Russian researchers expose breakthrough U.S. spyin...

[grey-area]

They do physically intercept some hardware, so that's one vector:

http://www.theguardian.com/books/2014/may/12/glenn-greenwald...

Alternatively could they use software exploits in an OS to execute arbitrary code and rewrite the firmware?

[mschuster91]

Why use software exploits? Just use an ordinary privilege escalation and act like the firmware upgrade tool of the manufacturer.