How did the crims create the sub-domain?
"the attackers compromised an unnamed web server, created their own subdomain for the server's website"
For them to create a sub-domain they would need to also compromise the authoritative name server, unless the DNS was hosted on that same web server that they rooted - which is a bad idea anyway. The DNS should be separate and independent.