If you had a valid, uncompromised version of firmware, and were able to substitute it, and look at the streams, you could compare one stream to the other, uncompromised vs suspect. At some point, to do its work, the suspect firmware has to cough something different, be it an altered MBR, or something else to allow it to do its job. Otherwise, it sits in firmware forever doing nothing. There needs to be a routine, an exercise, comparing known vs unknown to assess what it does to a stream, or to infect/root its host.
I get the feeling that the NSA attack is likely focused on a fairly select few, otherwise the C&C traffic would be heavy enough to otherwise detect. A rooted machine may stay asleep for a long time, perhaps forever, but at some point, it has to wake up. Change your IP address to a CIDR block in Iraq and see if your router suddenly lights up.
Summary: to do its work, it has to either talk to something or infect/root the kernel or something the kernel uses a lot, otherwise, it's useless except as a local attack. It has to assert itself, and using known vs unknown analysis is perhaps the only real way of making it show its footprints in the snow.
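The known-vs-suspect comparison described above, sketched as an added example that is not part of the original comment. It assumes the same sector range was captured as raw bytes once with known-good firmware and once with the suspect firmware, with 512-byte sectors; the function names and sample data are constructed for illustration.

```python
import hashlib

SECTOR = 512  # assumed logical sector size of the captured streams

def sector_digests(stream: bytes, size: int = SECTOR) -> list[str]:
    """SHA-256 of each sector; a short final sector is hashed as-is."""
    return [hashlib.sha256(stream[i:i + size]).hexdigest()
            for i in range(0, len(stream), size)]

def diff_streams(known: bytes, suspect: bytes, size: int = SECTOR):
    """Return [(first_lba, last_lba), ...] for contiguous sectors that differ.
    Sectors present in only one stream count as differing."""
    a, b = sector_digests(known, size), sector_digests(suspect, size)
    total = max(len(a), len(b))
    ranges, start = [], None
    for lba in range(total):
        same = lba < len(a) and lba < len(b) and a[lba] == b[lba]
        if not same and start is None:
            start = lba                      # a differing run begins
        elif same and start is not None:
            ranges.append((start, lba - 1))  # the run ended on the previous LBA
            start = None
    if start is not None:
        ranges.append((start, total - 1))
    return ranges

def describe(ranges):
    """Label each differing range; a change at LBA 0 means the MBR differs."""
    return [f"LBA {first}-{last}: " +
            ("MBR (LBA 0) altered" if first == 0 else "data sectors differ")
            for first, last in ranges]

def build_sample():
    """Constructed sample: 8 sectors as read via known-good vs suspect firmware."""
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"               # MBR boot signature
    known = bytes(mbr) + b"".join(bytes([n]) * SECTOR for n in range(1, 8))
    suspect = bytearray(known)
    suspect[0x40:0x44] = b"\xde\xad\xbe\xef"  # constructed change in boot code
    suspect[5 * SECTOR + 10] ^= 0xFF          # constructed change in sector 5
    suspect[6 * SECTOR + 10] ^= 0xFF          # constructed change in sector 6
    return known, bytes(suspect)

if __name__ == "__main__":
    known, suspect = build_sample()
    print("\n".join(describe(diff_streams(known, suspect))))
```

Hashing per sector keeps the comparison cheap on large captures and points straight at the LBAs worth examining by hand.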