
SC-061: Satellite Communication Hijacking

Scenario Overview

This scenario follows the advanced persistent threat group "ORBITAL PHANTOM" as they compromise the ground station infrastructure of StellarComm Global, a commercial satellite operator providing maritime and aviation communication services across the Atlantic and Indo-Pacific regions. The attackers infiltrate the satellite operator's supply chain, planting a firmware implant in a scheduled ground station antenna controller update. Once active, the implant enables RF signal manipulation, command injection into ground-to-space protocols, and ultimately the interception and modification of maritime distress signals, aviation position reports, and encrypted government backhaul traffic routed through StellarComm's constellation.

Environment: StellarComm Global ground station network (5 stations globally); satellite constellation "ATLAS" (12 LEO/MEO satellites); uplink/downlink at 10.50.0.0/16; corporate IT at 10.60.0.0/16
Initial Access: Supply chain compromise — firmware implant in antenna controller update from vendor "Meridian Avionics" (T1195.002)
Impact: Interception of maritime/aviation comms, manipulation of ADS-B position data, degraded GMDSS distress relay
Difficulty: Advanced (requires RF engineering, orbital mechanics, and space protocol expertise)
Sector: Aerospace, Maritime, Defense


Threat Actor Profile

ORBITAL PHANTOM is a nation-state-aligned APT group specializing in space systems and satellite infrastructure. The group has been active since approximately 2021, with previous campaigns targeting European Space Agency contractors and Indo-Pacific maritime surveillance systems. ORBITAL PHANTOM demonstrates deep knowledge of space communication protocols (CCSDS, DVB-S2, AIS), RF engineering, and ground station architectures. The group operates on long timelines, with reconnaissance phases lasting 6-12 months before operational deployment.

Motivation: Strategic intelligence — interception of maritime shipping routes, aviation tracking, and government satellite backhaul
Capability: Very High — custom RF manipulation tools, orbital mechanics modeling, space protocol expertise
Target Sectors: Aerospace, Defense, Maritime, Telecommunications
Attribution Confidence: Moderate — tooling overlaps with "COSMO BEAR" campaigns; shared C2 infrastructure at 203.0.113.0/24
Estimated Resources: 20-30 operators; dedicated RF lab; access to software-defined radio (SDR) arrays

Space Systems Threat Context

Satellite communication systems present unique attack surfaces:

  • Ground stations are the most accessible component — they run conventional IT/OT systems with RF front-ends
  • Supply chain for space-grade components is narrow and specialized, making targeted implants highly effective
  • RF links between ground and space can be jammed, spoofed, or intercepted with sufficient signal engineering
  • Space protocols (CCSDS, TM/TC) were designed for reliability, not security — many lack authentication or encryption
  • Orbital mechanics constrain attack windows: satellite visibility from a ground station follows predictable pass schedules
  • Dual-use infrastructure: commercial satellites often carry government/military traffic via hosted payloads

Attack Timeline

Timestamp (UTC)     | Phase                  | Action
2025-06-15          | Reconnaissance         | ORBITAL PHANTOM maps StellarComm Global's supply chain; identifies Meridian Avionics as antenna controller vendor
2025-07-20          | Supply Chain Access    | Compromise of Meridian Avionics build server (build.meridian-avionics.example.com) via spearphishing
2025-08-10          | Implant Development    | Firmware implant "STARSHADE" developed and tested against antenna controller emulator
2025-09-01          | Supply Chain Injection | STARSHADE implant injected into firmware update package v4.7.2 for ACU-9000 antenna controller
2025-09-15          | Distribution           | Trojanized firmware distributed to StellarComm via normal vendor update channel
2025-10-01 08:00:00 | Installation           | StellarComm deploys firmware v4.7.2 across 3 of 5 ground stations (Guam, Perth, Azores)
2025-10-01 08:30:00 | Activation             | STARSHADE implant activates; establishes covert C2 via DNS over satellite backhaul
2025-10-02 02:00:00 | Discovery              | Implant enumerates ground station network topology, satellite pass schedules, frequency plans
2025-10-05 14:00:00 | Credential Harvesting  | Keylogger captures Satellite Operations Center (SOC) credentials for TT&C system
2025-10-10 03:00:00 | Lateral Movement       | Pivot from antenna controller VLAN (10.50.10.0/24) to TT&C system (10.50.20.0/24)
2025-10-15 06:00:00 | Signal Intelligence    | Begin passive interception of maritime AIS and aviation ADS-B traffic on L-band downlinks
2025-10-20 12:00:00 | Active Manipulation    | Inject modified AIS position data for 3 cargo vessels transiting South China Sea
2025-11-01 09:00:00 | GMDSS Interference     | Degrade Global Maritime Distress and Safety System relay, causing 47-minute gap in coverage
2025-11-05 15:00:00 | Government Backhaul    | Access encrypted government communications backhaul; exfiltrate metadata and traffic analysis
2025-11-10 04:00:00 | Detection              | StellarComm NOC detects anomalous antenna pointing commands during scheduled maintenance window

Technical Analysis

Phase 1: Supply Chain Compromise (T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain)

ORBITAL PHANTOM compromised Meridian Avionics, a specialized manufacturer of satellite ground station antenna control units (ACUs). The attackers gained access to the firmware build server through a targeted spearphishing campaign against Meridian's embedded systems engineering team.

# Reconnaissance of Meridian Avionics supply chain relationship
# ORBITAL PHANTOM OSINT collection (reconstructed from threat intel)

# Identified via StellarComm's public procurement records:
# Contract #SC-2024-0847: "ACU-9000 Antenna Controller Maintenance and Firmware Updates"
# Vendor: Meridian Avionics (meridian-avionics.example.com)
# Contact: embedded-support@meridian-avionics.example.com

# Spearphishing lure targeting Meridian firmware engineer:
# Subject: "URGENT: ACU-9000 Field Failure Report — Antenna Pointing Anomaly"
# Attachment: ACU9000_Field_Report_2025-07.pdf.exe (STARSHADE dropper)
# From: stellarcomm-noc@stellarcomm-support.example.com (spoofed)

# Build server compromise (build.meridian-avionics.example.com):
# 1. Spearphishing → workstation of firmware engineer
# 2. Credential theft → SSH keys for build server
# 3. Build pipeline modification → inject STARSHADE into firmware image
# 4. Code signing — reused Meridian's legitimate signing certificate

Phase 2: Firmware Implant — STARSHADE (T1542.001 — Pre-OS Boot: System Firmware)

The STARSHADE implant was designed specifically for the ACU-9000 antenna controller, which runs a real-time operating system (RTOS) on an ARM Cortex-R5 processor. The implant hooks into the antenna pointing and RF chain control functions.

# STARSHADE implant architecture (reverse-engineered from memory dump)
# Target: ACU-9000 Antenna Controller (ARM Cortex-R5, VxWorks 7.x RTOS)
# Size: 47 KB (injected into unused firmware flash region)
# Persistence: Survives firmware re-flash if factory reset not performed

# Capabilities:
# 1. RF_INTERCEPT  — Mirror downlink RF data to secondary processing chain
# 2. RF_INJECT     — Insert crafted frames into uplink/downlink streams
# 3. POINT_MODIFY  — Subtly alter antenna pointing angles (±0.02°)
# 4. C2_BACKHAUL   — DNS-over-satellite covert channel for command/control
# 5. KEYLOG        — Capture serial console input to antenna controller
# 6. NETPIVOT      — Bridge antenna controller VLAN to TT&C network

# Activation sequence (from firmware analysis):
# 1. Check system clock > 2025-10-01T00:00:00Z (delayed activation)
# 2. Verify ground station ID matches target list (Guam, Perth, Azores)
# 3. Generate unique implant ID from hardware serial number
# 4. Establish C2 via DNS TXT queries to orbital-telemetry.example.com
# 5. Await operator commands via encrypted DNS responses

# Anti-forensics:
# - Operates entirely in RTOS memory; minimal flash writes
# - C2 traffic mimics legitimate DNS queries for NTP and firmware update checks
# - Activity windows aligned with satellite pass schedules (appears normal)

Phase 3: Ground Station Network Discovery (T1046, T1018)

Once activated, STARSHADE mapped the ground station network architecture, identifying critical systems for lateral movement.

# Ground station network topology discovered by STARSHADE
# (Reconstructed from implant log files)

# VLAN 10 — Antenna Control (10.50.10.0/24)
#   10.50.10.1   ACU-9000-PRIMARY   (COMPROMISED — STARSHADE active)
#   10.50.10.2   ACU-9000-BACKUP    (standby controller)
#   10.50.10.10  RF-SWITCH-01       (L/S/C/Ku-band RF switching matrix)
#   10.50.10.11  LNA-CTRL-01        (Low Noise Amplifier controller)
#   10.50.10.20  FREQ-SYNTH-01      (Frequency synthesizer / local oscillator)

# VLAN 20 — Telemetry, Tracking & Command (10.50.20.0/24)
#   10.50.20.1   TTC-PRIMARY        (Satellite TT&C workstation)
#   10.50.20.2   TTC-BACKUP         (Redundant TT&C)
#   10.50.20.10  CCSDS-GW-01        (CCSDS gateway — space-ground protocol)
#   10.50.20.20  ORBIT-DET-01       (Orbit determination system)

# VLAN 30 — Payload Processing (10.50.30.0/24)
#   10.50.30.1   DEMUX-01           (Downlink demultiplexer)
#   10.50.30.10  AIS-PROC-01        (AIS data processor)
#   10.50.30.11  ADSB-PROC-01       (ADS-B data processor)
#   10.50.30.20  CRYPTO-HSM-01      (HSM for government traffic decryption keys)

# VLAN 40 — Corporate IT (10.60.0.0/16) — air-gapped from ground station (bypassed)
#   10.60.1.1    DC-01.stellarcomm.example.com   (Domain Controller)
#   10.60.1.10   MAIL-01.stellarcomm.example.com (Exchange Server)

# STARSHADE bridged VLAN 10 → VLAN 20 via serial maintenance port on ACU-9000
# The antenna controller has a diagnostic serial interface that connects to the
# TT&C network for health monitoring — STARSHADE exploited this trusted path

Phase 4: Credential Harvesting and TT&C Access (T1056.001, T1078)

# Keylogger output from ACU-9000 serial console (STARSHADE capture)
# Operator login to TT&C system during satellite pass

[2025-10-05 14:22:31 UTC] SERIAL_CAPTURE:
> connect ttc-primary.gs-guam.stellarcomm.example.com
> login: sat_operator_guam
> password: St3ll@r_Gu@m_2025!     ← CAPTURED (synthetic credential)
> CCSDS-GW> show satellite-passes --next 24h
>   ATLAS-03  AOS: 14:45 UTC  LOS: 15:02 UTC  Max El: 72°
>   ATLAS-07  AOS: 16:30 UTC  LOS: 16:48 UTC  Max El: 45°
>   ATLAS-11  AOS: 19:15 UTC  LOS: 19:28 UTC  Max El: 61°

# Lateral movement to TT&C system using captured credentials
# STARSHADE used serial bridge to access TT&C VLAN
[2025-10-10 03:15:00 UTC] SSH session established:
> ssh sat_operator_guam@10.50.20.1
> CCSDS-GW> show transponder-config ATLAS-03
>   L-band downlink: 1545.500 MHz (AIS/ADS-B)
>   C-band uplink:   6425.000 MHz (TT&C)
>   Ku-band:         12750.000 MHz (broadband payload)
>   Government hosted payload: CLASSIFIED — HSM-protected

# Enumeration of satellite command authority
> CCSDS-GW> show user-privileges sat_operator_guam
>   TT&C Commands:     READ/EXECUTE (health, housekeeping, orbit maneuver)
>   Payload Commands:  READ (downlink monitoring only)
>   Emergency Commands: EXECUTE (safe mode, frequency hop)

Phase 5: Signal Intelligence — Passive Interception (T1040, T1557)

ORBITAL PHANTOM configured STARSHADE to mirror L-band downlink data, capturing maritime AIS and aviation ADS-B traffic processed by the ground station.

# STARSHADE RF interception configuration
# Mirror L-band downlink (1545.5 MHz) to secondary processing chain

# AIS (Automatic Identification System) interception
# Maritime vessel tracking data — unencrypted by design
[2025-10-15 06:30:00 UTC] AIS_INTERCEPT:
  MMSI: 123456789  Vessel: MV PACIFIC TRADER  Flag: SYNTHETIC
  Position: 14.5123°N, 120.9876°E  Course: 225°  Speed: 14.2 kts
  Destination: SINGAPORE  ETA: 2025-10-18
  Cargo: Container — 4,200 TEU

  MMSI: 987654321  Vessel: MV ATLANTIC SPIRIT  Flag: SYNTHETIC
  Position: 38.7654°N, 28.1234°W  Course: 090°  Speed: 18.7 kts
  Destination: ROTTERDAM  ETA: 2025-10-22
  Cargo: Crude Oil — 280,000 DWT

# ADS-B (Automatic Dependent Surveillance-Broadcast) interception
# Aviation position data — unencrypted by protocol design
[2025-10-15 07:00:00 UTC] ADSB_INTERCEPT:
  ICAO: A1B2C3  Callsign: SYNTH401  Aircraft: B777-300ER
  Position: 22.3456°N, 145.6789°E  Altitude: FL380  Speed: 485 kts
  Route: RJTT → WSSS (Tokyo → Singapore)

# Government backhaul — encrypted but metadata visible
[2025-10-15 08:00:00 UTC] GOV_BACKHAUL_META:
  Source: CRYPTO-HSM-01 (10.50.30.20)
  Channel: Ku-band transponder 7 (12750.250 MHz)
  Encryption: AES-256-GCM (HSM-managed keys — not compromised)
  Traffic volume: 2.4 Gbps sustained
  Metadata captured: timing, volume, source/destination ground stations
  Content: ENCRYPTED — unable to decrypt without HSM key material

Phase 6: Active Signal Manipulation — AIS Spoofing (T1565.002, T1498)

ORBITAL PHANTOM escalated from passive interception to active manipulation, injecting forged AIS position data to create "ghost" vessels and modify the apparent positions of real ships.

# AIS injection via STARSHADE RF_INJECT capability
# Spoofed AIS messages injected into L-band uplink

[2025-10-20 12:00:00 UTC] AIS_INJECT command received via C2:
  Target: South China Sea shipping lanes
  Operation: Create 3 ghost vessels in contested waters

# Ghost vessel injection
INJECT_AIS_MSG type=1 mmsi=100000001 \
  lat=16.0000 lon=112.5000 course=180 speed=8.5 \
  vessel_name="PHANTOM_ECHO_1" ship_type=70 \
  destination="DA NANG" status=0

INJECT_AIS_MSG type=1 mmsi=100000002 \
  lat=15.8000 lon=112.7000 course=225 speed=12.0 \
  vessel_name="PHANTOM_ECHO_2" ship_type=80 \
  destination="SINGAPORE" status=0

INJECT_AIS_MSG type=1 mmsi=100000003 \
  lat=16.2000 lon=112.3000 course=045 speed=6.2 \
  vessel_name="PHANTOM_ECHO_3" ship_type=70 \
  destination="HONG KONG" status=0

# Position manipulation of real vessel
# Shift apparent position of MV PACIFIC TRADER by 12 nautical miles
MODIFY_AIS_MSG mmsi=123456789 \
  lat_offset=+0.2000 lon_offset=-0.1500
  # Shifted from actual 14.5123°N to apparent 14.7123°N
  # Creates collision risk assessment errors for nearby vessels

Phase 7: GMDSS Interference (T1499, T1498.001)

The most dangerous phase involved degrading the Global Maritime Distress and Safety System (GMDSS) relay through the ATLAS constellation.

# GMDSS interference via antenna pointing manipulation
# STARSHADE POINT_MODIFY capability — subtle antenna mispointing

[2025-11-01 09:00:00 UTC] GMDSS_DEGRADE operation:
  Target: ATLAS-03 GMDSS relay transponder
  Method: Introduce 0.015° pointing error on receive antenna
  Effect: 3.2 dB signal degradation on 1544.0 MHz (EPIRB/distress)
  Duration: 47 minutes (aligned with ATLAS-03 coverage gap over Indian Ocean)

# Pointing modification command (via compromised TT&C credentials)
> CCSDS-GW> modify-pointing ATLAS-03 \
>   el_offset=+0.008 az_offset=+0.012 \
>   duration=2820s \
>   reason="thermal_compensation_adjustment"  # Legitimate-appearing justification

# Impact assessment (post-incident analysis):
# - 47-minute gap in GMDSS distress relay coverage
# - Area affected: ~2.1 million sq km of Indian Ocean
# - 3 EPIRB distress beacons transmitted during gap
# - 2 received by alternate COSPAS-SARSAT satellites (delayed 12 min)
# - 1 beacon relay delayed by 47 minutes (vessel MV OCEAN HOPE)
# - No casualties resulted, but Coast Guard response delayed significantly

Phase 8: Government Traffic Analysis (T1005, T1020)

# Traffic analysis of encrypted government backhaul
# While content was HSM-encrypted, metadata provided intelligence value

[2025-11-05 15:00:00 UTC] GOV_TRAFFIC_ANALYSIS:
  Collection period: 2025-10-15 to 2025-11-05 (21 days)

  Patterns identified:
  1. Traffic volume spike 06:00-08:00 UTC daily
     → Correlates with Pacific Command morning briefing cycle
  2. Burst transmissions at irregular intervals (avg 4.7/day)
     → Likely tactical communications or intelligence reports
  3. Ground station routing changes:
     → Perth station handles 68% of government traffic
     → Guam station handles 27% (primarily Pacific)
     → Azores station handles 5% (Atlantic relay)

  Exfiltration via C2:
  - 340 MB of traffic metadata exfiltrated over 21 days
  - DNS-over-satellite covert channel: 2.3 KB per DNS query
  - Exfiltration rate: ~16 MB/day (within normal DNS query volume)

  C2 infrastructure:
  - Primary: orbital-telemetry.example.com (203.0.113.50)
  - Fallback: sat-status-check.example.com (203.0.113.51)
  - Emergency: firmware-update.example.com (203.0.113.52)

Detection Opportunities

SIEM Detection Queries

KQL — Antenna Pointing Anomalies

// Detect unusual antenna pointing modifications outside maintenance windows
// Maintenance windows: Sunday 02:00-06:00 UTC and Wednesday 02:00-04:00 UTC
GroundStationTelemetry
| where TimeGenerated > ago(24h)
| where EventType == "POINTING_MODIFY"
// dayofweek() returns a timespan (0d = Sunday, 3d = Wednesday), so compare against timespan literals
| where not((dayofweek(TimeGenerated) == 0d and hourofday(TimeGenerated) between (2 .. 5))
         or (dayofweek(TimeGenerated) == 3d and hourofday(TimeGenerated) between (2 .. 3)))
| where abs(ElevationOffset) > 0.005 or abs(AzimuthOffset) > 0.005
| project TimeGenerated, GroundStation, SatelliteID,
          ElevationOffset, AzimuthOffset, Operator, Reason
| join kind=leftouter (
    ChangeManagement
    | where Category == "Antenna" and Status == "Approved"
) on $left.TimeGenerated == $right.ScheduledTime
| where isnull(ScheduledTime)  // No approved change ticket (ScheduledTime is a datetime, so test with isnull)
| extend AlertSeverity = "High"

KQL — DNS-over-Satellite Covert Channel

// Detect anomalous DNS query patterns from ground station infrastructure
DnsEvents
| where TimeGenerated > ago(24h)
| where Computer startswith "ACU-" or Computer startswith "RF-"
| where QueryType == "TXT"
| summarize QueryCount = count(),
            UniqueDomainsQueried = dcount(Name),
            AvgQuerySize = avg(QueryLength),
            TotalResponseBytes = sum(ResponseLength)
            by Computer, bin(TimeGenerated, 1h)
| where QueryCount > 50 or AvgQuerySize > 200 or UniqueDomainsQueried > 20
| extend AlertSeverity = iff(QueryCount > 200, "Critical", "High")

KQL — AIS Data Integrity Anomalies

// Detect injected or modified AIS messages
AISProcessor
| where TimeGenerated > ago(24h)
| summarize PositionCount = count(),
            AvgSpeed = avg(Speed_kts),
            MaxSpeed = max(Speed_kts),
            PositionJumps = countif(DistanceFromLast_nm > 50)
            by MMSI, bin(TimeGenerated, 1h)
| where PositionJumps > 0 or MaxSpeed > 45  // Impossible speed for cargo vessel
| join kind=inner (
    AISProcessor
    | where TimeGenerated > ago(24h)
    | summarize arg_min(TimeGenerated, *) by MMSI
    | where MMSI between (100000000 .. 100000099)  // Suspicious MMSI range
) on MMSI
| extend AlertSeverity = "Critical"
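
The same three rules (position jumps, implausible speed, the ghost-vessel MMSI range) as an offline check a practitioner can run over AIS processor output. This is an added example, not code from the scenario or from StellarComm; the log line format and the sample reports are constructed, and it adds an implied-speed rule derived from consecutive fixes, which catches the 0.2°/-0.15° PACIFIC TRADER shift that is too small for the 50 nm jump rule alone.

```python
"""
AIS track integrity check: flags position jumps, physically impossible implied
speeds, and MMSIs in the ghost-vessel range. Sample reports are constructed.
"""
import math
from datetime import datetime, timezone

EARTH_RADIUS_NM = 3440.065        # mean Earth radius in nautical miles
MAX_JUMP_NM = 50.0                # DistanceFromLast_nm threshold from the KQL rule
MAX_SPEED_KTS = 45.0              # implausible speed for a cargo vessel (KQL rule)
GHOST_MMSI_RANGE = (100000000, 100000099)  # suspicious MMSI range from the KQL rule

# Constructed sample log, one line per position report (not real vessel data).
# The second 123456789 report carries the +0.2000/-0.1500 degree shift the scenario
# attributes to MODIFY_AIS_MSG; 100000001 is one of the ghost MMSIs.
SAMPLE_AIS_LOG = """\
2025-10-15T06:30:00Z mmsi=123456789 lat=14.5123 lon=120.9876 sog=14.2
2025-10-15T06:30:00Z mmsi=987654321 lat=38.7654 lon=-28.1234 sog=18.7
2025-10-15T06:36:00Z mmsi=123456789 lat=14.7123 lon=120.8376 sog=14.2
2025-10-15T06:36:00Z mmsi=987654321 lat=38.7654 lon=-28.0834 sog=18.7
2025-10-20T12:00:00Z mmsi=100000001 lat=16.0000 lon=112.5000 sog=8.5
"""


def parse_ais_log(text):
    """Parse 'ts key=value ...' lines into dicts; timestamps become aware UTC datetimes."""
    reports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        reports.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "mmsi": int(kv["mmsi"]),
            "lat": float(kv["lat"]),
            "lon": float(kv["lon"]),
            "sog": float(kv["sog"]),
        })
    return reports


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def check_ais(reports):
    """Return {mmsi: [reason, ...]} for every track that trips at least one rule."""
    tracks = {}
    for r in sorted(reports, key=lambda r: r["ts"]):
        tracks.setdefault(r["mmsi"], []).append(r)
    findings = {}
    for mmsi, track in tracks.items():
        reasons = []
        if GHOST_MMSI_RANGE[0] <= mmsi <= GHOST_MMSI_RANGE[1]:
            reasons.append("suspicious_mmsi_range")
        for prev, cur in zip(track, track[1:]):
            dist = haversine_nm(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if dist > MAX_JUMP_NM:
                reasons.append(f"position_jump:{dist:.1f}nm")
            # Implied speed catches shifts too small for the jump rule but too fast to be real.
            if hours > 0 and dist / hours > MAX_SPEED_KTS:
                reasons.append(f"implied_speed:{dist / hours:.0f}kts")
        if any(r["sog"] > MAX_SPEED_KTS for r in track):
            reasons.append("reported_speed_exceeds_limit")
        if reasons:
            findings[mmsi] = reasons
    return findings


if __name__ == "__main__":
    for mmsi, reasons in check_ais(parse_ais_log(SAMPLE_AIS_LOG)).items():
        print(mmsi, reasons)
```

Cross-checking the flagged track against shore radar or a second AIS source is still required before treating the vessel position as wrong; the check only says the broadcast track is not physically consistent.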

SPL — Firmware Update Integrity Monitoring

index=ground_station sourcetype=firmware_management
| where action="firmware_install"
| eval expected_hash=case(
    firmware_version="4.7.2", "a3b2c1d4e5f6...",
    firmware_version="4.7.1", "f6e5d4c3b2a1...",
    true(), "UNKNOWN")
| where installed_hash != expected_hash
| table _time, ground_station, device, firmware_version,
        installed_hash, expected_hash, installer_user
| sort -_time
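
The SPL above depends on knowing the expected hash of each version, which does not help when the vendor signs a new trojanized build (Lessons Learned, item 1). Added example, not StellarComm's or Meridian's code: it verifies an image against an organization-controlled hash allowlist and, independently of any hash, checks that regions the flash layout declares unused are still erased (0xFF), the place Phase 2 says the 47 KB implant was injected. The flash layout, part size and both images are constructed assumptions.

```python
"""
Independent firmware image verification for the fictional ACU-9000: full-image
SHA-256 against an organization-controlled allowlist plus an erased-region check.
Layout offsets and images are constructed, not the vendor's.
"""
import hashlib

FLASH_SIZE = 0x40000   # 256 KB part (assumption)
ERASED = 0xFF          # NOR flash erased state
# (name, start, end, declared_unused): constructed layout, not the vendor's.
LAYOUT = [
    ("bootloader", 0x00000, 0x08000, False),
    ("rtos_image", 0x08000, 0x30000, False),
    ("config",     0x30000, 0x32000, False),
    ("spare",      0x32000, 0x40000, True),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_clean_image(seed=b"constructed-acu9000-v4.7.1"):
    """Deterministic stand-in for a known-good image: used regions get pseudo-content."""
    img = bytearray([ERASED]) * FLASH_SIZE
    for name, start, end, unused in LAYOUT:
        if unused:
            continue
        block = hashlib.sha256(seed + name.encode()).digest()
        img[start:end] = (block * ((end - start) // len(block) + 1))[:end - start]
    return bytes(img)


def make_trojanized_image(clean):
    """Simulate a 47 KB payload dropped into the spare region, as Phase 2 describes."""
    img = bytearray(clean)
    payload = (b"constructed-implant-payload " * 2000)[:47 * 1024]  # ASCII, never 0xFF
    start = next(s for _, s, _, unused in LAYOUT if unused)
    img[start:start + len(payload)] = payload
    return bytes(img)


# Allowlist populated by the operator's own verification (reproducible build or
# independent analysis), not copied from vendor release notes.
ALLOWLIST = {"4.7.1": sha256_hex(make_clean_image())}


def unused_region_findings(image, layout=LAYOUT):
    """Return (region, first_offset, byte_count) for non-erased bytes in unused regions."""
    out = []
    for name, start, end, unused in layout:
        if not unused:
            continue
        nonfill = [i for i, b in enumerate(image[start:end]) if b != ERASED]
        if nonfill:
            out.append((name, start + nonfill[0], len(nonfill)))
    return out


def verify_firmware(image, version, layout=LAYOUT, allowlist=ALLOWLIST):
    """Return a verdict dict; 'ok' is True only when every check passes."""
    findings = []
    digest = sha256_hex(image)
    expected = allowlist.get(version)
    if expected is None:
        findings.append("version_not_in_allowlist")
    elif digest != expected:
        findings.append("hash_mismatch")
    # Hash-independent: still fires on a brand-new version the vendor signed,
    # where the only available hash is the vendor's own and would match.
    for name, offset, count in unused_region_findings(image, layout):
        findings.append(f"unused_region_populated:{name}@{offset:#x}:{count}B")
    return {"sha256": digest, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    clean = make_clean_image()
    print(verify_firmware(clean, "4.7.1"))
    print(verify_firmware(make_trojanized_image(clean), "4.7.2"))
```

Real layouts come from the vendor's linker map or a dump of a factory unit; the check is only as good as the declared-unused regions, so confirm them against a known-good device before relying on it.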

SPL — Satellite TT&C Unauthorized Access

index=ground_station sourcetype=ttc_audit
| where action IN ("login", "command_execute", "config_change")
| eval is_maintenance_window=if(
    date_wday IN ("sunday", "wednesday") AND
    date_hour >= 2 AND date_hour <= 6, 1, 0)
| where is_maintenance_window=0
| eval risk_score=case(
    action="config_change" AND command_type="pointing", 95,
    action="config_change" AND command_type="frequency", 90,
    action="command_execute" AND command_type="emergency", 85,
    action="login" AND src_vlan="antenna_control", 80,
    true(), 50)
| where risk_score > 70
| table _time, user, src_ip, src_vlan, action, command_type,
        satellite_id, risk_score
| sort -risk_score

Log Sources

Log Source                 | Value                                                    | Collection Method
Antenna Controller Logs    | Pointing commands, firmware status, diagnostic output    | Serial-to-syslog
TT&C System Audit Logs     | Satellite command history, operator authentication      | Syslog/SNMP
RF Spectrum Monitoring     | Signal anomalies, unexpected transmissions               | SDR-based IDS
AIS/ADS-B Processor Logs   | Message integrity, position validation                   | Application log
DNS Query Logs             | Covert channel detection on ground station networks      | DNS server logs
Firmware Management System | Update deployments, hash verification                    | SIEM integration
Network Flow Data          | Cross-VLAN traffic, unusual serial port activity         | NetFlow/IPFIX
GMDSS Performance Metrics  | Distress relay timing, signal quality measurements       | SNMP/telemetry

Indicators of Compromise

IOC Type         | Value                                      | Context
Domain           | orbital-telemetry.example.com              | STARSHADE C2 primary
Domain           | sat-status-check.example.com               | STARSHADE C2 fallback
Domain           | firmware-update.example.com                | STARSHADE C2 emergency
IP               | 203.0.113.50                               | C2 server primary
IP               | 203.0.113.51                               | C2 server fallback
IP               | 203.0.113.52                               | C2 server emergency
SHA256           | e4a7b3c1d2f5e6a7b8c9d0e1f2a3b4c5d6e7f8a9   | STARSHADE firmware implant
Firmware Version | ACU-9000 v4.7.2 (trojanized)               | Compromised firmware build
MMSI Range       | 100000001-100000003                        | Ghost vessel AIS identifiers
DNS Pattern      | TXT queries > 200 bytes from RTOS devices  | Covert channel signature
Pointing Anomaly | ±0.008-0.015° offset without change ticket | STARSHADE antenna manipulation

MITRE ATT&CK Mapping

Tactic            | Technique ID | Technique Name                                                | Scenario Phase
Initial Access    | T1195.002    | Supply Chain Compromise: Compromise Software Supply Chain     | Meridian Avionics firmware implant
Execution         | T1542.001    | Pre-OS Boot: System Firmware                                  | STARSHADE implant in RTOS
Persistence       | T1542.001    | Pre-OS Boot: System Firmware                                  | Firmware-level persistence
Discovery         | T1046        | Network Service Scanning                                      | Ground station network mapping
Discovery         | T1018        | Remote System Discovery                                       | VLAN enumeration
Credential Access | T1056.001    | Input Capture: Keylogging                                     | Serial console credential capture
Lateral Movement  | T1078        | Valid Accounts                                                | TT&C system access with stolen creds
Collection        | T1040        | Network Sniffing                                              | RF signal interception
Collection        | T1557        | Adversary-in-the-Middle                                       | AIS/ADS-B data interception
Collection        | T1005        | Data from Local System                                        | Government traffic metadata
Exfiltration      | T1048.003    | Exfiltration Over Alternative Protocol: DNS                   | DNS-over-satellite covert channel
Impact            | T1565.002    | Data Manipulation: Transmitted Data Manipulation              | AIS position spoofing
Impact            | T1499        | Endpoint Denial of Service                                    | GMDSS relay degradation

Impact Assessment

Category          | Impact
Maritime Safety   | 47-minute GMDSS distress relay gap; 3 EPIRB beacons delayed
Aviation Safety   | ADS-B position data integrity compromised for Atlantic/Pacific routes
Intelligence      | 21 days of government traffic metadata exfiltrated
Commercial        | AIS spoofing created false collision risk assessments for 3 vessels
Supply Chain      | Meridian Avionics firmware supply chain compromised for 3 ground stations
National Security | Government satellite backhaul traffic patterns revealed
Regulatory        | ITU radio regulations violated; ICAO/IMO safety standards breached

Response Playbook

Immediate Containment (0-4 hours)

  1. Isolate compromised ground stations — disconnect Guam, Perth, and Azores stations from corporate network; maintain satellite links via backup manual control
  2. Revoke all TT&C credentials — force password reset for all satellite operations personnel; disable compromised accounts immediately
  3. Enable RF spectrum monitoring — deploy software-defined radio monitoring at all ground stations to detect active signal injection
  4. Activate backup ground stations — route critical satellite traffic (GMDSS, government backhaul) through uncompromised stations
  5. Notify authorities — contact national space agency, CERT, and relevant military/intelligence organizations; GMDSS disruption requires IMO notification

Eradication (4-72 hours)

  1. Firmware forensic analysis — extract and analyze ACU-9000 firmware from all ground stations; identify STARSHADE implant signatures
  2. Factory reset antenna controllers — reflash ACU-9000 units with verified clean firmware (v4.7.1) obtained directly from Meridian Avionics (after vendor compromise assessment)
  3. DNS sinkhole C2 domains — sinkhole orbital-telemetry.example.com, sat-status-check.example.com, firmware-update.example.com
  4. Vendor supply chain audit — work with Meridian Avionics to identify compromise timeline, affected builds, and other customers who received trojanized firmware
  5. TT&C system rebuild — rebuild telemetry, tracking, and command systems from known-good images; rotate all cryptographic keys

Recovery (72 hours - 2 weeks)

  1. Validate satellite health — confirm no unauthorized commands were sent to ATLAS constellation; verify orbital parameters and transponder configurations
  2. AIS/ADS-B data audit — review historical data for evidence of injection or manipulation; notify affected maritime and aviation authorities
  3. Restore ground station operations — bring stations back online with enhanced monitoring, network segmentation, and firmware integrity verification
  4. Implement continuous RF monitoring — deploy permanent SDR-based intrusion detection at all ground stations
  5. Supply chain security hardening — implement firmware signing with organization-controlled keys, independent hash verification, and build process attestation

Lessons Learned

What Could Have Prevented This

  1. Independent firmware verification — StellarComm relied solely on vendor-provided firmware hashes; independent binary analysis or reproducible builds would have detected the implant
  2. Ground station network segmentation — the serial diagnostic port bridging antenna controller and TT&C VLANs created an unmonitored lateral movement path
  3. RF anomaly detection — no software-defined radio monitoring was deployed to detect signal injection or unauthorized transmissions
  4. AIS/ADS-B integrity validation — no cross-referencing of satellite-received AIS data against shore-based radar or multi-source position data
  5. TT&C command authentication — satellite commands relied on operator credentials without multi-person authorization or hardware token requirements
  6. Supply chain security assessment — Meridian Avionics was not assessed for cybersecurity posture despite providing critical firmware

Control Gaps

Gap                              | Recommended Control                                                | Priority
Firmware supply chain integrity  | Independent binary analysis + reproducible builds                  | Critical
Ground station segmentation      | Eliminate serial bridge; enforce hardware-level VLAN isolation      | Critical
RF environment monitoring        | Deploy SDR-based IDS at all ground stations                        | High
TT&C multi-person authorization  | Require dual-authorization for pointing and frequency commands     | High
AIS data cross-validation        | Multi-source position verification (satellite + radar + AIS)       | High
DNS monitoring on OT networks    | Deploy DNS logging and anomaly detection on all ground station VLANs | Medium
Vendor security requirements     | Include cybersecurity clauses in procurement contracts             | Medium

Discussion Questions

  1. Satellite ground stations straddle IT and OT domains, with RF systems, real-time operating systems, and conventional networks coexisting. How should organizations approach security architecture for these hybrid environments, and what lessons from ICS/SCADA security apply?

  2. The STARSHADE implant was delivered through a legitimate vendor's firmware update channel. What verification mechanisms would detect a supply chain compromise when the vendor's own signing keys are used to sign the trojanized firmware?

  3. AIS and ADS-B are inherently unencrypted protocols designed for safety-of-life applications. How should the international community balance the transparency needed for maritime and aviation safety with the security risks of unencrypted broadcast?

  4. The 47-minute GMDSS distress relay gap could have resulted in loss of life. How should organizations prioritize cybersecurity for safety-of-life satellite services, and what redundancy mechanisms should be mandated?

  5. ORBITAL PHANTOM's traffic analysis of encrypted government communications — extracting intelligence from metadata without breaking encryption — demonstrates that encryption alone is insufficient. What additional protections should be applied to sensitive satellite backhaul?

  6. The attack exploited the narrow supply chain for space-grade components. With few manufacturers of specialized satellite equipment, how can the space industry mitigate the concentrated supply chain risk?


Purple Team Exercise Reference

  • Purple Team Exercise Library — Supply chain and OT/ICS exercises
  • PT-091 through PT-100: OT/ICS attack simulation exercises
  • PT-121 through PT-130: Supply chain attack exercises

Cross-References