Without knowing the specifics. I think one of the issues is that when NSA hooks itself into say a network router, it leaves trace behind (ie. an altered configuration) that can be spotted by the network engineers that maintain that equipment.
I would have guessed they would be a bit more sophisticated than that, perhaps flashing a new "evil" firmware that would look to be perfectly normal and unchanged to those without the correct key.
