If this had happened, the attacker would have likely stolen the servers TLS certificate and keys

Whereas this attack generated new keys (and was detected!), suggesting the attacker didn't compromise the server itself.