At the time, a colleague of mine (we were both working for the German IT news magazine Golem) found a web page by a government-associated university that was offline with a message that it's been taken down due to a security issue.
Putting a few hints together, we figured out that Ilias was hosted therer, and that this was how the attack on the government initially started.
We weren't able to figure out which vulnerability was used, but had some ideas what it might've been. (Older versions had a default password for the admin account.)
One wonders: there's an Open Source software that's widely used by universities, even by government-associated universities. It's been the cause of a high-profile attack on a government before. One wonders why that doesn't trigger sufficient funding for regular, high-quality security audits of that software.
Article from 2018: https://www.golem.de/news/government-hack-hack-on-german-gov...