the point wasnt whether or not they could or did. the point was that it could be inferred based on what sql client the malware client was using without ever touching the sever.
Read the document. They have the server software. They have configuration files for the server, they know how it processes communication, they know how it generates UUID's. They have the server software.
If it does, that's an easy claim to prove.