It would be funny in this case if it was really just an open SCADA for their entire power grid that they clicked “off”, then “on”.
Is it that, or is it more likely they paid some anti-Maduro electric company worker to walk into HQ and shove a dongle in the back of a PC somewhere on their internal network, à la Stuxnet?
I work in electricity; it wouldn't be one, but yeah, essentially it's probably an unpatched RDP/VNC/remote desktop exploit. Or the password is contraseña123.
The reality probably isn't far off... I know in the past the "breaches of critical infrastructure" breathlessly reported by the media have actually just been wide-open SNMPv2 services using the default community string. I'm sure something similar happened here. Turns out you can just connect to port 161, press "power off," and be reported in the news as an "advanced persistent threat actor".