Even if they don't have physical access to factories I'm sure there are cases where they have (spurious) network access to factories and can replace a firmware blob that goes into routers or other equipment with a slightly different one with their tweaks without anyone noticing without looking really, really hard.
Tamper evident only provides evidence of a home user that hasn't spent time learning how to evade them. You don't need the means to obtain or produce replica seals, but the NSA also has the money to do exactly that. And that assumes by 'seal' the author even meant to imply something as strong as tamper evident.
The article says the "NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers." The word"receives" suggests that the manufacturer knowingly sends the hardware to the NSA.
