(Replying to PARENT post)

It is technically possible, yes, but you need a really good security team as well as security policies that everyone is following. At the very least with a good security team you may be able to notice the malicious activity shortly after you've been breached, even when it's too difficult to prevent the breach from happening at all.

This is infeasible for a lot of organizations, unfortunately. And it also becomes much more difficult if your adversary has full control of your DNS servers or can perform a man-in-the-middle due to their backbone Internet access. Something like an Evilgrade (https://github.com/infobyte/evilgrade) attack conducted via an ISP MitM is very hard to detect and prevent, and I suspect NSA uses Evilgrade-like tactics frequently. And if you live in the US it's game over by default, since they can legally send people onsite to compromise you.

👤 meowface 🕑 11y 🔼 0 🗨️ 0

(Replying to PARENT post)

If the NSA is in bed with US based network gear providers

If ^^that^^ is true, then I'd argue your first sentence is not. There is simply no way to truly protect yourself if the gear manufacturers are complicit.

👤 rufugee 🕑 11y 🔼 0 🗨️ 0