Nation-state operation
In a way, it reminds me of Stuxnet: a sophisticated attack, capable of breaching almost any Siemens PLC system in the world... but which only activated on a specific target.
This isn't exactly the same, of course; but why would a criminal hacker infect millions of computers with a powerful backdoor that can compromise the system at the firmware level, but which only triggered against 600 specific users? Plus, it chose targets by MAC address, so the attacker needed to know in advance the MAC addresses of its targets.
As Rain Man might say, "Definitely nation-state. Definitely. Definitely."