Many of the more technically advanced governments create and/or buy malware which is able to persist in places other than just your hard drive and BIOS.
As it seems you're new to the idea, look into APTs for a general understanding of how persistent threats can be useful when they're embedded into a target:
The mechanisms for persisting outside of HDD/SSD data areas and the BIOS can vary. There are a lot of support chips in computers and peripherals. For example, Intels AMT (supposed to secure PCs) has been shown by researchers to be a useful place to put malware.
As it seems you're new to the idea, look into APTs for a general understanding of how persistent threats can be useful when they're embedded into a target:
https://en.wikipedia.org/wiki/Advanced_persistent_threat
The mechanisms for persisting outside of HDD/SSD data areas and the BIOS can vary. There are a lot of support chips in computers and peripherals. For example, Intels AMT (supposed to secure PCs) has been shown by researchers to be a useful place to put malware.
https://en.wikipedia.org/wiki/Intel_Active_Management_Techno...
I'm not personally sure if there's active malware using that vector yet, it's just an example. But it also wouldn't be even slightly surprising.
Does that help? :)