I seem to remember Snowden docs indicating that the NSA had HDD firmware hacks in their toolkit, and that such hacks are an example of what they mean by "advanced persistent threat".
Indeed, additionally I recall that the HP servers Iran used had some similar security issue on the RAID(?) controllers. But I hate to write stuff on HN without a source :-)