Re: Can someone clarify something?
In adddition to @diodesign's comments, when they say "SPI flash storage soldered onto the MB", they mean the flashable UEFI firmware that can be updated via a user-initiated flashing process, but it happens to be in embedded NVRAM on the motherboard rather than addon components such as HDD, SSD, etc. Therefore injecting this hacked firmware can be done same as updating vendor downloaded firmware from the vendors' website. That is, a bootable USB thumbdrive with the firmware, minimal O/S and the flashing software, or even with something like ASUS's 'flashback' functionality that can flash from a powered off (but plugged into power) PC with just the firmware on the USB stick, no booting to even a minimal O/S required.
So it could have been done in the factory, in transit, someone with a couple minutes physical access and a USB stick after delivery, or even remotely since these days firmware can be updated from a live, running computers multi-user O/S such as windows or Linux etc.