What possible purpose, or gain, could China obtain from putting in a back door on hospital monitoring equipment that displays a user’s vitals?
https://www.pcmag.com/news/chinese-made-patient-monitor-contains-a-secret-backdoor
At least the NSA has the good sense to put backdoors in important software, like your graphics cards.
lol
If you dare to follow the link to the CISA report ("fact shit", indeed), find "Technical details of backdoor" and have minimal knowledge, then things will look pretty different.
They have a screenshot of decompiled code. But for completely unknown reasons they redacted the only thing that could be some kind of reason for their statements.
What the code in the screenshot does:
First it tries to mount some NFS network disk share with a redacted address to the device's /mnt directory. Without any login/password, meanwhile. Then, if the share is mounted and if a "monitor" directory exists on the mounted share, it copies the program and config to the device filesystem.
Basically it is just a simple way to debug firmware on a real device without reflashing it constantly, a piece of debug code that was not removed or properly shut down in the firmware release. Bad decision, nothing more.
Also, an NFS server that is exposed to the internet is an awful idea in general. The NFS protocol is a very old thing, it works like shit even with minimum delays and is fundamentally insecure. It could be normally and safely used only in a local network, behind the firewall, when you completely control both clients and server. If somebody exposed his NFS server to the whole internet, he is an idiot, and probably already was hacked multiple times by numerous bots that run everywhere, including your browser if you didn't turn off all those "serviceworkers" and "websockets".
Funny that CISA hides the address, because it could be some local network thing like 192.168.0.1 or 10.10.10.10. It is highly probable, taking NFS into account. Another funny thing is that patient data is printed via LPD then. Yes, of course there is an underground facility somewhere in China, where Chinese spies have thousands of printers that print patients' data day and night on endless rolls of paper.
I saw much worse things many times, and still don't really think that APC wants to steal data about voltages in the power grid and UPS battery charge levels around the world or that Cisco (Linksys) wants to collect all possible WiFi hotspot names. :)
Regarding real spying, better take a look at modern browsers, proprietary OSes and all that cloud shit everybody gladly uses to store really private data. Those are the things that are purposely created to steal private data and spy on users.
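An added example, not part of the post above and not taken from the CISA report: one way a defender could check the question the comment raises, namely whether a monitor's NFS and LPD traffic stays on the local network. The flow-record format, the monitor subnet and every address in the sample are constructed assumptions.

```python
import ipaddress

# Services named in the comment: NFS (plus the portmapper used by NFSv3 mounts) and LPD.
WATCHED_PORTS = {111: "rpcbind", 2049: "nfs", 515: "lpd"}
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed patient-monitor VLAN
# Explicit RFC 1918 list: ipaddress.is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2025-02-01T08:00:01Z 10.20.30.11 192.168.0.1 tcp 2049
2025-02-01T08:00:02Z 10.20.30.12 198.51.100.7 tcp 2049
2025-02-01T08:00:02Z 10.20.30.12 198.51.100.7 udp 111
2025-02-01T08:00:05Z 10.20.30.12 10.20.30.200 tcp 515
2025-02-01T08:00:09Z 10.20.30.11 10.20.30.1 udp 123
2025-02-01T08:00:10Z 10.50.0.4 198.51.100.7 tcp 2049
truncated line
"""

def scope(dst):
    """'local' for RFC 1918 destinations, 'external' for everything else."""
    return "local" if any(dst in net for net in RFC1918) else "external"

def audit(flow_text):
    """Return sorted (src, dst, service, scope) for watched flows from monitors."""
    findings = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[4])
        except ValueError:
            continue
        if src not in MONITOR_NET or port not in WATCHED_PORTS:
            continue
        findings.add((str(src), str(dst), WATCHED_PORTS[port], scope(dst)))
    return sorted(findings)

def external_only(findings):
    """Flows that leave private address space: candidates for an egress block."""
    return [f for f in findings if f[3] == "external"]

if __name__ == "__main__":
    for src, dst, svc, where in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst} {svc} ({where})")
```

A "local" result still deserves a look at which host actually answers at that address, since the device copies whatever the share provides.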
Thank you for a thoughtful response.