tlds: they used the side-channel leakage together with rowhammer to flip bits in ssh public keys in memory from authorized_keys to convert them so they could factor them, generate a new private key and eventually log in.
also, sources.list and the system gpg-keychain to point the system to a malicious repo and install a backdoored /bin/ls