Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles down

StargateSg7

95% of the time it will be a Network Interface Chip (NIC) or a Drive Controller which is re-soldered and changed over. AND its sole task will be to intercept targeted text strings (i.e. text with certain keywords) or packets having specified source or destination IP addresses and then compress/encrypt that data into LEGITIMATE data streams such as image files, OS data files, web-based temp files, etc., which tend to be served to outside locations within network data packets which can be intercepted at the local or regional telecom level.

Unfortunately, the more insidious intercepts are re-flashed GPU and NIC BIOSes that have interactive user text-input, screenshot output and mouse-HID-event re-directs to privileged memory locations and/or previously compromised kernel mode drivers which will re-package/compress/encrypt that intercepted data into legitimate traffic for outside intercept. It's basically impossible to change a BIOS that can PREVENT user-flashes and/or show FAKE update credentials to an operating system (i.e. the "fake" BIOS prevents a legitimate update and merely changes its version numbers and presents a fake digital signature to low-level services), which will never know incoming data is being intercepted.

I would have to douse the whole chipset in liquid helium so I can examine it under specialty lab conditions, using layer-by-layer chip examination of the values of local data and CPU registers and other flash memory locations, for evidence of "fake" BIOS code.
