Your comments on the other thread in BATL, Josh, were precisely how I was looking at this. To my knowledge, the only way to modify root files on a Linux installation would be to 1) be root or 2) have access to the physical machine (not remote access) to be able to use an externally loaded OS of some sort to mount and manipulate the files that way.
Also, I had not read deeply enough to see the part you pointed out regarding it being a specifically targeted attack back in 2015. Chances are if the hackers were specifically targeting someone/some corporation, etc., they may have already had backdoor access somehow; maybe even physical access (a worker, delivery person, etc.).
Anyway, thanks to Corrine for posting this. It's been interesting.