The "chip that reconfigured the hardware" is already built in; it's the BMC.
All the Chinese government has to do is go to the factory and tell them "flash the BMC firmware with this image" where the image is subverted (but operationally indistinguishable) BMC firmware. It doesn't get much more straight forward than that.
There are attacks where flashing a malicious firmware on to the device prevents real firmware flashing (just updates version numbers, re-infects the flashing payload on write, etc). However, those attacks can be mitigated by physically connecting to the flash module and writing to the device directly through SPI. If you've got a chip between the BMC and the flash memory as the report suggests, it can re-infect the memory even when you're done. You could even read the contents of the flash memory directly and find no evidence of the attacker, as the attack code might never actually write to the memory and may only load when the BMC boots and attempts to read from the flash memory.
It is straight forward to compromise the BMC, it isn't straight forward to hide a backdoor in the BMC in front of some of the best security researchers in the world. Especially with such attack being well known and seemingly trivial to check for.
All the Chinese government has to do is go to the factory and tell them "flash the BMC firmware with this image" where the image is subverted (but operationally indistinguishable) BMC firmware. It doesn't get much more straight forward than that.