That, and the chips were what the DoD found to have been compromised. No software needed.
Right -- that was part of what I was alluding to. Yes, we have firmware embeds to deal with as well as whatever might be in PROM, plus circuitry is so miniaturized now you could have whole subsystems at work that could pass unnoticed.
Modern electronics afford way too many means of hiding unwanted processes to even consider buying anything from a potential adversary.
"He who buys his weapons from an enemy is a fool." as the saying goes. A fool, or a collaborator.