CIA agents left usb sticks on the ground in car parks near nuclear facilities. All it took was one curious researcher to pick one up and plug it into their machine.
That was long thought to be the attack vector, but new information recently became public: Dutch Engineer Used Water Pump to Get Billion-Dollar Stuxnet Malware Into Iranian Nuclear Facility