Or else he simply picked up the malware simply by borrowing a usb key from someone else who'd been infected. I bet the majority of security researchers are only a couple of hops on their network of acquaintances from people who are pretty much guaranteed to be targets of <pick your state security agency of choice> and they would certainly have the resources to develop something like this if they chose to.
We know that Stuxnet spread beyond it's intended target - that's how it was discovered by the wider security community in the first place. Malware this pernicious could spread fairly stealthily through a large number of people without being noticed I'd imagine.
(If it really is using high frequency audio to leak data then that would be strong evidence that it was originally designed to target some group using air gapped computer networks to protect their high grade information. If your top secret & merely secret grade computers are laptops in the same room & they can communicate over a back channel like this then suddenly your air gapped computer network isn't cut off from the internet any more!)
We know that Stuxnet spread beyond it's intended target - that's how it was discovered by the wider security community in the first place. Malware this pernicious could spread fairly stealthily through a large number of people without being noticed I'd imagine.
(If it really is using high frequency audio to leak data then that would be strong evidence that it was originally designed to target some group using air gapped computer networks to protect their high grade information. If your top secret & merely secret grade computers are laptops in the same room & they can communicate over a back channel like this then suddenly your air gapped computer network isn't cut off from the internet any more!)