ATAGS Tactic: Exfiltration
| ID | Name | Description |
|---|---|---|
| ATAGS-T1197 | Automated Exfiltration | Threat actors may exfiltrate data, such as sensitive documents, through the use of automated processing after it has been gathered during Collection. |
| .001 | Traffic Duplication | Threat actors may leverage traffic mirroring to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature of some devices, often used for network analysis: a device may be configured to forward copies of network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. |
| ATAGS-T1198 | Data Transfer Size Limits | Threat actors may exfiltrate data in fixed-size chunks instead of whole files, or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts. |
| ATAGS-T1199 | Exfiltration Over Alternative Protocol | Threat actors may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. |
| .001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Threat actors may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. |
| .002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Threat actors may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. |
| .003 | Exfiltration Over Unencrypted Non-C2 Protocol | Threat actors may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. |
| ATAGS-T1200 | Exfiltration Over C2 Channel | Threat actors may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. |
| ATAGS-T1201 | Exfiltration Over Other Network Medium | Threat actors may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. |
| .001 | Exfiltration Over Bluetooth | Threat actors may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. |
| ATAGS-T1202 | Exfiltration Over Payload Channel | Threat actors can deploy malicious software on the payload(s) that sends data through the payload channel. Payloads often have their own communication channels outside the main TT&C pathway, which presents an opportunity to exfiltrate payload data or other spacecraft data, depending on the interface and data exchange. |
| ATAGS-T1203 | Exfiltration Over Web Service | Threat actors may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover, because hosts within a network are likely already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. |
| .001 | Exfiltration to Code Repository | Threat actors may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (e.g., https://api.github.com). Access to these APIs is usually over HTTPS, which gives the adversary an additional level of protection against content inspection. |
| .002 | Exfiltration to Cloud Storage | Threat actors may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data on a remote cloud storage server over the Internet. |
| .003 | Exfiltration to Text Storage Sites | Threat actors may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information. |
| .004 | Exfiltration Over Webhook | Threat actors may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms that allow a server to push data over HTTP/S to a client without the client having to continuously poll the server. Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as GitHub, Jira, or Trello. When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services automatically post the data to the webhook endpoint for use by the consuming application. |
| ATAGS-T1204 | Modify Communications Configuration | Threat actors can manipulate communications equipment, modifying the existing software, hardware, or transponder configuration to exfiltrate data via unintended channels the mission has no control over. |
| .001 | Software Defined Radio | Threat actors may target software-defined radios, because their behaviour is defined in software, to set up exfiltration channels. Since SDRs are programmable, when combined with supply chain or development environment attacks they provide a pathway for a threat actor to set up covert exfiltration channels. |
| .002 | Transponder | Threat actors may change the transponder configuration to exfiltrate data via radio access to an attacker-controlled asset. |
| ATAGS-T1205 | Physical Layer Exfiltration | Threat actors can exfiltrate data by modifying the RF or optical communication components to transmit with different timing (and location) or on different frequencies. Antenna arrays can be used to direct data into different beams. |
| ATAGS-T1206 | Replay Exfiltration | Threat actors may replay valid, previously captured commands (such as downlink requests) to the spacecraft when it passes over a threat actor-controlled ground station (or a compromised commercial station), forcing the satellite to transmit sensitive telemetry or payload data to an unauthorized location. |
| ATAGS-T1207 | Scheduled Transfer | Threat actors may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. |
| ATAGS-T1208 | Side-Channel Exfiltration | Threat actors can exfiltrate data with a side-channel attack. A series of measurements of a side channel constitutes an identifiable signature, which can then be matched against a signature database to identify the target information without having to explicitly decode the side channel. |
| .001 | Power Analysis Attacks | Threat actors can analyze power consumption on board the spacecraft to exfiltrate information. In power analysis attacks, the threat actor studies the power consumption of devices, especially cryptographic modules. Power analysis attacks require close proximity to the target device (for example, a sensor node) so that the threat actor can measure its power consumption. There are two types of power analysis: simple power analysis (SPA) and differential power analysis (DPA). In differential power analysis, the threat actor collects many power traces and applies mathematical and statistical methods to determine intermediate values of the computation (for example, key-dependent values). |
| .002 | Electromagnetic Leakage Attacks | Threat actors can leverage electromagnetic emanations to obtain sensitive information. The electromagnetic radiation matters most when it is hardware-generated emission, especially emission from the cryptographic module. Electromagnetic leakage attacks have been shown to be more successful than power analysis attacks on smart cards. If proper protections are not in place on the spacecraft, the circuitry is exposed, which leads to stronger EM emanations. Exposed circuitry also provides an easier environment in which to study the electromagnetic emanations of each individual component. |
| .003 | Traffic Analysis Attacks | In a terrestrial environment, threat actors use traffic analysis attacks to analyze traffic flow and gather topological information. This traffic flow can divulge information about critical nodes, such as the aggregator node in a sensor network. |
| .004 | Timing Attacks | Threat actors can leverage timing attacks to exfiltrate information, exploiting variances in the execution timing of different sub-systems in the ground station (e.g., the cryptosystem). |
| ATAGS-T1209 | Transfer Data to Cloud Account | Threat actors may exfiltrate data by transferring it, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. |
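The two traffic-shaping techniques above, ATAGS-T1198 (Data Transfer Size Limits) and ATAGS-T1207 (Scheduled Transfer), are both visible in aggregate even when no single flow looks alarming. The following detection pass is an added example and is not part of the ATAGS catalogue: it runs two heuristics over a constructed set of flow records (timestamp, source, destination, bytes out). The record format, the per-flow alert threshold of 1 MiB, the aggregate threshold, and the jitter bound are assumptions chosen for illustration, not values from the catalogue.

```python
"""Flow-log heuristics for ATAGS-T1198 (chunked transfers) and ATAGS-T1207
(scheduled transfers). Added example; record format and thresholds are assumed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src, dst, bytes_out).
# 10.0.0.5 pushes six chunks just under a 1 MiB per-flow alert threshold on a
# fixed 600 s cadence (T1198 + T1207); 10.0.0.7 is irregular, ordinary traffic;
# 10.0.0.8 makes one large transfer that a per-flow threshold would already catch.
SAMPLE_FLOWS = [
    (0,    "10.0.0.5", "203.0.113.9",  1_040_000),
    (30,   "10.0.0.7", "198.51.100.2",    12_000),
    (95,   "10.0.0.7", "198.51.100.2",   300_000),
    (400,  "10.0.0.7", "198.51.100.2",     5_000),
    (410,  "10.0.0.7", "198.51.100.2",    80_000),
    (600,  "10.0.0.5", "203.0.113.9",  1_040_000),
    (1200, "10.0.0.5", "203.0.113.9",  1_040_000),
    (1500, "10.0.0.7", "198.51.100.2", 2_000_000),
    (1800, "10.0.0.5", "203.0.113.9",  1_040_000),
    (2000, "10.0.0.8", "198.51.100.4", 52_000_000),
    (2400, "10.0.0.5", "203.0.113.9",  1_040_000),
    (3000, "10.0.0.5", "203.0.113.9",  1_040_000),
]

MIB = 1_048_576


def flows_by_pair(flows):
    """Group records by (src, dst) and sort each group by timestamp."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        groups[(src, dst)].append((ts, nbytes))
    for recs in groups.values():
        recs.sort()
    return groups


def find_chunked_transfers(flows, per_flow_alert=MIB, min_chunks=5,
                           aggregate_alert=4 * MIB):
    """T1198: many flows each *below* the per-flow alert threshold whose total
    to one destination nonetheless exceeds aggregate_alert."""
    hits = []
    for (src, dst), recs in flows_by_pair(flows).items():
        small = [b for _, b in recs if b < per_flow_alert]
        total = sum(small)
        if len(small) >= min_chunks and total >= aggregate_alert:
            hits.append({"src": src, "dst": dst,
                         "chunks": len(small), "total_bytes": total})
    return hits


def find_scheduled_transfers(flows, min_events=5, max_cv=0.1):
    """T1207: inter-arrival gaps with a low coefficient of variation (stdev/mean)
    mean the transfers run on a timer rather than on human activity."""
    hits = []
    for (src, dst), recs in flows_by_pair(flows).items():
        if len(recs) < min_events:
            continue
        ts = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(recs),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_chunked_transfers(SAMPLE_FLOWS):
        print("T1198 chunked transfer:", hit)
    for hit in find_scheduled_transfers(SAMPLE_FLOWS):
        print("T1207 scheduled transfer:", hit)
```

Note that the single 52 MB flow from 10.0.0.8 is deliberately not flagged by either heuristic: a per-flow size alert already covers it, and these two checks exist for the traffic that such an alert misses. The jitter bound should be tuned against the mission's own telemetry and sync schedules, since legitimate scheduled jobs also produce a low coefficient of variation.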
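ATAGS-T1208.004 (Timing Attacks) turns on the fact that a component's execution time depends on secret data. The following added example, which is not from the ATAGS catalogue, models the simplest form of that leak: a ground-segment token check that compares bytes one at a time and returns at the first mismatch, next to a constant-time check using hmac.compare_digest. The service, its six-byte hex token and the "steps" oracle are assumptions for illustration; a real attacker would measure response latency over many requests rather than reading a loop counter, but the recovery logic is the same.

```python
"""ATAGS-T1208.004 worked example: early-exit comparison versus constant-time
comparison. Added example; the verifier service, secret and step oracle are assumed."""
import hmac

# Constructed secret a hypothetical ground-station service checks on each request.
SECRET = b"7f3a9c"
ALPHABET = b"0123456789abcdef"   # assumed token alphabet (hex)


class LeakyVerifier:
    """Byte-by-byte comparison that stops at the first mismatch. The number of
    bytes examined (modelled here as `steps`, standing in for elapsed time)
    grows with the length of the correct prefix, which is the side channel."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.steps = 0

    def check(self, guess: bytes) -> bool:
        self.steps = 0
        if len(guess) != len(self._secret):
            return False
        for g, s in zip(guess, self._secret):
            self.steps += 1
            if g != s:
                return False
        return True


class ConstantTimeVerifier:
    """Same interface, but the work done does not depend on where the guess
    diverges, so `steps` is constant and carries no information."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.steps = 0

    def check(self, guess: bytes) -> bool:
        self.steps = len(self._secret)          # modelled constant cost
        return hmac.compare_digest(guess, self._secret)


def recover_secret(verifier, length: int):
    """Recover the token one byte at a time using only the timing oracle
    (verifier.steps) and the accept/reject result. Returns (token, queries).
    Assumes the secret contains no NUL bytes, which the padding uses."""
    known = b""
    queries = 0
    for pos in range(length):
        best, best_steps = ALPHABET[0], -1
        for c in ALPHABET:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            queries += 1
            if verifier.check(guess):          # full match: done
                return known + bytes([c]), queries
            if verifier.steps > best_steps:    # longer prefix survived
                best, best_steps = c, verifier.steps
        known += bytes([best])
    return known, queries


if __name__ == "__main__":
    leaky, ct = LeakyVerifier(SECRET), ConstantTimeVerifier(SECRET)
    print("leaky    :", recover_secret(leaky, len(SECRET)))
    print("constant :", recover_secret(ct, len(SECRET)))
    print("brute force space:", len(ALPHABET) ** len(SECRET))
```

Against the leaky verifier the attack needs at most 16 queries per byte (96 in total) instead of the 16^6 = 16,777,216 guesses a brute-force search of the same token space would need; against the constant-time verifier it learns nothing and returns the first alphabet symbol in every position. The defensive point for the ground segment is that every secret-dependent comparison (tokens, MACs, command authentication codes) must take the same time regardless of input.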