Reconnaissance

ATAGS Tactic: Reconnaissance

ID: TA1000
Created: 18 April 2026
Last Modified: 18 April 2026

Techniques

Techniques: 14
ID Name Description
ATAGS-T1000 Active Scanning of Provider Infrastructure Threat actors may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure (GS and Cloud infrastructure) via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
ATAGS-T1001 G2S Eavesdropping Threat actors may seek to capture network communications throughout the ground station. These communications may be captured using packet capture software while the threat actor is on the target network.
ATAGS-T1002 G2U Eavesdropping Threat actors may seek to capture network communications throughout the ground station and radio frequency (RF) communication used for uplink and downlink communications. Threat actors may capture RF communications using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency.
ATAGS-T1003 Gather Customer Network Information Threat actors may gather information about the customer's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
ATAGS-T1004 Gather Customer Org Information Threat actors may gather information about the Customer's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
ATAGS-T1005 Gather Ground Station Communications Information Threat actors may obtain information on the specific RF-over-IP protocols (e.g., VITA 49), center frequencies, and modulation schemes configured in the GSaaS Mission Profile. This data is required to successfully inject malicious packets or demodulate intercepted data.
ATAGS-T1006 Gather Ground Station Logical and Cloud Design Information Threat actors may gather information about the GSaaS provider's network topology, API gateway versions, and cloud region availability. Unlike traditional ground stations, this information is often publicly available in provider documentation and can be mapped to specific customer implementations.
ATAGS-T1007 Gather Ground Station Physical Architecture Information Threat actors may gather information about the victim ground station's physical architecture that can be used for future campaigns or to help perpetuate other techniques. Information about the architecture can include location, physical security in place, antennas utilized, material, means of power support, employees staffed, and maintenance.
ATAGS-T1008 Gather Mission Profile Configuration Threat actors seek to obtain the specific "Mission Profile" or configuration scripts (JSON/YAML) used to configure the Ground Station for a pass. This reveals the exact demodulation, decoding, and data delivery paths used by the victim.
ATAGS-T1009 Gather Mission Schedule / LEOP Timeline Threat actors gather launch windows and LEOP (Launch and Early Orbit Phase) schedules. This temporal data allows the adversary to time Denial of Service attacks against the GSaaS scheduling API specifically when the satellite is most vulnerable and has not yet stabilized its orbit.
ATAGS-T1010 Gather Mission that uses GSaaS Information Threat actors may initially seek to gain an understanding of a target Ground Station by gathering information on missions that are known to use a specific provider. This includes information commonly captured in a Concept of Operations (or similar) document and related artifacts. Information of interest includes, but is not limited to: the needs, goals, and objectives of the system; system overview and key elements/instruments; modes of operations (including operational constraints); proposed capabilities and the underlying science/technology used to provide capabilities (i.e., scientific papers, research studies, etc.); and physical and support environments.
ATAGS-T1011 Gather Provider Org Information Threat actors may gather information about the Provider's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
ATAGS-T1012 Gather Supply Chain Information Threat actors may gather information about GS supply chain or product delivery mechanisms that can be used for future campaigns or to help perpetuate other techniques.
.001 Business Relationships Threat actors may gather information about the victim's business relationships that can be used during targeting. Information about a mission’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors/sub-contractors, etc.) that have connected (and potentially elevated) network access or sensitive information. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
.002 Hardware Recon Threat actors may gather information that can be used to facilitate a future attack where they manipulate hardware components in the victim infrastructure prior to the customer receiving them in order to achieve data or system compromise. By modifying the hardware or firmware in the supply chain, the threat actor can insert backdoors that give them a high level of control over the system. This would include ASIC and FPGA devices as well.
.003 Known Vulnerabilities Threat actors may gather information about vulnerabilities that can be used for future campaigns or to perpetuate other techniques. A vulnerability is a weakness in the victim spacecraft's hardware, subsystems, bus, or software that can, potentially, be exploited by a threat actor to cause unintended or unanticipated behavior to occur. During reconnaissance, as threat actors identify the types/versions of software (i.e., COTS, open-source) being used, they will look for well-known vulnerabilities that could affect the spacecraft. Threat actors may find vulnerability information by searching leaked documents, vulnerability databases/scanners, compromising ground systems, and searching through online databases.
.004 Software Recon Threat actors may gather information relating to the mission's software supply chain in order to facilitate future attacks to achieve data or system compromise. This attack can take place in a number of ways, including manipulation of source code, manipulation of the update and/or distribution mechanism, or replacing compiled versions with a malicious one.
ATAGS-T1013 Phishing for Information Threat actors may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.
.001 Spear Phishing to Ground Segment Operators The attack can target Ground Segment operators to gain information useful for targeting the Ground Segment later.
.002 Spear Phishing to Industry/Space Agencies The attack can target industries or space agencies that are involved in development, and it could result in leaked information that can be used to target the attack or to produce some specific hardware. In this last case it can even affect the supply chain.
.003 Spearphishing Attachment Threat actors may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
.004 Spearphishing Link Threat actors may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
.005 Spearphishing Service Threat actors may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
.006 Spearphishing Voice Threat actors may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.