Here is a short summary taken from the linked Reddit post:
* root cause was a piggy-backed mail conversation where a legitimate mail correspondence/dialogue was continued by a hacker who sent over a macrofied .doc; the recipient opened it because it looked legitimate and would you please "Enable Editing"
* that system infected/contacted various other systems in the network; those systems were cleaned superficially
* two days later the firewall noticed outgoing traffic, so the infections were still ongoing
* suspicious activity was discovered on the domain controllers
* IT decided to shut down the internet connectivity
* the whole domain is going to be rebuilt
* although there was a policy in place to limit local admins, some systems/accounts were NOT locked down, for example some POS "presenter" software that needed local admin
* as to why the domain controllers were compromised: it is possible that the admins logged into infected systems with a domain admin to clean those systems
This whole thing really is special, because there are the usual stereotypes in play:
* macros weren't disabled company-wide or at least restricted
* local admins are a thing
* software that NEEDs local admin is still a thing
* admins might (!) have used domain admin credentials to enter suspicious systems
...and it happened to Heise, of all places.
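The last stereotype in the post, domain admins logging on to infected workstations to "clean" them, is also the one that is cheapest to catch from existing telemetry: a Tier-0 account producing an interactive logon (Windows Security event 4624, logon types that leave reusable credentials on the box) on anything that is not a domain controller. The following is an added example, not code from the post or from Heise: it runs that check over a few constructed 4624/4625 records in a simplified key=value form; the account names, hostnames and the `parse_event_line` format are made up for the example.

```python
"""Flag interactive logons by Tier-0 accounts on hosts outside the DC set.

Added example (not from the linked post). Event records are constructed
and simplified to key=value lines; the field meanings follow Windows
Security event 4624 (account, logon type, workstation).
"""
from dataclasses import dataclass

# 4624 logon types that leave reusable credential material (password hash,
# Kerberos TGT) on the host: Interactive, Unlock, RemoteInteractive (RDP),
# CachedInteractive. Network logons (type 3) do not and are not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 7, 10, 11}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    account: str
    logon_type: int
    host: str


def parse_event_line(line):
    """Parse one constructed 'Key=Value Key=Value ...' line into a LogonEvent."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        account=fields["Account"],
        logon_type=int(fields["LogonType"]),
        host=fields["Workstation"],
    )


def find_tier0_logons_off_dc(events, tier0_accounts, domain_controllers):
    """Return (account, host, logon_type) for every successful logon (4624)
    where a Tier-0 account logged on interactively to a non-DC host.

    Each hit is a workstation on which that admin's credentials were exposed
    to whatever malware was running there."""
    tier0 = {a.lower() for a in tier0_accounts}
    dcs = {h.lower() for h in domain_controllers}
    hits = []
    for ev in events:
        if ev.event_id != 4624:                      # only successful logons
            continue
        if ev.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        if ev.account.lower() in tier0 and ev.host.lower() not in dcs:
            hits.append((ev.account, ev.host, ev.logon_type))
    return hits


# Constructed sample records (hypothetical domain CORP, hypothetical hosts).
SAMPLE_LOG = """\
EventID=4624 Account=CORP\\da.mueller LogonType=3 Workstation=DC01
EventID=4624 Account=CORP\\da.mueller LogonType=10 Workstation=WS-POS-17
EventID=4624 Account=CORP\\jdoe LogonType=2 Workstation=WS-0042
EventID=4624 Account=CORP\\da.schmidt LogonType=2 Workstation=DC02
EventID=4624 Account=CORP\\da.schmidt LogonType=2 Workstation=WS-0042
EventID=4625 Account=CORP\\da.schmidt LogonType=2 Workstation=WS-0042
""".splitlines()

TIER0_ACCOUNTS = ["CORP\\da.mueller", "CORP\\da.schmidt"]   # members of Domain Admins
DOMAIN_CONTROLLERS = ["DC01", "DC02"]


def run_sample():
    """Apply the check to the constructed log and return the hits."""
    events = [parse_event_line(line) for line in SAMPLE_LOG]
    return find_tier0_logons_off_dc(events, TIER0_ACCOUNTS, DOMAIN_CONTROLLERS)


if __name__ == "__main__":
    for account, host, logon_type in run_sample():
        print(f"Tier-0 account {account} logged on to {host} (logon type {logon_type})")
```

Two records are flagged: the RDP logon of `da.mueller` to the POS box and the console logon of `da.schmidt` to `WS-0042`. The network logon to DC01, the normal user on WS-0042 and the failed logon (4625) are not. In a real environment the Tier-0 list comes from group membership rather than a literal, and the same rule is usually expressed as a SIEM query over the 4624 `LogonType` and `WorkstationName` fields.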