TL;DR: plant malware on the nodes.
ISPs can execute a man-in-the-middle attack and modify the Bitcoin Core software that nodes download. The CIA can easily force ISPs globally to do this in silence. They would then control all the nodes and can rewrite the chain, pulling off a 51% attack.
Another way is to infiltrate the ASIC manufacturers and plant hardware-level malware. 5-10 years later, the hardware is used by most nodes.
Certainly the CIA had a brainstorming session to come up with ideas like these, and they most certainly have a few which are ready to deploy.
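
A defender-side check for the download-tampering scenario above, as an added example that is not part of the original post: compare a downloaded archive against a sha256sum-style manifest such as the SHA256SUMS file Bitcoin Core publishes with each release. The file name and bytes are constructed, and the manifest is assumed to have been authenticated already (for example through its detached signature, with keys obtained out of band), because a manifest fetched over the same tampered path proves nothing.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX:
            entries[name] = digest
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, manifest_text):
    """Return 'ok', 'mismatch', or 'unlisted' (no manifest entry: treat as failure)."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(expected, sha256_file(path)) else "mismatch"

def demo():
    """Constructed data: hash a stand-in archive, then alter one byte 'in transit'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bitcoin-x.y.z-x86_64-linux-gnu.tar.gz")  # placeholder name
        original = b"constructed release bytes"
        with open(path, "wb") as f:
            f.write(original)
        manifest = hashlib.sha256(original).hexdigest() + "  " + os.path.basename(path) + "\n"
        before = verify_download(path, manifest)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulated modification of the downloaded file
        return before, verify_download(path, manifest)

if __name__ == "__main__":
    print(demo())
```

An "unlisted" result should be treated the same as a mismatch: a file the signed manifest does not name has not been vouched for.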