Careto Hacking Group Linked to Spanish Government - Report

A Decade-Old Mystery: Unmasking the Careto Hacking Group
Over ten years ago, security researchers at Kaspersky detected unusual internet activity. Initial assessments suggested a known, state-sponsored hacking group was responsible, based on comparable targeting methods and phishing techniques.
Further investigation revealed a significantly more sophisticated hacking operation. This operation was actively targeting the Cuban government, alongside other entities.
The Emergence of "Careto"
Researchers eventually traced the network activity to a previously unknown, Spanish-speaking hacking group. They named it "Careto," derived from a Spanish slang term meaning “ugly face” or “mask,” which was discovered embedded within the malware’s code.
While never officially connected to a specific government, TechCrunch has learned that the original researchers strongly believed Spanish government hackers were operating behind Careto’s espionage activities.
Careto's Capabilities and Global Reach
In 2014, when Kaspersky first publicized Careto’s existence, they described the group as “one of the most advanced threats” at the time.
Its malware was remarkably stealthy, capable of extracting highly sensitive data. This included private communications and keystrokes from compromised computers, mirroring the functionality of modern government-level spyware.
Careto’s malware was deployed to infiltrate government institutions and private companies across the globe.
Internal Conclusions at Kaspersky
Kaspersky refrained from publicly assigning blame for Careto’s actions. However, sources within the company, familiar with the investigation, confirm that researchers internally concluded the hacking team was affiliated with the Spanish government.
“There was no reasonable doubt about that,” stated a former Kaspersky employee, speaking anonymously.
A Rare Breed: Western Government Hacking Groups
Careto stands as one of the few Western government hacking groups to be publicly discussed. Others include U.S. entities like Equation Group (linked to the NSA), the Lamberts (believed to be the CIA), and the French group Animal Farm, responsible for the Babar and Dino malware.
Bernard Barbier, a former head of French intelligence, publicly acknowledged the French government’s involvement with Babar.
The Spanish government now joins this exclusive group of Western state-sponsored hacking operations.
The Cuban Connection
The initial impetus for Kaspersky’s investigation into Careto stemmed from the targeting of a specific government network in Cuba, according to a second former Kaspersky employee.
A compromised individual within the Cuban government, referred to as “patient zero,” became the focal point of the investigation.
It is believed that Careto’s interest in Cuba was linked to the presence of members from the Basque separatist organization ETA within the country at that time.
Linking Careto to Spain
Kaspersky’s technical reports indicated that Cuba suffered the highest number of attacks per country during the investigation. A specific, unnamed Cuban government institution was identified as a primary target, demonstrating “the current interest of the attackers.”
This Cuban connection ultimately provided key evidence linking Careto to Spain, according to former Kaspersky staff.
“We internally knew who was responsible,” one source stated, expressing “high confidence” in the Spanish government’s involvement. This assessment was echoed by two other former Kaspersky employees.
A Policy of Non-Attribution
Despite these internal conclusions, Kaspersky opted not to publicly disclose its findings. A former researcher explained that the company had a “strict ‘no attribution’ policy,” which was rarely deviated from.
“It wasn’t broadcast because I think they didn’t want to publicly accuse a government,” the researcher added.
Broader Targeting and Responses
Beyond Cuba, Careto’s operations extended to numerous other targets. These included entities in Brazil, Morocco, Spain, and notably, Gibraltar – a British territory claimed by Spain.
Kaspersky declined to comment on its researchers’ internal assessments. Spokesperson Mai Al Akkad stated, “We don’t engage in any formal attribution.”
The Spanish Ministry of Defense and the Cuban government did not respond to requests for comment.
The Unveiling of Careto
After discovering the group's malware in 2014 and gaining the ability to identify compromised systems, Kaspersky researchers documented Careto infections globally, with victims in 31 nations across multiple continents.
The malware’s presence was detected in Algeria, Morocco, and Libya within Africa, and in France, Spain, and the United Kingdom in Europe. Latin American victims were identified in Brazil, Colombia, Cuba, and Venezuela.
Targeting Patterns and Significance
Kaspersky’s technical analysis highlighted Cuba as a primary focus, with all targeted victims belonging to a single institution, a detail considered noteworthy by the researchers.
Spain had demonstrated a particular interest in Cuba in prior years. An exiled Cuban government official, speaking to the Spanish newspaper El Pais in late 2013, indicated that approximately 15 members of the ETA terror group resided in Cuba with the local government’s consent. A leaked U.S. diplomatic cable from 2014 confirmed that Cuba had provided refuge to ETA terrorists for years. Earlier still, in 2010, a Spanish judge had issued arrest warrants for ETA members living in Cuba.
The Spanish online news source, El Diario, observed that targeting nations like Brazil and Gibraltar would align with the Spanish government’s “geostrategic interests.” Spain was actively seeking a consortium of public and private entities to secure a contract for constructing a high-speed railway between Rio de Janeiro and São Paulo in Brazil.
Scope of Targets
Beyond governmental bodies, embassies, and diplomatic organizations, the Careto group also targeted entities within the energy sector, research institutions, and activist groups, according to Kaspersky.
Researchers at Kaspersky were able to trace the existence of Careto malware back to 2007, identifying subsequent iterations capable of compromising Windows, macOS, and Linux systems. Evidence also suggested potential code targeting Android and iOS devices.
Attribution Hints
While Kaspersky refrained from publicly disclosing its internal attribution, its findings contained strong indicators pointing towards Spain.
A specific string within the malware code, “Caguen1aMar,” drew attention. This is a shortened form of the Spanish phrase “me cago en la mar,” a colloquial expression roughly equivalent to “f—k,” predominantly used in Spain, unlike other Spanish-speaking regions.
Accompanying the announcement of Careto’s discovery in 2014, Kaspersky released a map illustrating the targeted countries. This map included an image of a mask adorned with bull’s horns and a nose ring – the bull being a national symbol of Spain – alongside castanets and the colors of the Spanish flag.
The map’s details underscored the importance of Cuba to Careto. For each country, Kaspersky included icons denoting the types of targets identified. Cuba was one of only a few countries with a government institution marked as compromised; the others were Gibraltar, Morocco – a strategic espionage target due to its proximity and territorial disputes with Spain – and Switzerland.
Technical Capabilities
In 2014, Kaspersky characterized the Careto group’s malware as one of the most sophisticated threats of its time, due to its capacity to extract highly sensitive data from compromised computers.
The malware could intercept internet traffic, capture Skype conversations, steal encryption keys (PGP), and obtain VPN configurations. It was also capable of taking screenshots and retrieving data from Nokia devices.
Attack Vectors and Tactics
The Careto group heavily relied on spearphishing emails containing malicious links, often impersonating reputable Spanish newspapers such as El País, El Mundo, and Público. Emails also featured videos on political topics and cooking recipes. A former Kaspersky employee revealed to TechCrunch that phishing links referenced ETA and Basque news, information omitted from Kaspersky’s official report.
Clicking these links resulted in infection via an exploit targeting the user’s specific device, followed by redirection to a legitimate webpage to avoid raising suspicion, as detailed in Kaspersky’s report.
The group exploited a vulnerability, since patched, in older versions of Kaspersky’s antivirus software, which is how the company itself first discovered the malware.
Dominance in Cuba and Operational Shutdown
The widespread use of Kaspersky’s software in Cuba effectively enabled Careto to target a significant portion of the island’s internet users. By 2018, the Russian antivirus firm controlled approximately 90% of Cuba’s internet security market, according to Cuba Standard, and its name had become integrated into local slang.
Shortly after Kaspersky published its research, the Careto hackers dismantled their operations, meticulously wiping logs – an action researchers deemed “not very common” and indicative of an elite government hacking group.
“Such thoroughness requires preparation,” a former Kaspersky employee explained to TechCrunch. “They systematically and rapidly destroyed everything, the entire infrastructure. It simply vanished.”
Careto's Resurgence
Following a period of inactivity, no cybersecurity firm, including Kaspersky, publicly acknowledged re-detecting Careto’s operations – until recently.
In May 2024, Kaspersky announced the re-emergence of Careto’s malware. The group was observed targeting an organization in Latin America that had experienced prior compromises in 2022, 2019, and on a previous occasion over ten years ago.
Kaspersky also reported that Careto successfully breached a second, unnamed organization situated in Central Africa.
A subsequent blog post in December 2024 detailed Kaspersky researchers’ attribution of these new intrusions to Careto, assessed with “medium to high confidence.” This assessment was based on strikingly similar filenames to those utilized in Careto’s activities from a decade prior, alongside consistent tactics, techniques, and procedures (TTPs).
Analysis of Recent Activity
Researchers Georgy Kucherin and Marc Rivero López, who presented their findings at the Virus Bulletin security conference in October 2024, noted that Careto consistently executes cyber attacks with a high degree of caution.
However, they also observed that the group committed minor, yet critical errors during their latest operations, mirroring activity from a decade earlier.
Despite these observations, Kucherin conveyed to TechCrunch that the identity of the individuals or the government backing the Careto hacking group remains unknown.
“A nation state is a likely possibility,” Kucherin stated. “However, pinpointing the specific entity and the malware’s developers is technically impossible.”
Kaspersky’s latest report indicates that the attackers gained access to the Latin American victim’s email server before deploying their malware.
Analysis of compromised systems revealed the malware’s capability to secretly activate the computer’s microphone – concealing the standard Windows indicator – and exfiltrate various data types.
This included personal documents, session cookies enabling passwordless account access, and browsing histories from multiple web browsers.
In another instance, the report details the use of a suite of implants functioning as a backdoor, a keylogger, and a screenshot capture tool.
Continued Sophistication
Despite being detected, Kucherin asserts that the Careto hackers maintain a high level of skill, comparable to their capabilities observed over a decade ago.
When contrasted with larger, state-sponsored hacking groups like North Korea’s Lazarus Group and China’s APT41, Kucherin characterizes Careto as a “very small advanced persistent threat” that exceeds these larger groups in complexity.
“Their attacks represent a remarkable level of craftsmanship,” Kucherin concluded.