If Palo Alto aren't willing to implement CT, which I'm pretty sure they aren't because they're a legitimate company whose business isn't driven by people who abuse globally-valid certificates, then (regardless of whether SCTs can be forged in theory) that alone would have prevented the attack.
To add on to this: the certificate was generated from a Palo Alto Networks device.
https://groups.google.com/forum/#!topic/mozilla.dev.security...
If Palo Alto aren't willing to implement CT, which I'm pretty sure they aren't because they're a legitimate company whose business isn't driven by people who abuse globally-valid certificates, then (regardless of whether SCTs can be forged in theory) that alone would have prevented the attack.