The 'clean source' or 'supply chain' was the amongst the systems compromised. The cross-checks you list above would reveal nothing but normal results as the trust chain was intact. This hack was amazing - at source level, at root trust level; code that remained dormant for 12 to 14 days before taking first steps, code that was aware if it was sandboxed or live, code that was imbedded in otherwise normal external traffic, code seemingly going to normal external addresses, code that paused if actively searched for, code that hid in plain-sight http rather than HTTPS, code that supported normal functionality. This was not your farther's hack; this was mind-bogglingly good. This was unlike anything seen before.