Reply to post: It's most likely a combination of the following...

No big deal... Kremlin hackers 'jumped air-gapped networks' to pwn US power utilities

Christian Berger

It's most likely a combination of the following...

Gaining access to unrelated systems in order to know about the social graph of the target.

You then use that information to pose as a trusted partner, e.g. the vendor of the software, and send "updates" or office documents with which you can infiltrate the system.

This can be done via e-mail or, depending on the typical way software updates are distributed, postal mail. If your vendor sends you software updates via mail, sending a fake update which looks the same as a real one won't raise any suspicion and it will be installed.

BTW probably _all_ secret services do that kind of thing.
