Persistence

After gaining initial access and the capability to execute commands, the adversary will try to maintain their foothold. Persistence includes techniques used to maintain (undisclosed) access to the resource over time, with the aim of acting later, where and as needed for the adversary's purposes. Techniques can include manipulation of the security components to permit a new access, or pre-inserted or pre-configured backdoors that permit side access to the system.

ID: TA0003
Created: 25 August 2022
Last Modified: 14 April 2023

Techniques

Techniques: 4
ID | Name | Description
T2014 | Backdoor Installation | An attacker can interfere with the hardware or the software, integrating or modifying the existing software, the hardware configuration or the transponder configuration, to grant themselves future access to the resource.
.001 | Hardcoded credentials and/or keys | The attacker can hardcode credentials into a custom component during the supply chain phase, so as to have assured access to the resource once the component is integrated in the system.
.002 | Integration of custom malicious hardware | Replacement of a product in the supply chain with a custom or counterfeit part, to damage the system or to use it as a future backdoor.
.003 | OBSW modification | An attacker can modify the on-board software (OBSW) to permit future access to the resource through a software backdoor.
.004 | Transponder reconfiguration | An attacker can change the transponder configuration to permit future radio access to the resource.
.005 | Payload modification | An attacker can also modify the payload hardware, software or configuration to create future access to the payload itself, either to target the payload or to use it against the whole resource.
T2013 | Key Management Infrastructure Manipulation | Key infrastructures provide the technical means for managing key life cycles and for distributing keys using security protocols or other means. If an attacker manipulates them, they can gain and maintain authorized access to the protected resource. Encryption keys used to encrypt TM/TC can be replaced in order to gain permanent access to other functionalities, or to temporarily interrupt the owner's control.
.001 | Replace / generate new Session Keys | Adversaries can replace or generate the encryption keys used to encrypt TM/TC in order to gain permanent access to other functionalities.
.002 | Replace / generate new Master Keys | Adversaries can replace the master key used to encrypt TM/TC in order to gain permanent access to other functionalities, or interrupt the owner's control by generating new ones.
T1542 | Pre-OS Boot | "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system." Adversaries can obtain it by modifying or replacing components before launch, or by updating them later if an update capability is implemented. Detection is very difficult, because defenses usually work at higher levels.
.001 | System Firmware Exploitation | Persistence at a pre-OS level can be gained by modifying the firmware of a resource. System firmware is quite static and does not usually provide detection capabilities, so a firmware-level manipulation can remain unnoticed until later phases of the attack.
T2009 | Valid Credentials | Adversaries may obtain and abuse credentials to gain Initial Access or Persistence in a space resource. Compromised credentials may be used to bypass access controls placed on systems within the network, to decrypt communication, to send authenticated messages and to take control of the spacecraft. Gained credentials may even be used for persistent access to the resource.
.001 | Steal cryptographic keys | Adversaries may obtain and abuse master or session keys to gain Initial Access or Persistence. Compromised keys may be used to bypass access controls placed on various resources on systems within the network, and may even be used for persistent access to communication channels.
.002 | Forge Digital Certificates | If an attacker gains control of the credential-management system and can issue credentials, they can access the system and maintain persistent control over it. Recovery requires invalidating the existing credentials and reissuing all of them. CCSDS recommends two forms of credentials: X.509 certificates and protected simple authentication. The authenticity of an X.509 certificate depends on the digital signature of the CA attesting to the credential; if the digital signature algorithm used by the CA is of insufficient cryptographic strength, a credential may be spoofed.
.003 | Brute force attack against TC channel or mission channel | An attacker can use brute force to gain access to a TC channel, to break its encryption or to guess the valid commands.