It's also possible that the malware was actually dropped from a *nix or Windows system that wasn't itself infected, but where the user wanted to drag Dell through the muck. Doesn't need to be any of these Advanced Persistent Threats you keep reading about, just a terminated employee on his last day. I doubt that embedded hardware is connected to the internet while it's being assembled, so it seems unlikely that they got a chance infection - someone had to subvert their production process. That's most likely to be an insider.