The statement says they were authorized to send commands to vulnerable servers through the exploited services/webshells which removed said webshells from the system.