Yes, remote link injection is done through backdoors. As the linked article indicates, locating these is very difficult. If you miss one in your cleanup efforts, they'll be back, possibly in seconds there will be links all over the place again.
The only sure fire cleanup method is to wipe everything and restore from a known clean backup. It's certainly possible for immoral web consultants to install backdoors, then use them for retribution if they are not paid for their work. It is far more likely the hackers got in using a security vulnerability in the site. It could be a plugin, a weak password, or even a vulnerability elsewhere on the site unrelated to WP.
For a more complete discussion of this issue, read FAQ My site was hacked and Hardening WordPress.