
Mysterious Hacking Group Careto Linked to Spanish Government, Sources Reveal
For over a decade, cybersecurity researchers at Kaspersky have been investigating suspicious internet activity, eventually uncovering a sophisticated, Spanish-speaking hacking group they dubbed Careto, meaning “ugly face” or “mask” in Spanish slang. While Careto’s activities, which included targeting the Cuban government, were well-documented, the group’s backers remained a mystery. Now, sources speaking to TechCrunch reveal that Kaspersky researchers were convinced the Spanish government was behind Careto’s espionage operations.
Kaspersky’s initial report in 2014 described Careto as “one of the most advanced threats at the moment,” capable of stealing sensitive data, private conversations, and keystrokes, similar to modern government spyware. The malware infiltrated government institutions and private companies worldwide.
Despite the public silence, several former Kaspersky employees with knowledge of the investigation claim that researchers internally concluded Careto was a hacking team working for the Spanish government. One former employee stated there was “no reasonable doubt” about this conclusion.
Careto joins a small list of Western government hacking groups publicly discussed, including the U.S. government’s Equation Group (believed to be the NSA), the CIA’s Lamberts, and France’s Animal Farm.
The investigation into Careto began with the hacking of a Cuban government network, which led researchers to suspect the group’s interest stemmed from the presence of members of the Basque terrorist organization ETA in Cuba at the time. Kaspersky’s report highlighted that Cuba had the highest number of victims, all belonging to the same government institution.
Apart from Cuba, Careto targeted entities in Brazil, Morocco, Spain, and Gibraltar. Kaspersky’s decision not to publicly name a sponsor for the attacks was put down to a strict “no attribution” policy.
After discovering the group’s malware in 2014, Kaspersky identified Careto infections in 31 countries across multiple continents, targeting government institutions, embassies, energy companies, research institutions, and activists. The malware targeted Windows, Mac, and Linux computers, with code potentially built for Android and iPhones as well.
Hints pointing to Spain included the string “Caguen1aMar,” a Spanish expletive, found in the malware code. Kaspersky’s 2014 announcement included an illustration with a mask, bull’s horns, castanets, and the Spanish flag’s colors.
Careto primarily used spearphishing emails with malicious links impersonating Spanish newspapers and content related to political subjects and food recipes. The hackers also exploited a vulnerability in older versions of Kaspersky’s antivirus software.
Following Kaspersky’s report, Careto ceased operations and wiped logs, behavior that researchers considered unusual and indicative of an “elite” government hacking group.
In May 2024, Kaspersky announced the reappearance of Careto’s malware, targeting an unnamed organization in Latin America and another in Central Africa. Researchers attributed the new hacks to Careto with “medium to high confidence,” based on similar filenames and tactics.
Despite this, Kaspersky researchers maintain they cannot definitively identify the government behind the Careto hacking group.
Kaspersky’s most recent report detailed how Careto hackers breached an email server, planting malware capable of activating a computer’s microphone, stealing files, and accessing web browsing histories.