Operation 1Mission
2013-04-10 • Issuemakers Lab
IssueMakersLab attributed the March 20 attacks on South Korean broadcasters and banks to a hacker group it said had conducted a long-running campaign against South Korea since 2007. The report connected the March 2013 activity to earlier operations through shared C2 protocol traits, an identical 16-character compression password, repeated command-control artifacts, two RSA key pairs used for C2 and stolen-data encryption, and similar development paths. It said the group used encrypted collection keywords, including terms related to military exercises and the U.S. Army, to search for and steal files from South Korean targets. Before the destructive March 20 attacks, malware without collection keywords was reportedly placed in affected broadcasters and banks, while keyword-bearing malware was distributed to other critical South Korean institutions. The findings matter because they frame the wiper incident as part of a broader espionage-focused campaign rather than a standalone disruption.