Use Case 2 · Viasat KA-SAT worked example
Adversary Management produces two outputs: AN-RES resilience measures that remove the structural elements an adversary keeps reaching for, and an adversary profile that captures who that adversary is and how they operate. Resilience measures attach via TRE (Target of Resilience Enhancement) to the structural element they protect, mapped to one of the four TRE objectives (per NIST SP 800-160 v2): Anticipate, Withstand, Recover, Adapt.
The enumerated elements this example builds on:

- AST : FW : Firmware : 00 · SurfBeam2 modem firmware.
- AN : THR : Threat : 00 · Sandworm. TOE → Firmware.
- AN : ATT : Attack Path : 00 · VPN compromise → mgmt control plane → modem mgmt software → firmware overwrite.
- AN : DET : Detection Signature : 00 · RootA rule on unauthorized firmware push.

The record below captures one concrete resilience measure that shrinks the attack surface on the firmware element. It drives the firmware-overwrite step of the upstream attack path toward failure for this adversary, even when the earlier steps succeed.
| Field | Value |
|---|---|
| Identifier | AN : RES : Resilience Measure : 00 |
| Description | Vendor-signed firmware updates with anti-rollback enforcement, modem-side signature verification before flash, and an out-of-band recovery image protected in dedicated storage that can be restored via local management when network management is compromised. |
| TRE | AN : RES : Resilience Measure : 00 via TRE → AST : FW : Firmware : 00 |
| TRE Objective | Withstand, with secondary contribution to Recover via the OOB recovery image. |
| Removes attack surface from | AN : ATT : Attack Path : 00 step 04. Even with management-plane access, an adversary cannot deliver a working malicious firmware payload because modem-side signature verification rejects it; if delivered, anti-rollback prevents downgrade to a vulnerable image; if flashed and bricked, OOB recovery restores service. |
| Test result | Verified in resilience test RT-FW-2026-Q2: synthetic unsigned payload rejected at modem; downgrade to known-vulnerable image rejected; OOB recovery from intentionally bricked unit completed in < 30 minutes per modem. |
| Source | Resilience baseline RES-FW-2026-Q2; design specification doc-fwres-005. |
| Field | Required? | What to capture |
|---|---|---|
| LAYER / TAG / LABEL / ORDINAL | Required | Always AN : RES : Resilience Measure : NN. |
| DESCRIPTION | Required | What the measure does, in plain English. Concrete, not aspirational. |
| TRE | Required | Fully-qualified enumerated identifier of the structural element the measure protects. Not TOE or TDM. |
| TRE OBJECTIVE | Required | One of Anticipate, Withstand, Recover, Adapt (per NIST SP 800-160 v2). Note any secondary contributions. |
| REMOVES ATTACK SURFACE FROM | Required | The AN-ATT step or steps the measure addresses. Resilience without a target attack path is gold-plating. |
| TEST RESULT | Required | How the measure was validated. A measure with no test does not graduate. |
| SOURCE | Required | Resilience baseline document and test report. |
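The field rules above are mechanical enough to enforce before a record enters the baseline. The following validator is an added example, not tooling from the framework; it assumes structural elements live in the AST layer, that attack-path steps are written `AN : ATT : Attack Path : NN step NN`, and that a TRE field may not use a TOE or TDM relation.

```python
import re
from dataclasses import dataclass

# Hypothetical AN-RES record validator (added example, not the framework's own tooling).
# Assumed conventions: TRE targets an AST-layer element; step references read
# "AN : ATT : Attack Path : NN step NN"; "via TOE" / "via TDM" are rejected as TRE relations.
RES_ID = re.compile(r"^AN : RES : Resilience Measure : \d{2}$")
ELEMENT_ID = re.compile(r"^(?P<layer>[A-Z]{2,3}) : (?P<tag>[A-Z]{2,3}) : (?P<label>[A-Za-z ]+) : (?P<ordinal>\d{2})$")
ATT_STEP = re.compile(r"^AN : ATT : Attack Path : \d{2} step \d{2}$")
OBJECTIVES = {"Anticipate", "Withstand", "Recover", "Adapt"}  # NIST SP 800-160 v2

@dataclass
class ResilienceMeasure:
    identifier: str
    description: str
    tre: str                    # bare element id, or "<measure> via TRE → <element>"
    tre_objective: str          # primary objective first; secondary noted after a comma
    removes_surface_from: list  # one AN-ATT step reference per entry
    test_result: str
    source: str

def validate(m: ResilienceMeasure) -> list:
    """Return findings; an empty list means the record graduates into the baseline."""
    findings = []
    if not RES_ID.match(m.identifier):
        findings.append("identifier must be AN : RES : Resilience Measure : NN")
    if not m.description.strip():
        findings.append("description is required")
    target = ELEMENT_ID.match(m.tre.rpartition("→")[2].strip())
    if target is None or target["layer"] != "AST" or re.search(r"via (TOE|TDM)", m.tre):
        findings.append("TRE must be a fully-qualified AST structural element, not TOE or TDM")
    if m.tre_objective.split(",")[0].strip() not in OBJECTIVES:
        findings.append("TRE objective must be Anticipate, Withstand, Recover or Adapt")
    if not m.removes_surface_from or not all(ATT_STEP.match(s) for s in m.removes_surface_from):
        findings.append("must name at least one AN-ATT attack-path step (gold-plating otherwise)")
    if not m.test_result.strip():
        findings.append("no test result: measure does not graduate")
    if not m.source.strip():
        findings.append("source baseline and test report are required")
    return findings

# The page's KA-SAT record, constructed here as sample input (description abbreviated).
KA_SAT_MEASURE = ResilienceMeasure(
    identifier="AN : RES : Resilience Measure : 00",
    description="Vendor-signed firmware updates with anti-rollback enforcement and OOB recovery image",
    tre="AN : RES : Resilience Measure : 00 via TRE → AST : FW : Firmware : 00",
    tre_objective="Withstand, with secondary contribution to Recover via the OOB recovery image",
    removes_surface_from=["AN : ATT : Attack Path : 00 step 04"],
    test_result="Verified in resilience test RT-FW-2026-Q2",
    source="Resilience baseline RES-FW-2026-Q2; design specification doc-fwres-005",
)
```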
AN-ATT paths and many AN-THR entries. The firmware element here recurs because it is the final objective in the demonstrated path; that recurrence justifies the measure.
Each enumerated AN-THR element carries a structured adversary profile. Use this template as the field set for any new threat the team catalogues. The Viasat-anchored example below shows the template filled in for AN : THR : Threat : 00.
| Field | What to capture |
|---|---|
| PRIMARY NAME | The most-recognized public name for the adversary group. |
| ALIASES | All known aliases, vendor-tracking codes, and sub-group names. |
| ATTRIBUTION | State sponsor (if any), tracked unit number, public attribution sources. Mark unattributed when no attribution exists. |
| MOTIVATION | Espionage, disruption, financial, hacktivism, mixed; cite evidence. |
| CAPABILITIES (TTPs) | Demonstrated tactics, techniques, and procedures, especially the ones that anchor to the AN-THR's TOE. |
| TARGETS / SECTORS | Sectors and target classes the group has demonstrated against; useful for sector-pattern matching. |
| KNOWN OPERATIONS | Reverse-chronological list of named operations the group has been credited with; one line each with date and primary source. |
| SIGNATURES LEFT BEHIND | Tooling lineage, code reuse patterns, infrastructure preferences, IOC families. |
| CONFIDENCE | High / medium / low for the attribution and capability claims, with one-line rationale. |
| SOURCE | The set of artifacts the profile draws from: government attributions, vendor reports, ISAC bulletins, peer-shared profiles. Specific enough that someone else can open them. |
| Primary name | Sandworm |
|---|---|
| Aliases | Voodoo Bear, BlackEnergy actor, IRIDIUM, ELECTRUM, TeleBots, Telebots, Hades |
| Attribution | Russian Federation, GRU Main Intelligence Directorate, Unit 74455. Public attributions by US, UK, EU, and Ukrainian governments following the 2022 KA-SAT attack. |
| Motivation | State-directed disruption of NATO and Ukrainian civilian and military infrastructure; strategic sabotage and espionage tied to Russian foreign policy and conventional military operations. |
| Capabilities (TTPs) | Custom wiper malware development (AcidRain, KillDisk, NotPetya).<br>Supply-chain compromise.<br>Living-off-the-land within target networks.<br>Critical-infrastructure targeting (power, telecom, satcom, ICS).<br>Operational tempo aligned with Russian conventional military activity (live-fire concurrent attacks). |
| Targets / sectors | Government, military, energy, satellite communications, industrial control systems, election infrastructure. |
| Known operations | 2022 KA-SAT modem firmware wipe (AcidRain), 24 February 2022.<br>2018 Olympic Destroyer attack on PyeongChang Winter Olympics.<br>2017 NotPetya supply-chain attack (M.E.Doc).<br>2016 Industroyer / CrashOverride attack on Ukrainian electrical grid.<br>2015 BlackEnergy / KillDisk attack on Ukrainian power grid. |
| Signatures left behind | Custom wiper artifact families with overlapping code lineage (AcidRain, KillDisk, Industroyer family).<br>Targeted firmware-overwrite patterns where applicable (KA-SAT case).<br>Use of legitimate management channels for malicious payload delivery (KA-SAT case, NotPetya supply-chain case). |
| Confidence | High. Attribution supported by multiple independent governments and vendor analyses; capability claims supported by recovered tooling across multiple operations. |
| Source | CISA AA22-110A; SentinelOne AcidRain technical analysis (March 2022); Viasat KA-SAT post-incident statement (30 March 2022); UK NCSC and EU Council attribution statements (May 2022); ESET Industroyer analysis (June 2017). |
AN-THR entry. Store it alongside the AN-THR record in the CTI platform; cite the same SOURCE artifacts. When a peer publishes a profile update through Space ISAC, refresh the local copy and increment a profile revision date; the AN-THR identifier and ordinal stay the same.