The fact that the fake nameservers were visible on iedr.ie means that it's likely the .ie TLD, or someone with the keys to google.ie (e.g. eMarkmonitor Inc) were the real cause..

The IEDR works on a fax based authorisation system for a lot of procedures which is low hanging fruit for an attacker. Any other type of compromise might be more interesting so curious if they'll release how this happened.

Actually, you can just log directly into the IEDR site to make these changes.

I've done this many times..

Just speculating on an attack vector that's pretty low-tech and open to abuse.