Or targeted not really at doing anything but at researching the nature of supply chain vulnerabilities themselves.

This doesn't look like a research.

This looks like state sponsored attack. Imagine having a backdoor that you can just go to any Linux server and with your key you can make it execute any code you wish without any audit trail. And no one without the key can do it, so even if your citizens use such vulnerable system other states won't be able to use your backdoor.

Spending two years actually maintaining an open source project that you will later backdoor is a very expensive way to perform such research.