Walking through the compromise of a single ground station and space vehicle (SV) as well as their component devices certainly drives home the real threat at a system level. To further present just how impactful compromise of and via a SV can be, we will now proceed through a scenario that provides a macroanalysis of an example widespread and far-reaching space system compromise. The following builds on the earlier walk-through, referencing some of the cyber techniques that were used and incorporating them at a higher level. This macroanalysis will not delve into as many technical details and is aimed more at tying together just how prolific space system compromises could be.
As a society we are increasingly dependent on space systems to enable our day-to-day activities and communications. Militaries and governments as well as most industries rely on space systems, especially communication and positioning systems, and their operations would be crippled temporarily, if not permanently, if certain space systems were to fail. Imagine that the following is a cyber campaign by the same organization that attacked the school, leveraging lessons learned to go after a larger organization with multiple ground stations and multiple SVs. Additionally, this space system has physically dispersed ground stations and separate organizations, one that conducts flight operations for the satellite and another which handles payload operations, each from their own sets of ground station sites.
Initial Ground Station
Once again, the initial foothold in the space system will be obtained through compromise of a ground station. In this situation I will give an example of how a ground station might be compromised directly, without involving multiple exploitations of personal devices to get to and maintain connectivity with a hacked ground station server.
How
Why
This implant allows the attacker constant communications to and from the ground station whenever necessary. This access will be used by the attacker to target the space system, upload malicious code and binaries, as well as exfiltrate data from the space system in a nearly undetectable manner.
Payload 1 Computer
This particular SV is a member of a mesh, and as such it has a payload that performs a mission such as imagery as well as a payload that enables communications across the mesh of SVs. The imaging payload will be referred to as payload 1 and similar to our microanalysis will be used as the initial target for exploitation via the compromised ground station. The attacker is also best served to go after the imaging payload computer since the compromised ground station belongs to the organization that tasks and operates the imaging payloads, not the one which flies the satellites and monitors telemetry.
How
Why
Using the infected tasking files to gain execution, the attackers can implant their malicious tools into the payload 1 computer and use it as a foothold for further situational awareness and exploitation within the SV.
Payload Ground Network
Now the attacker has maintained initial access to the SV. Communications from the attacker’s malware connect back from the SV during passes, through the implant on the ground station server, and ultimately back to wherever the hacker is located.
How
Why
With access enabled to multiple ground stations operating the payloads, the attacker now has the ability to maintain separate lines of access to the SV. With more ground station access, the attacker will also have more numerous communications windows with the SV as it passes over the now numerous compromised ground sites operating and tasking the imaging payload. Additionally, it means that any malicious activities the attacker may conduct can affect a larger portion of the total space system.
Flight Computer
With more persistent access to the space system across the payload ground station, the attacker will turn to pivoting on to the flight computer.
How
Why
In this particular SV, the flight computer is actually a beefed-up version which not only handles telemetry and manipulating the SV flight hardware but also handles communications via the SDR and encryption to establish downlinks to the ground stations which actually fly the satellite.
Flight Ground Network
Just as the payload operations are conducted from a multitude of ground stations to support the mesh operations, so too are the flight operations. Flying a mesh of many satellites would require access via several physically diverse ground stations to maximize the utilization of and benefit from having many SVs in several orbital planes all running missions and downloading the resulting data. Making sure these satellites stay in the correct orbits and maximize persistence for the payload operations requires a network of ground stations flying the mesh.
How
Why
Access to the ground network used to fly the satellites will be more useful to the attackers as they consider performing attack actions on the mesh as the flight operators are more likely to be the ones trying to regain access to the SVs in the event of some cyber-induced effect. The added ground networks also give the attacker even more access to the compromised SV and added persistence.
Payload 2 Computer
While compromise of additional SVs is certainly possible from either of the compromised ground networks used for payload tasking and flight, the attackers want to explore attacking the mesh from space. To do this they need to gain access to payload 2 computer which operates the communications, routing, and switching of data across the mesh of SV crosslinks.
How
Why
This payload 2 computer will provide the final launch point from which the attacker will pivot into the other SVs within the mesh.
Mesh
Once the attacker has gained access to the payload 2 computer, it is time to explore options on how to proliferate access across the mesh. Infecting other SVs from the initially compromised one is valuable to an attacker for a couple of reasons. First, the attacker may not have spread down to various ground stations as was done in our current scenario. This means that the attacker might not be able to gain access to many SVs, as the compromised ground station may not get passes from many of the mesh SVs. Second, spreading across the mesh from SV to SV, if possible, is probably a stealthier option than compromising down to other ground stations and then back up to other SVs they see. This is because the ground stations have stronger security implementations, and the more infected files are passed down to ground stations and sent back up to other SVs, the greater the chances the attackers get caught.
How
Why
With the SVs, flight ground stations, and payload ground stations all compromised, an attacker could launch an attack to kill the entire space system in such a way that there is little or no ability for the operators to respond or recover. Using the same attack from the microanalysis example of disabling communications by attacking the SDR, the attacker could proliferate the attack binary and execute it in tandem on all SVs across the mesh. At the same time, repurposed ransomware akin to the WannaCrypt attack can be used to encrypt the hard drives of the computers in both the flight and payload operations’ ground networks. With no intention of unencrypting the hard drives or even receiving the ransomware payment, the attacker will send the space system organization on a rabbit chase, thinking they were only the victim of a terrestrial network attack. By the time they recovered their ground networks, it would become apparent that the entire mesh in space had gone dark.
Conclusion
While the scenario we just covered would require a lot of resources for an attacker to accomplish, it should certainly resonate as being within the realm of the possible. Given that the actor conducting a cyber attack campaign against a space system is likely to be state sponsored, the attack scenario does not seem so far-fetched. As larger and larger satellite meshes and complex systems of systems in space are operated, cybersecurity needs to be implemented from the ground up and from space down to prevent, as much as possible, widespread catastrophe such as the one we just walked through. Replacing a system in space takes years. Even if backups to the satellites in a mesh were sitting in warehouses, they would still need to get scheduled for launch, deployed in space, and maneuvered into required operational orbits. To improve space systems' resiliency to such attacks, SVs, their components, and ground stations probably need to have a lower level of assumed trust of each other from a security standpoint than is currently likely to be implemented.
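One way to picture the lower assumed trust recommended above, as an added example that is not from the original text: every receiving component authenticates the sender, rejects replays, and acts only on message types permitted for that sender. Component names follow the scenario; the keys, message types and policy table are constructed assumptions.

```python
import hashlib
import hmac

# Constructed per-sender keys; a real system would provision these in hardware.
KEYS = {
    "payload_ground": b"k-payload-ground",
    "flight_ground": b"k-flight-ground",
    "payload1": b"k-payload1",
    "crosslink_peer": b"k-crosslink-peer",
}

# (sender, receiver) -> message types the receiver will act on; all else is dropped.
POLICY = {
    ("payload_ground", "payload1"): {"tasking"},
    ("payload1", "flight_computer"): {"pointing_request"},
    ("flight_ground", "flight_computer"): {"flight_command", "software_load"},
    ("crosslink_peer", "payload2"): {"mesh_data"},
}


def sign(sender, receiver, msg_type, counter, body):
    """Build a message with an HMAC-SHA256 tag over the header fields and body."""
    header = f"{sender}|{receiver}|{msg_type}|{counter}|".encode()
    tag = hmac.new(KEYS[sender], header + body, hashlib.sha256).digest()
    return {"sender": sender, "receiver": receiver, "type": msg_type,
            "counter": counter, "body": body, "tag": tag}


class Gate:
    """Receiver-side check that runs before any message is parsed or executed."""

    def __init__(self, name):
        self.name = name
        self.last_counter = {}  # sender -> highest counter accepted so far

    def accept(self, m):
        key = KEYS.get(m["sender"])
        if key is None or m["receiver"] != self.name:
            return "reject: unknown sender or wrong receiver"
        header = f"{m['sender']}|{m['receiver']}|{m['type']}|{m['counter']}|".encode()
        expected = hmac.new(key, header + m["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, m["tag"]):
            return "reject: bad tag"
        if m["counter"] <= self.last_counter.get(m["sender"], -1):
            return "reject: replayed counter"
        if m["type"] not in POLICY.get((m["sender"], self.name), set()):
            return "reject: type not allowed for this sender"
        self.last_counter[m["sender"]] = m["counter"]
        return "accept"
```

Under this policy a payload 1 computer holding a valid key can still only request pointing from the flight computer; a software load is accepted only from the flight ground network.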