It looks to me like a server intrusion where they modified static files kept on a webserver (like apache or nginx). But it also seems like we don't have enough evidence to know for sure. (Edit: or they might have been static files kept on a CMS.)