So am I understanding right that an actual person would have to bring a USB to the computer? To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system.
Yes, but not necessarily the attacker themselves. USB drives are a great delivery mechanism because they get handed out so many places, so all you have to do is hand them out in the right area and bank on some number of people being clueless enough to plug them into their work box.
But it is even more nefarious than that. Your institution (the NSA, for example) will have "special" USB sticks that you are authorized to use because they are "protected". The Sauron kit even works on these protected USB sticks! It knows what the protection software is and how it works, and knows how to work around it. So it doesn't even take a dumb user picking up a random USB and sticking it in their computer. All it needs is for this USB to have been used on another computer that is (basically invisibly) infected with Sauron. That is some Grade A nastiness, right there, my friends.
So I guess that means, since they have the protection software, that the NSA wasn't worried about using these protected USBs on specific devices only and so that's how it got on? Like they can plug those USBs in to any computer? Or maybe could is a better word.
Well, security has many levels. One of the most reliable methods to secure a computer is to "air gap" it, which means that it connects to no network, no wireless, no other computer. The only way to move files onto it is with a USB. So if you want to hack into an air-gapped computer, you need to compromise a USB that has been approved for use in that computer. And that is, effectively, what this hack circumvented. Incidentally, they can now hack air-gapped computers by getting close enough to it with a sensitive antenna, and listening to the electrical pulses put out by the individual keys on the keyboard! It's a bit like electronic semaphore. But, it has been proven to work reliably.
"Incidentally, they can now hack air-gapped computers by getting close enough to it with a sensitive antenna"
You say "now", but the NATO selection process for TEMPEST-secure devices comes from 1981. Way before that, there was laser eavesdropping and the KGB bugging the American embassy through "electromagnetic flooding", whatever that is.