I don't really see from this explanation what prevents a new wave of infected machines from contacting the Tier 2 layer. It seems like they just cut off Tier 1 access of existing infections. Yes, they took over the cloud account, but I don't see what's really stopping the bad actors from starting over (with lessons learned probably as to what got them caught the first time).