The OpenSSL server is a virtual server which shares a hypervisor with other customers of the same ISP. Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server.
Sounds like their hosting provider has reason to be embarrassed. That would be Indit Hosting of Sweden. To be clear, in case the description leaves any doubt: no vulnerability was exploited in the attack. Indit Hosting simply didn't follow best practice for passwords.
Does your hosting service use strong passwords? It might be worth asking.