If it was an RNG attack - then it could be used on their cold storage as well as on their hot wallet. If the attacker can predict the private keys - then the fact that these keys are stored on something detached from the internet does not make any difference.