The paper says that they compromised machines by guessing credentials -- not by breaking crypto. ("Four simple stupid default telnet passwords" is how the paper refers to the scope of the vulnerability.)
Agreed, I just happened to skim over the paper to spot any similarities but there appear to be none; in fact the paper's authors have used EC2 instances---a legal means. Also noteworthy difference is the paper's limited attention to SSH/TLS ports.