Yes, I didn't put it in the article because it was getting too long otherwise, but the attacker immediately tried brute-forcing the root account, and after a handful of common passwords ("qwerty", "qwerty123", "pizza" among those) he found "password".
I was able to find all the attempts by looking at the I/O activity of the sshd process, and also the syslog activity recorded every attempt.
Doesn't your system refuse root login by ssh by default ? If I remember correctly, on ubuntu server, sshd is configured by default to not allow root login from remote addresses.
On some providers yes, in fact I explicitly enabled root SSH login for those.
Other providers (such as Digital Ocean) use the root account by default even for Ubuntu, although the password is set to a really secure and random one.
I was able to find all the attempts by looking at the I/O activity of the sshd process, and also the syslog activity recorded every attempt.