:10, Mass-encryption activity hits launch-control file systems.
  3. AST:DA:Data:02, Patch binary store is encrypted, breaking the deployment pipeline.
  4. SVC:CP:Control Plane:12, Patch-update service cannot ship to the platform.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
SEG:GR:Ground:00Initial-access telemetry: VPN auth, phishing-click, public-facing service auth log.Available; src-init-access-020.
SVC:CP:Control Plane:10Launch-control host FIM; entropy-shift indicator stream.Available; src-fim-launch-021.
AST:DA:Data:02Patch-binary integrity stream; backup-system event audit.Available; src-patch-integrity-022.
SVC:CP:Control Plane:12Patch-update service availability monitor; dispatch-failure event stream.Available; src-patch-svc-023.
SourceCISA Stop Ransomware advisories.ConfidenceMedium. Ransomware well-documented in IT; satellite launch-control incidents rare.

LINKLink Segment, 3 AN-ATT

IDAN-ATT ETEN
AN-ATT:07Sustained RF noise injection across uplink/downlink bands.Driven byAN:THR:Threat:07 (Jamming campaign)TOE chainSEG:LI:Link:00 → SVC:CP:Control Plane:05 → SVC:HY:Hybrid:01 → SVC:HY:Hybrid:02 → AST:SI:Signal:00Steps
  1. AST:SI:Signal:00, Adversary radiates interference across uplink or downlink bands.
  2. SVC:HY:Hybrid:02, Tracking service sees sustained noise-floor anomaly.
  3. SVC:CP:Control Plane:05, Link access control authority logs degraded authentication outcomes.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:SI:Signal:00Per-band SNR and BER telemetry from the ground receiver.Available; src-rx-rf-024.
SVC:HY:Hybrid:02Tracking noise-floor stream; out-of-band emission monitor.Available; src-tnt-noise-025.
SVC:CP:Control Plane:05Link ACA failure-rate stream; space-weather correlation feed.Available; src-link-aca-026.
SourceReported jamming during Russia–Ukraine conflict (2022–2024); ITU interference reports.ConfidenceHigh. Directly reported.
AN-ATT:08Replay-and-spoof against the uplink command waveform paired with stolen session keys.Driven byAN:THR:Threat:08 (Replay-and-spoof on uplink)TOE chainSEG:LI:Link:00 → AST:SI:Signal:00 → AST:DA:Data:00 → SVC:CP:Control Plane:05 → SVC:CP:Control Plane:09Steps
  1. AST:DA:Data:00, Adversary captures a legitimate command waveform with valid auth tags.
  2. AST:SI:Signal:00, Captured waveform is replayed with altered timing.
  3. SVC:CP:Control Plane:05, Link access control authority accepts the replayed command.
  4. SVC:CP:Control Plane:09, Ground-side key-material audit shows session keys appearing where not expected.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:DA:Data:00Link auth credential sequence-number log; replay-window record.Partial; sequence-number persistence depends on retention. Owner: SatDev/Eng.
AST:SI:Signal:00Uplink command-timing telemetry; on-board command-cadence baseline.Available; src-uplink-timing-027.
SVC:CP:Control Plane:05Link access control authority auth audit; out-of-band ACK stream.Available; src-link-aca-028.
SVC:CP:Control Plane:09Ground-side key-material audit; key-usage event correlation.Available; src-key-mat-029.
SourceAerospace Corp. SPARTA SPACE-T1428 (Replay Attacks).ConfidenceMedium. Theoretically grounded; public attribution limited.
AN-ATT:09Passive downlink interception by collector with sufficient antenna gain.Driven byAN:THR:Threat:09 (Downlink interception)TOE chainSEG:LI:Link:00 → AST:SI:Signal:00 → AST:SW:Software:01 → SVC:HY:Hybrid:02Steps
  1. AST:SI:Signal:00, Adversary collects downlink signal off-air.
  2. SVC:DP:Data Plane:00, Intercepted mission product is later disclosed externally.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:SI:Signal:00No on-platform observable: downlink interception is passive.GAP; primary mitigation is end-to-end downlink encryption (AN-RES:09).
SVC:DP:Data Plane:00External: OSINT collection monitor; threat-intel feeds for leaked mission-product mentions.Available; src-osint-disclosure-030.
SourceSPARTA SPACE-T1427 (Eavesdropping on Communications).ConfidenceHigh. Widely documented.

SPACESpace Segment, 4 AN-ATT

IDAN-ATT ETEN
AN-ATT:10Destructive bus attack chained from a stolen command path: attacker reaches command authority, issues sequences ADCS/EPS/FTS will execute.Driven byAN:THR:Threat:10 (Destructive bus attack)TOE chainSEG:SP:Space:00 → SVC:CP:Control Plane:00 → SVC:CP:Control Plane:02 → SVC:CP:Control Plane:03 → AST:HW:Hardware:00 → AST:SW:Software:00 → AST:HW:Hardware:01 → AST:HW:Hardware:02 → AST:FW:Firmware:00Steps
  1. SVC:CP:Control Plane:00, Adversary issues attitude-control command that violates operational envelope.
  2. AST:SW:Software:00, ADCS flight software accepts and executes the destructive command.
  3. SVC:CP:Control Plane:03, Flight-termination service arms outside permitted window.
  4. AST:FW:Firmware:00, FTS firmware logs the destructive command sequence.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
SVC:CP:Control Plane:00ADCS command-acceptance log; envelope-check telemetry stream.Available; src-adcs-cmd-031.
AST:SW:Software:00ADCS flight software command audit; runtime-state telemetry.Available; src-adcs-fsw-032.
SVC:CP:Control Plane:03FTS arming-window state; arming-command telemetry.Available; src-fts-arm-033.
AST:FW:Firmware:00FTS firmware accepted-command log; envelope-violation telemetry.Available; src-fts-fw-034.
SourceSPARTA SPACE-T1029 (Disrupt). Galaxy 15 (2010) as illustrative bus-failure consequence.ConfidenceMedium. No public attribution of a successful end-to-end destructive cyber attack on a Western commercial bus.
AN-ATT:11Command-path integrity attack: attacker manipulates C&DH or the space-side cryptographic service so subsequent commands are accepted as authorized.Driven byAN:THR:Threat:11 (Command-path integrity attack)TOE chainSEG:SP:Space:00 → SVC:HY:Hybrid:00 → SVC:CP:Control Plane:01 → AST:HW:Hardware:06 → AST:FW:Firmware:01 → AST:SW:Software:06Steps
  1. SVC:HY:Hybrid:00, C&DH accepts a command-path modification.
  2. AST:HW:Hardware:06, On-board computer state changes outside authorized sequence.
  3. AST:FW:Firmware:01, OBC boot firmware reports modified attestation hash at next boot.
  4. AST:SW:Software:06, C&DH flight software runs a modified image.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
SVC:HY:Hybrid:00C&DH command-acceptance audit; per-command attestation correlation.Available; src-cdh-cmd-035.
AST:HW:Hardware:06On-board computer attestation report; runtime state-hash stream.Available; src-obc-attest-036.
AST:FW:Firmware:01OBC boot firmware attestation hash; boot-cycle attestation event.Available; src-obc-boot-037.
AST:SW:Software:06Running-image hash stream; correlation against accepted-command log.Available; src-cdh-fsw-038.
SourceSPARTA SPACE-T1014 (Software Modification) and SPACE-T1042 (Compromise Software Supply Chain).ConfidenceMedium. Specific Western on-orbit incidents not publicly disclosed.
AN-ATT:12Pre-launch firmware supply-chain compromise: malicious firmware reaches a vendor build pipeline, ships into a flight component, runs in orbit after launch.Driven byAN:THR:Threat:12 (Supply-chain firmware compromise)TOE chainSEG:SP:Space:00 → SVC:CP:Control Plane:03 → SVC:CP:Control Plane:04 → SVC:CP:Control Plane:02 → AST:FW:Firmware:00 → AST:FW:Firmware:01 → AST:FW:Firmware:02Steps
  1. AST:FW:Firmware:00, Adversary substitutes tampered FTS firmware build in the supply.
  2. AST:FW:Firmware:01, Tampered OBC firmware delivered through the same supply chain.
  3. AST:FW:Firmware:02, Tampered payload firmware delivered through the same supply chain.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:FW:Firmware:00Hardware-integration-lab measured-boot attestation; vendor signed manifest.Available; src-fts-supply-039.
AST:FW:Firmware:01Hardware-integration-lab attestation; SLSA provenance attestation.Available; src-obc-supply-040.
AST:FW:Firmware:02Hardware-integration-lab attestation for payload firmware; vendor signed manifest.Available; src-pl-supply-041.
SourceSolarWinds (2020, CISA AA20-352A); CCleaner (2017); SPARTA SPACE-T1041.ConfidenceMedium. Pattern well-documented in IT; satellite firmware analogue structurally identical.
AN-ATT:13Payload-data tampering between the science instrument and the downlink encryptor.Driven byAN:THR:Threat:13 (Payload-data tampering)TOE chainSEG:SP:Space:00 → SVC:DP:Data Plane:00 → SVC:DP:Data Plane:01 → AST:HW:Hardware:07 → AST:FW:Firmware:02Steps
  1. AST:HW:Hardware:07, Payload electronics produce a mission product; on-board signing applies the platform signature.
  2. SVC:DP:Data Plane:01, Payload data plane carries the signed product to the ground.
  3. AST:DA:Data:04, Mission product is delivered to consumers with the on-board signature.
Data and Signal Source Inventory
Path Step (TOE)Required Data / Signal SourceStatus on Platform
AST:HW:Hardware:07On-board mission-product signing log; per-product signature record.Available; src-pl-sign-042.
SVC:DP:Data Plane:01Payload data plane signature-verification result at downlink; integrity-check audit.Available; src-pl-dp-043.
AST:DA:Data:04Mission product service signature-verification event; consumer integrity-receipt log.Available; src-mission-receipt-044.
SourceSPARTA SPACE-T1059 (Modify On-Board Values).ConfidenceLow–Medium. No public reports of a successful attack of this kind.