Every spacecraft communicates with the ground via radio frequency links, TT&C (Telemetry, Tracking, and Command) uplinks and downlinks. These links are the spacecraft's lifeline: they carry the commands that control every subsystem, from attitude control to propulsion. An adversary who can transmit commands to a spacecraft, or intercept its telemetry, has effectively gained control of a multi-million-pound asset in orbit. SPARTA techniques IA-0007 (Rogue Ground Station) and IA-0009 (Radio Frequency Attacks) describe exactly how this is done.
A rogue ground station attack involves an adversary establishing an unauthorised ground station capable of transmitting commands to the target spacecraft. Sub-technique IA-0007/01 describes the rogue uplink transmitting malicious commands on the spacecraft's command frequency. Sub-technique IA-0007/02 describes replay attacks, capturing legitimate command sequences and replaying them at a later time (also SPARTA EX-0006).
The barrier to entry is lower than most people assume. Software-defined radios (SDRs) capable of transmitting on satellite frequencies are commercially available for under £500. The primary defence is cryptographic command authentication; without it, any sufficiently powerful transmitter can send commands to a spacecraft.
RF attacks comprise three sub-techniques with distinct characteristics.
IA-0009/01 — Jamming: Overwhelming the spacecraft's receiver with noise, preventing legitimate commands from being received. This is SPARTA IMP-0003 (Denial) via the link segment. A jammer does not need to know anything about the target system; it simply overwhelms the receiver.
IA-0009/02 — Spoofing: Transmitting false signals that the spacecraft (or ground receiver) accepts as legitimate. GPS spoofing is the most well-known example; adversaries transmit false GPS signals to cause navigation errors. More sophisticated spoofing attacks can gradually shift a receiver's position estimate, causing it to accept false commands or navigate to incorrect locations.
IA-0009/03 — Eavesdropping (SPARTA EXF-0001 — Downlink Interception): Intercepting downlink telemetry to gather intelligence about the spacecraft's state, mission data, or cryptographic material. An adversary intercepting unencrypted telemetry gains detailed knowledge of the spacecraft's operational state, invaluable for planning further attacks.
RF attacks against space systems are not theoretical. GPS jamming in Ukraine has been continuous since February 2022, affecting military and civilian navigation across the conflict zone and neighbouring NATO countries. GPS spoofing in the Black Sea has caused ships to report false positions since 2017, dramatically escalating since 2022. A January 2026 Space Review analysis documented commercial satellite networks experiencing jamming, spoofing, and cyber attacks as a standard mode of modern warfare. RUSI's April 2022 analysis documented Viasat as the primary example of the convergence of cyber and RF attacks against satellite communications.
Without cryptographic command authentication, any transmitter can send commands to a spacecraft. This is not a theoretical risk, it is a documented attack vector (IA-0007) that requires a specific technical control to mitigate.
The SPARTA countermeasure is unambiguous: implement authenticated command uplinks using asymmetric cryptography. The CCSDS (Consultative Committee for Space Data Systems) Space Data Link Security (SDLS) protocol provides a standardised approach to securing space data links. Key management is as important as the cryptography itself. SPARTA Indicators of Behaviour for cryptographic compromise include repeated use of cryptographic keys from unusual locations, use of old or rotated keys, and unexpected changes to encryption configuration settings.
SPARTA Indicators of Behaviour for RF attacks include: unauthorised CLTU-START, STOP, or UNBIND from unauthorised users or rogue IPs; telecommand format tampering in CLTU-TRANSFER_DATA; unauthorised crosslink commands at unexpected times; and duplicate command packet executions (a replay attack indicator). Ground station monitoring for anomaly detection on command logs and frequency monitoring for unauthorised transmissions provides an additional detection layer. Response protocols should include safe mode activation procedures and command inhibit capabilities.
The RF link is the most direct path to spacecraft control — and it is accessible to any adversary with the right equipment. Cryptographic command authentication is not optional for any mission with national security implications. The CCSDS SDLS protocol exists precisely to address this threat. The question is whether it has been implemented.
Periculo provides Space Systems Threat Modelling services, including assessment of RF link security and SPARTA IA-0007/IA-0009 exposure. Contact us about Threat Modelling.