There are probably a lot of 0days that are judiciously used to exploit the browsers of people they're interested in, similar to the one used against the TBB a few months ago. This exploit probably just quietly modifies the UA string, appending something like a GUID. The victim then leaves a nice little Hansel & Gretel trail of breadcrumbs that can be picked up by GCHQ black box intercepts at POPs.