Mysterious hacking group Careto was run by the Spanish government, sources say | TechCrunch
More than a decade ago, researchers at antivirus company Kaspersky identified suspicious internet traffic of what they thought was a known government-backed group, based on similar targeting and its phishing techniques. Soon the researchers realized they had found a much more advanced hacking operation that was targeting the Cuban government, among others.

Eventually the researchers were able to attribute the network activity to a mysterious and, at the time, completely unknown Spanish-speaking hacking group that they called Careto, after the Spanish slang word for "ugly face" or "mask" in English, which they found buried within the malware's code.

Careto was never publicly linked to a specific government. But TechCrunch has now learned that the researchers who first discovered the group were convinced that Spanish government hackers were behind Careto's espionage operations.

When Kaspersky first revealed the existence of Careto in 2014, its researchers called the group "one of the most advanced threats at the moment," with its stealthy malware capable of stealing highly sensitive data, including private conversations and keystrokes, from the computers it compromised, much akin to powerful government spyware today. Careto's malware was used to hack into government institutions and private companies around the world.

Kaspersky avoided publicly blaming who it thought was behind Careto. But internally, according to several people who worked at Kaspersky at the time and had knowledge of the investigation, its researchers concluded that Careto was a hacking team working for the Spanish government.

"There was no doubt of that, at least no reasonable doubt," one of the former employees told TechCrunch, who, like other sources in this story, agreed to speak on condition of anonymity to discuss sensitive matters.

Careto is one of only a handful of Western government hacking groups that has ever been discussed in public, along with U.S. government units such as Equation Group, widely believed to be the U.S. National Security Agency; the Lamberts, believed to be the CIA; and the French government group known as Animal Farm, which was behind the Babar and Dino malware. In a rare admission, Bernard Barbier, former head of the French intelligence service DGSE, publicly confirmed the French government was indeed behind Babar.

The Spanish government now joins this small group of Western government hacking groups.

Early in its investigation, Kaspersky discovered that the Careto hackers had targeted a particular government network and systems in Cuba, according to a second former Kaspersky employee.

It was this Cuban government victim that sparked Kaspersky's investigation into Careto, according to the people speaking with TechCrunch.

"It all started with a guy who worked for the Cuban government who got infected," the third former Kaspersky employee with knowledge of the Careto investigation told TechCrunch. The person, who referred to the Cuban government victim as "patient zero," said that it appeared the Careto hackers were interested in Cuba because, during that time, there were members of the Basque terrorist organization ETA in the country.

Kaspersky researchers noted in a technical report published after their discovery that Cuba had by far the highest number of victims per country at the time of the investigation into Careto's activities, specifically one unnamed Cuban government institution, which the report said showed "the current interest of the attackers."

This Cuban government victim would prove key to linking Careto to Spain, according to the former Kaspersky employees.

"Internally, we knew who did it," the third former Kaspersky employee said, adding that they had high confidence it was the Spanish government. Two other former Kaspersky employees who also had knowledge of the investigation said the researchers likewise concluded Spain was behind the attacks.

The company, however, decided not to disclose it. "It wasn't broadcast because I think they didn't want to out a government like that," a fourth former Kaspersky researcher said. "We had a strict no-attribution policy at Kaspersky. Sometimes that policy was stretched, but never broken."

Apart from Cuba, other Careto targets also pointed to Spain. The espionage operation affected hundreds of victims in Brazil, Morocco, Spain itself and, perhaps tellingly, Gibraltar, the disputed British enclave on the Iberian peninsula that Spain has long claimed as its own territory.

Kaspersky declined to answer questions about its researchers' conclusions.

"We don't engage in any formal attribution," Kaspersky spokesperson Mai Al Akkad told TechCrunch in an email.

The Spanish Ministry of Defense declined to comment. The Cuban government did not respond to emails sent to its Ministry of Foreign Affairs.

After Kaspersky discovered the group's malware in 2014, and as a result learned how to identify other computers compromised by it, the researchers found evidence of Careto infections all over the world, compromising victims in 31 countries spanning several continents.

In Africa, the group's malware was found in Algeria, Morocco and Libya; in Europe, it targeted victims in France, Spain and the United Kingdom. In Latin America, there were victims in Brazil, Colombia, Cuba and Venezuela.

In its technical report, Kaspersky said that Cuba had the most victims that were being targeted, with all belonging to the same institution, which the researchers perceived as of significance to the hackers at that point in time.

Spain had its own particular interest in Cuba in the preceding years. As an exiled Cuban government official told the Spanish daily El País at the end of 2013, there were around 15 members of the terror group ETA who lived in Cuba with the approval of the local government. In 2014, a leaked U.S. diplomatic cable noted that Cuba had given refuge to ETA terrorists for years. Earlier, in 2010, a Spanish judge ordered the arrest of ETA members living in Cuba.

When covering the news of the discovery of Careto, the Spanish online news outlet El Diario noted that targeting countries such as Brazil and Gibraltar would favor the Spanish government's geostrategic interests. The Spanish government had been pushing for a consortium of government-owned and private companies to win a bid to build a high-speed railway in Brazil from Rio de Janeiro to São Paulo.

Aside from targeting government institutions, embassies and diplomatic organizations, Kaspersky said the Careto group also targeted energy companies, research institutions and activists.

Kaspersky researchers wrote that they were able to find evidence that the Careto malware existed as far back as 2007, and found subsequent versions of Careto capable of exploiting Windows PCs, Macs and Linux computers. The researchers said they found possible evidence of code capable of targeting Android devices and iPhones.

While Kaspersky didn't make its internal attribution public, its researchers left clear hints that pointed to Spain.

First, the company researchers noted that they found a string in the malware code that was "particularly interesting": Caguen1aMar. That string is a contraction of the popular Spanish expletive "me cago en la mar," which literally means "I sh*t in the sea" but roughly translates to "f*ck," a phrase typically used in Spain and not in other Spanish-speaking countries.

When Kaspersky announced its discovery of Careto in 2014, the company published a map showing all the countries that the hacking group had targeted. Along with the map, Kaspersky included an illustration of a mask with bull's horns and a nose ring (the bull is a national symbol of Spain), castanets or "clackers" (an instrument used in Spanish folk music), and the red and yellow colors of the Spanish flag.

A detail in the map revealed how important Cuba was for Careto. For certain countries, Kaspersky added icons specifying what type of targets it was able to identify. The map showed Cuba had a single hacked victim, marked as a government institution. Gibraltar, Morocco (whose proximity and territorial disputes make it a strategic espionage target for Spain) and Switzerland were the only other territories with a government victim.

Kaspersky said in 2014 that the Careto group's malware was one of the most advanced threats of the time for its ability to grab highly sensitive data from a victim's computer. Kaspersky said the malware could also intercept internet traffic, Skype conversations, encryption (PGP) keys and VPN configurations, take screenshots, and fetch all information from Nokia devices.

The Careto group relied in large part on spear-phishing emails that contained malicious links impersonating Spanish newspapers like El País, El Mundo and Público, and videos about political subjects and food recipes. One of the former Kaspersky employees told TechCrunch that the phishing links also included references to ETA and Basque news, which Kaspersky's report omitted.

When clicking on these malicious links, the victim would get infected using an exploit that hacked the user's specific device, then be redirected to a legitimate web page so as to not raise suspicions, according to Kaspersky's report.

The Careto operators also took advantage of a since-patched vulnerability in older versions of Kaspersky's antivirus software, which the company said in its 2014 published report was how it first discovered the malware.

The ubiquity of Kaspersky's software in Cuba effectively made it possible for Careto to target almost anyone on the island with an internet connection. By 2018, the Russian antivirus company controlled some 90% of the island's internet security market, according to Cuba Standard, an independent news website. The antivirus is so popular across the country that the company's name has become part of the local slang.

But soon after Kaspersky published its research, the Careto hackers shut down all of its operations discovered by the Russian firm, going as far as wiping its logs, which researchers noted was "not very common" and put Careto "into the elite section" of government hacking groups.

"You can't do that if you're not prepared," one of the former Kaspersky employees told TechCrunch. "They systematically and in a quick manner destroyed the whole thing, the whole infrastructure. Boom. It was just gone."

After Careto went dark, neither Kaspersky nor any other cybersecurity company publicly reported detecting Careto again until last year.

Kaspersky announced in May 2024 that it had found Careto's malware once again, saying it saw the group target an unnamed organization in Latin America that was previously compromised by the hacking group, most recently in 2022, again in 2019, and on another occasion more than 10 years ago.

Careto also hacked a second unnamed organization located in Central Africa, said Kaspersky.

In a blog post later in December 2024, Kaspersky's researchers attributed the new hacks to Careto with "medium to high confidence," based in part on filenames that were "alarmingly similar" to filenames found in Careto's activities from a decade ago, as well as overlapping tactics, techniques and procedures, or TTPs, a cybersecurity expression that refers to the unique behaviors of a certain hacking group.

Kaspersky researchers Georgy Kucherin and Marc Rivero López, who wrote a paper and presented their research at the Virus Bulletin security conference in October 2024, said Careto has always conducted cyberattacks "with extreme caution," but still managed to make "small but fatal mistakes" during their recent operations that matched activity from Careto a decade earlier.

Despite that, Kucherin told TechCrunch that they don't know who or which government is behind the Careto hacking group.

"It's likely a nation state," said Kucherin. "But what entity it was, who developed the malware? From a technical perspective, it's impossible to tell."

According to Kaspersky's most recent report, this time the Careto hackers broke into the unnamed Latin American victim's email server and then planted its malware.

In one of the hacked machines the researchers analyzed, Kaspersky found that Careto's malware could surreptitiously switch on the computer's microphone while hiding the Windows icon that normally alerts the user that the mic is on; steal files such as personal documents; steal session cookies, which can allow access to accounts without needing a password; collect web browsing histories from several browsers; and more.

In the case of another victim, according to the report, Careto hackers used a set of implants that work as a backdoor, a keylogger and a screenshot-taker.

Despite the fact that they got caught, and compared to what Kaspersky found more than a decade ago, Kucherin said that the Careto hackers are "still that good."

Compared to the larger and more well-known government-backed hacking groups like the North Korean Lazarus Group and China's APT41, Kucherin said Careto is a very small advanced persistent threat that "surpasses all those large ones in complexity."

"Their attacks are a masterpiece," said Kucherin.
Senior Reporter, Cybersecurity

© 2025 TechCrunch Media LLC