title: SCOR Incidents
description: Informative galaxy: an authoritative reference to known space cybersecurity incidents relevant to converged platforms, each carrying a confidence score (meta.confidence, 1-10) and its basis (meta.confidence-basis). Primarily an upskilling resource. Relationships to TENs, Exposure Domains, Detection Signatures, and Resilience Measures are created by analysts in MISP, not precalculated here.
Authors
| Authors and/or Contributors |
|---|
| H4CK32N4U75® |
Gatwick UAS Incursions
Sustained UAS incursions over Gatwick Airport caused runway closures and disrupted operations across multiple days, illustrating low-altitude aerial threats to ground infrastructure without confirmed attribution.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000001 which can be used as unique global reference for Gatwick UAS Incursions in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Resilience'] |
| ast | ['Hardware', 'Signals'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2018-12 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aerial'] |
| seg | ['Low Altitude', 'Ground'] |
| svc | ['Control Plane'] |
Abqaiq-Khurais Strike
Coordinated UAS and cruise-missile strikes on Saudi Aramco's Abqaiq processing facility and Khurais field temporarily removed roughly half of Saudi crude output, demonstrating cross-domain aerial kinetic effects against critical ground infrastructure.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000002 which can be used as unique global reference for Abqaiq-Khurais Strike in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Resilience'] |
| ast | ['Hardware'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2019-09 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aerial', 'Terrestrial'] |
| seg | ['Low Altitude', 'Ground'] |
| svc | ['Control Plane'] |
Tower 22 OWA Drone Strike
A one-way attack (OWA) drone struck Tower 22, a US logistics outpost on the Jordan-Syria border, killing three service members. Illustrates low-altitude OWA UAS as a confirmed kinetic threat to forward ground infrastructure.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000003 which can be used as unique global reference for Tower 22 OWA Drone Strike in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat'] |
| ast | ['Hardware'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2024-01 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aerial'] |
| seg | ['Low Altitude', 'Ground'] |
| svc | ['Control Plane'] |
Langley AFB UAS Incursions
Persistent UAS incursions reported over Langley AFB and other US installations. Tracked as a modeled indicator of attack pending attribution; supports hypothesis tracking for sustained low-altitude reconnaissance and harassment patterns.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000004 which can be used as unique global reference for Langley AFB UAS Incursions in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (modeled)', 'IOA', 'Threat', 'Detection'] |
| ast | ['Hardware', 'Signals'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2023-12 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aerial'] |
| seg | ['Low Altitude'] |
| svc | ['Control Plane'] |
Matsu Subsea Cable Severance
Two subsea cables connecting the Matsu Islands to Taiwan were severed within days of each other, attributed to vessel anchor activity. Cut off broadband service to roughly 14,000 residents and exposed the Aquatic-link segment to deniable kinetic disruption.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000005 which can be used as unique global reference for Matsu Subsea Cable Severance in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Resilience'] |
| ast | ['Hardware', 'Data'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2023-02 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aquatic'] |
| seg | ['Link', 'Aquatic'] |
| svc | ['Data Plane', 'Hybrid'] |
Red Sea Cable Damage (AAE-1/EIG/Seacom)
Damage to AAE-1, EIG, Seacom, and TGN subsea cables in the Red Sea during regional escalation degraded internet capacity between Europe, the Middle East, and Asia. Confirmed kinetic exposure against the Aquatic-link segment with hybrid data-plane and signaling impact.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000006 which can be used as unique global reference for Red Sea Cable Damage (AAE-1/EIG/Seacom) in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Resilience'] |
| ast | ['Hardware', 'Data'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2024-02 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aquatic'] |
| seg | ['Link', 'Aquatic'] |
| svc | ['Data Plane', 'Hybrid'] |
Baltic Cable Severance (C-Lion1 / BCS East-West)
BCS East-West and C-Lion1 subsea cables in the Baltic Sea were severed within hours of each other, coincident with the transit of the bulk carrier Yi Peng 3. Treated as a confirmed kinetic event with open attribution.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000007 which can be used as unique global reference for Baltic Cable Severance (C-Lion1 / BCS East-West) in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Resilience'] |
| ast | ['Hardware', 'Data'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2024-11 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aquatic'] |
| seg | ['Link', 'Aquatic'] |
| svc | ['Data Plane', 'Hybrid'] |
Estlink 2 Cable Incident
The Estlink 2 power and communications cable between Finland and Estonia was damaged, with the tanker Eagle S subsequently boarded by Finnish authorities. Extends the Baltic pattern to mixed power-plus-data cable exposure on the Aquatic-link segment.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000008 which can be used as unique global reference for Estlink 2 Cable Incident in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Resilience'] |
| ast | ['Hardware', 'Data'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2024-12 |
| exposure_domain | ['Kinetic'] |
| pce | ['Aquatic'] |
| seg | ['Link', 'Aquatic'] |
| svc | ['Data Plane', 'Hybrid'] |
Viasat KA-SAT AcidRain
AcidRain wiper deployed against Viasat KA-SAT modems on the morning of the 2022 invasion of Ukraine, with collateral loss of wind-turbine telemetry across Europe. Canonical confirmed cyber-warfare event against orbital ground infrastructure and link-segment user terminals.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-000000000009 which can be used as unique global reference for Viasat KA-SAT AcidRain in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Attack Path', 'Threat', 'Detection', 'Resilience'] |
| ast | ['Software', 'Firmware', 'Data'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2022-02 |
| exposure_domain | ['Cyber Warfare'] |
| pce | ['Orbital', 'Terrestrial'] |
| seg | ['Ground', 'Link', 'User'] |
| svc | ['Control Plane', 'Data Plane'] |
GNSS Spoofing and Jamming (Black Sea / Hormuz)
Persistent GNSS spoofing and jamming observed in the Black Sea, Eastern Mediterranean, and Strait of Hormuz, affecting maritime, aviation, and ground-based PNT-dependent systems. Long-running confirmed electronic-warfare exposure on the link-and-signals plane.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-00000000000a which can be used as unique global reference for GNSS Spoofing and Jamming (Black Sea / Hormuz) in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Detection', 'Resilience'] |
| ast | ['Signals', 'Data'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | ongoing |
| exposure_domain | ['Electronic Warfare (EW)'] |
| pce | ['Orbital', 'Terrestrial', 'Aquatic'] |
| seg | ['Link', 'User'] |
| svc | ['Data Plane'] |
Cosmos 1408 ASAT Debris Event
Russian direct-ascent anti-satellite test destroyed Cosmos 1408, generating thousands of trackable debris fragments in low Earth orbit. Dual-classified as a confirmed kinetic event and an environmental hazard owing to the persistent debris cloud.
Internal MISP references
UUID 6f4e2d9b-3c5a-4d7f-8b2c-00000000000b which can be used as unique global reference for Cosmos 1408 ASAT Debris Event in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an | ['IOC (confirmed)', 'IOA', 'Threat', 'Detection', 'Resilience'] |
| ast | ['Hardware'] |
| audit-pending | true |
| confidence | 0 |
| confidence-basis | AUDIT-PENDING: historical incident inherited from the pre-refined SCOR seed. Confidence score and basis to be assigned by the SCOR steward as part of the first progressive content release; until then this entry exists for UUID stability and analyst discoverability. |
| date | 2021-11 |
| exposure_domain | ['Kinetic', 'Other (environmental)'] |
| pce | ['Orbital'] |
| seg | ['Space'] |
| svc | ['Control Plane', 'Data Plane'] |
INC-0001-DEMODISCLOSURE-GROUND-CRED-ABUSE
Demonstration incident: ground segment credential abuse. Illustrative, unclassified worked example of a ground-segment incident in which compromised operator credentials were used to issue out-of-baseline commands on the platform control plane.
Internal MISP references
UUID 3f69dedc-ccc0-5ddf-9179-451ae8b92944 which can be used as unique global reference for INC-0001-DEMODISCLOSURE-GROUND-CRED-ABUSE in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| confidence | 10 |
| confidence-basis | Confirmed by public report from the affected organization (demonstration value; replace with the real disclosure reference at publication). |
| display_name | Demonstration incident: ground segment credential abuse |
INC-0002-DEMODISCLOSURE-PNT-SPOOFING
Demonstration incident: user-segment PNT spoofing event. Illustrative, unclassified worked example in which user-segment receivers reported anomalous position fixes consistent with regional PNT spoofing activity.
Internal MISP references
UUID 59011f40-4bcb-5284-834a-81ce772d9fb2 which can be used as unique global reference for INC-0002-DEMODISCLOSURE-PNT-SPOOFING in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| confidence | 5 |
| confidence-basis | Reported by a second or third party with no formal validation from the affected organization; not disclosed in a contested manner and no pending complaints against the report. |
| display_name | Demonstration incident: user-segment PNT spoofing event |
INC-0003-DEMODISCLOSURE-SUPPLY-CHAIN
Demonstration incident: tampered supply-chain software. Illustrative, unclassified worked example in which a third-party software artifact destined for the platform failed integrity verification upon ingest.
Internal MISP references
UUID e6142589-8930-5455-aa44-b1e2f1b1090b which can be used as unique global reference for INC-0003-DEMODISCLOSURE-SUPPLY-CHAIN in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| confidence | 7 |
| confidence-basis | Partial confirmation: affected organization acknowledged an anomaly but has not published a full report; corroborated by an independent integrity-verification log. |
| display_name | Demonstration incident: tampered supply-chain software |
INC-0004-DEMODISCLOSURE-UPLINK-JAM
Demonstration incident: sustained uplink jamming. Illustrative, unclassified worked example in which sustained jamming on the link segment degraded uplink availability during a contact window.
Internal MISP references
UUID 516b8422-7547-580c-b4fc-3ced81db36e3 which can be used as unique global reference for INC-0004-DEMODISCLOSURE-UPLINK-JAM in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| confidence | 5 |
| confidence-basis | Reported by a second or third party with no formal validation from the affected organization; not contested and no pending complaints. |
| display_name | Demonstration incident: sustained uplink jamming |