ATAGS Tactic: Initial Access
| ID | Name | Description |
|---|---|---|
| ATAGS-T1021 | Assembly, Test, and Launch Operation Compromise | Threat actors may target the Ground Station hardware and/or software while the GS is at Assembly, Test, and Launch Operation (ATLO). ATLO is often the first time pieces of the Ground Station are fully integrated and exchanging data across interfaces. Malware could propagate from infected devices across the integrated GS. For example, test equipment (i.e., a transient cyber asset) is often brought in for testing elements of the ground station. Additionally, varying levels of physical security are in place, which may be a reduction from the physical security typically seen during development. The ATLO environment should be considered a viable attack vector, and the appropriate/equivalent security controls from the primary development environment should be implemented during ATLO as well. |
| ATAGS-T1022 | Content Injection | Threat actors may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), threat actors may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems. |
| ATAGS-T1023 | Direct Attack to Space Communication Links | Threat actors can leverage communication channels, such as TT&C or a payload channel, to gain initial access to a resource by opening a communication link to compromise the victim system. Over such a link, threat actors can perform a variety of actions. |
| .001 | Record and replay TC/TM or mission specific packets | Threat actors can record and replay TC/TM packets to deceive the spacecraft or the ground station, causing unexpected behavior or an erroneous evaluation of the spacecraft status. Threat actors can gain access to the data exchanged in a payload channel or even spoof TC. Usually TM replay does not cause an impact unless timing information is transmitted. |
| ATAGS-T1024 | Drive-by Compromise | Threat actors may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including: |
| ATAGS-T1025 | Exploit Public-Facing Application | Threat actors may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. |
| ATAGS-T1026 | Ground Segment Compromise | Threat actors may compromise Ground Segment sectors, such as workstations, Ground Stations, and operation centers. |
| .001 | Logical compromise | There are various ways to compromise the Ground Segment logically, many of which closely resemble MITRE ATT&CK® Enterprise techniques. |
| .002 | Physical compromise | Threat actors can exploit missing physical security (e.g., facilities not protected with physical barriers). |
| ATAGS-T1027 | Hardware Additions | Threat actors may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e., Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. |
| ATAGS-T1028 | Internet Accessible Device | Threat actors may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through External Remote Services. Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow threat actors to move directly into the control system network. Access to these devices is accomplished without the use of exploits; exploit-based access would be represented within the Exploit Public-Facing Application technique. |
| ATAGS-T1029 | Phishing | Threat actors may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, threat actors can conduct non-targeted phishing, such as in mass malware spam campaigns. |
| .001 | Spearphishing Link | Threat actors may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it uses links contained in the email to download malware, instead of attaching malicious files to the email itself, in order to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. |
| .002 | Spearphishing Voice | Threat actors may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it relies on manipulating a user into providing access to systems through a phone call or other forms of voice communication. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient. |
| .003 | Phishing Attachment | Threat actors may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it uses malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, threat actors attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. |
| .004 | Spearphishing via Service | Threat actors may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it uses third-party services rather than enterprise email channels directly. |
| ATAGS-T1030 | Remote Services Compromise | Threat actors may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally. |
| ATAGS-T1031 | Remote Services Exploitation | Threat actors may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is initial access into, and lateral movement throughout, the ICS environment to enable access to targeted systems. |
| ATAGS-T1032 | Replication Through Removable Media | Threat actors may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. |
| ATAGS-T1033 | Rogue Master | Threat actors may set up a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. |
| ATAGS-T1034 | Secondary/Backup Communication Channel Compromise | Threat actors may compromise alternative communication pathways which may not be as protected as the primary pathway. Depending on the implementation, the contingency communication pathways/solutions may lack the same level of security (e.g., physical security, encryption, authentication) and, if operators are forced to use them, could provide a threat actor an opportunity to launch attacks. Typically this would have to be coupled with denial-of-service techniques against the primary pathway to force use of the secondary pathways. |
| ATAGS-T1035 | Software Defined Radio Compromise | Threat actors may target software defined radios, due to their software nature, to establish C2 channels. Since SDRs are programmable, when combined with supply chain or development environment attacks, SDRs provide a pathway to set up covert C2 channels for a threat actor. |
| ATAGS-T1036 | Spacecraft Compromise | Threat actors may initially compromise a spacecraft in order to access the target Ground Station. Once compromised, the threat actor can perform a multitude of initial access techniques, including replay, compromising FSW deployment, compromising encryption keys, and compromising authentication schemes. Threat actors may also perform further reconnaissance within the system to enumerate mission networks and gather information related to ground station logical topology, missions run out of that ground station, and other mission system capabilities. |
| ATAGS-T1037 | Supply Chain Compromise | Threat actors may manipulate or compromise products or product delivery mechanisms before the customer receives them in order to achieve data or system compromise. |
| ATAGS-T1038 | Transient Cyber Asset | Threat actors may leverage compromised transient devices—such as field maintenance laptops, diagnostic tablets, or calibration equipment—to gain initial access to the isolated Ground Station OT network. Since these assets move between untrusted external networks (e.g., the public internet) and the trusted facility network for maintenance tasks, they act as a physical bridge, introducing malware directly into the local control environment without traversing the external firewall. |
| ATAGS-T1039 | Trusted Relationship Exploitation | Access through a trusted third-party relationship exploits an existing connection that has been approved for interconnection. Leveraging third-party/approved interconnections to pivot into target systems is a common technique for threat actors, as these interconnections typically lack stringent access control due to their trusted status. |
| ATAGS-T1040 | Valid Accounts Exploitation | Threat actors may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Threat actors may choose not to use malware or tools alongside the legitimate access those credentials provide, making their presence harder to detect. |
| ATAGS-T1041 | Wireless Compromise | Threat actors may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. Threat actors may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a distance. |