That whole environment is an end-to-end trust-type model, so all you have to find is the weakest chain in the link. In this case, it was unfortunate that the administrative worker had a password that the hacker community was able to guess to get into that system.
On May 29th, 2019. See this statement in context.