I have the entirely opposite opinion - once you have managed to attack the supply chain and covertly deploy, say, some hardware that can write a few hundred arbitrary bytes to the firmware (which was described as the attack vector by Bloomberg), then that's essentially game over. Perhaps designing the hardware hack is easy, but getting the malicious chip on the devices shipping to your targets and keeping it a secret is not trivial.

"communicate with external command&control and know how to read interesting data or send interesting effectful commands to the mainboard." is hard only in the sense that it takes some effort; however, this requires pretty much the same capabilities and skills as every engineered malware we've encountered, so you can assume that every serious adversary can do it: not only nation-state adversaries but also many serious commercial pentesting companies and cybercrime teams have demonstrated such capabilities.

I can imagine an attacker that can make the "hard" software required but doesn't have the capability to insert that modified hardware within a supply chain - as in, it's not even an assumption; for pretty much every intelligence agency it's known that they can easily do software which "would need to communicate with external command&control and know how to read interesting data or send interesting effectful commands to the mainboard" - even just counting things that have failed (because we've detected, analyzed and attributed them), there's clear evidence that they can do it because they've done it many times.

I literally can't imagine an agency that can pull off the supply chain attack but doesn't have the capability to write software to control the board and exfiltrate data.

I just can't imagine anyone exfiltrating the data on a corporate level at any scale without raising alarms. It's just not realistic; once it leaves the board it's pretty easy to see over a network.

Now, specific targeted attacks are more believable; at that point, though, I'd think a one-off MITM hardware swap would be more likely.
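The point made above, that data leaving the board is visible on the network, as an added example that is not part of this thread: an allowlist check over constructed flow records that flags any host on a hypothetical out-of-band management subnet (where a BMC or similar implant-adjacent controller would live) sending traffic to a destination it has no business reaching. The subnets, addresses and byte counts are all constructed for the example.

```python
"""Constructed example: flag egress from server management interfaces (BMC /
out-of-band subnet) to destinations outside an allowlist, summing bytes so a
bulk transfer stands out from a stray DNS query."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical management network and the only destinations it should reach
MGMT_NET = ip_network("10.99.0.0/24")                       # BMC / OOB subnet
EXPECTED_DST = {ip_network("10.99.0.0/24"),                 # itself (NTP, DHCP)
                ip_network("10.10.5.0/24")}                 # monitoring + jump hosts

# Constructed flow records: (src, dst, dst_port, bytes_out)
FLOWS = [
    ("10.99.0.17", "10.10.5.3",   443, 12_000),      # normal: BMC -> monitoring
    ("10.99.0.17", "10.99.0.1",   123, 200),         # normal: NTP inside the subnet
    ("10.99.0.42", "203.0.113.9", 443, 8_400_000),   # bulk transfer to an outside host
    ("10.99.0.42", "203.0.113.9", 443, 9_100_000),   # ...continued
    ("10.99.0.18", "198.51.100.7", 53, 310),         # small DNS to an unexpected resolver
    ("10.20.1.5",  "203.0.113.9", 443, 50_000),      # not a management host; out of scope
]


def is_expected(dst):
    """True if dst falls inside any allowlisted network."""
    addr = ip_address(dst)
    return any(addr in net for net in EXPECTED_DST)


def unexpected_egress(flows, min_bytes=0):
    """Return {src: {dst: total_bytes}} for management-subnet sources talking to
    non-allowlisted destinations, dropping (src, dst) pairs below min_bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, nbytes in flows:
        if ip_address(src) not in MGMT_NET or is_expected(dst):
            continue
        totals[src][dst] += nbytes
    return {s: {d: b for d, b in dsts.items() if b >= min_bytes}
            for s, dsts in totals.items()
            if any(b >= min_bytes for b in dsts.values())}


if __name__ == "__main__":
    for src, dsts in unexpected_egress(FLOWS).items():
        for dst, nbytes in dsts.items():
            print(f"ALERT mgmt host {src} -> {dst}: {nbytes} bytes to unexpected destination")
```

Raising min_bytes separates the bulk transfer from low-volume noise; in a real deployment the allowlist would come from the management network's documented dependencies rather than constants.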