The kind of stuff you heard about with Russian embassies and the CIA mixing bugs into the mortar? They're doing that kind of thing, apparently broad-spectrum, to high-value targets, semi-high-value targets and those who might be adjacent to high-value targets.
And it's not just one or two terrifying things that have been used in a few cases. It's tens of programs, and devices that are apparently routinely shipped in the tens or hundreds of units. It's postal interception, broad postal interception to infect 'new' computers, total compromise of essentially all smartphones, infection of nearly all computing peripherals...
And this is all separate from things like working with RSA to compromise data security standards -- that is, making us all less secure so that they can break our passwords if they need to.