Persistence

Threat actor is trying to maintain their foothold/access to command/execute code on the spacecraft.

Informational References

https://attack.mitre.org/tactics/TA0003/
ID: ST0005

Techniques

ID Name Description
PER-0001 Memory Compromise Threat actors may manipulate memory (boot, RAM, etc.) in order for their malicious code and/or commands to remain on the victim SV. The SV may have mechanisms that allow for the automatic running of programs on system reboot, entering or returning to/from safe mode, or during specific events. Threat actors may target these specific memory locations in order to store their malicious code or file, ensuring that the attack remains on the system even after a reset.
PER-0002 Backdoor Threat actors may find and target various backdoors, or inject their own, within the victim SV in the hopes of maintaining their attack.
.01 Hardware Threat actors may find and target various hardware backdoors within the victim SV in the hopes of maintaining their attack. Once in orbit, mitigating the risk of various hardware backdoors becomes increasingly difficult for ground controllers. By targeting these specific vulnerabilities, threat actors are more likely to remain persistent on the victim SV and perpetuate further attacks.
.02 Software Threat actors may inject code to create their own backdoor to establish persistent access to the SV. This may be done through modification of code throughout the software supply chain or through modification of the software-defined radio configuration (if applicable).
PER-0003 Ground System Presence Threat actors may compromise target owned ground systems that can be used for persistent access to the SV or to perpetuate other techniques. These ground systems have already been configured for communications to the victim SV. By compromising this infrastructure, threat actors can stage, launch, and execute persistently.
PER-0004 Replace Cryptographic Keys Threat actors may attempt to fully replace the cryptographic keys on the space vehicle which could lockout the mission operators and enable the threat actor's communication channel. Once the encryption key is changed on the space vehicle, the SV is rendered inoperable from the operators perspective as they have lost commanding access. Threat actors may exploit weaknesses in the key management strategy. For example, the threat actor may exploit the over-the-air rekeying procedures to inject their own cryptographic keys.