The SOA record is almost irrelevant in this case, unless you are seeing some trickery where they set high TTLs or something to keep the "hack" around longer after it has been corrected.
There is only one root (which is kinda what makes it a root) - and in this case the root servers are doing their job just fine. DNS is hardly even involved. As far as I can tell this was simply a compromise of the web UI that allows for the management of domains under the .ps ccTLD. Probably just another sloppy front end developer.