am I missing something?
"A Hyper-V attack is certainly a plausible explanation for the incident, as CVE-2021-28476 can crash hosts"
Unless Pakistan's Federal Board of Revenue allows citizens to spin up VM's on government servers, CVE-2021-28476 probably ain't the problem. To crash a host you have to compromise a guest... and the guest has to be Ubuntu Focal. Plus it's kind of tough to steal data from a blue screened server.