Notice that they left out the entire Tor circuit, I assume because they imagine we have a basic idea of how Tor works, but might not know the intricate details of the hidden-service-specific algorithms. They probably have not mentioned guards yet because so far they are completely irrelevant to what they are discussing, which is the hidden service protocol. All of the circuits utilized make use of guard nodes, but there isn't any particular reason for them to point this out yet.

They are not impersonating hidden service directories; they are making it so that they are selected as the hidden service directories. This is a slight modification to the attack from 2006 that caused guard nodes to be introduced in the first place. Essentially, they are saying that if they are selected as the hidden service's guard node, they can deanonymize the hidden service by making it open a circuit to their malicious rendezvous node (which actually isn't even required, since they can just be the client, which is in itself enough for 1/2 of a timing attack). It doesn't say anything about introduction points.

I still have not read this paper, but it seems that they are talking about two different attacks. One attack works to censor the hidden service, and also to position yourself for 1/2 of a timing attack against the hidden service and/or its clients, but the other attack is for enumeration of all hidden service .onion addresses, which can then be used in combination with the 2006 attack to deanonymize some percentage of the identified hidden services. In the 2006 attack they brute force circuits by making the server open new circuits to a rendezvous node until they own its entry node; in this attack they 'brute enumerate' hidden services in the hopes that they own some of their entry guards.