It doesn't require that the target system be connected to the web. All that is necessary is a stupid contractor to connect an infected USB drive while installing an update to the software. I have seen it happen, and it's not pretty when an entire group of machines across a large, closed national network is affected.