The Mask Unmasked: Inside Kaspersky's Secret Attribution of the Elite Careto Hacking Group to the Spanish Government
In the complex and often shadowy world of state-sponsored cyber espionage, attribution is a delicate and frequently avoided subject. Cybersecurity firms often uncover sophisticated hacking operations, track their movements, and analyze their tools, but publicly naming the responsible government entity is rare. This is especially true for Western governments, whose cyber activities are seldom discussed in the open compared to groups linked to nations like Russia, China, Iran, or North Korea.
More than a decade ago, researchers at the antivirus company Kaspersky stumbled upon what initially appeared to be the work of a known government-backed group. They observed suspicious internet traffic exhibiting familiar targeting and phishing techniques. However, as they delved deeper, they realized they had uncovered something far more advanced – a highly sophisticated hacking operation targeting the Cuban government, among others. This elusive group would eventually be named Careto, derived from the Spanish slang word for "ugly face" or "mask," a term found hidden within the malware's code.
When Kaspersky first revealed the existence of Careto in 2014, its researchers lauded it as "one of the most advanced threats at the moment." The group's stealthy malware was designed to steal highly sensitive data, including private conversations, keystrokes, and various files from compromised computers, mirroring the capabilities of powerful government spyware seen today. Careto's operations spanned the globe, successfully compromising government institutions and private companies across numerous countries.
Despite the public disclosure of Careto's technical prowess and widespread targeting, Kaspersky maintained its official stance of not engaging in formal attribution. However, TechCrunch has now learned from multiple former Kaspersky employees with direct knowledge of the investigation that, internally, the researchers reached a clear conclusion: the Careto hacking team was working for the Spanish government.
"There was no doubt of that, at least no reasonable [doubt]," one former employee told TechCrunch, speaking on condition of anonymity to discuss sensitive internal matters. This internal consensus places the Spanish government among a small, publicly discussed group of Western nations believed to operate sophisticated hacking units, alongside entities widely associated with the U.S. (like Equation Group and the Lamberts) and France (like Animal Farm, linked to Babar and Dino malware). Notably, a former head of French intelligence publicly confirmed France's role in Babar.
The decision not to publicly attribute Careto to Spain was a conscious one, driven by Kaspersky's strict "no attribution" policy regarding nation-states. "It wasn’t broadcast because I think they didn’t want to out a government like that," another former researcher explained. "We had a strict ‘no attribution’ policy at Kaspersky. Sometimes that policy was stretched but never broken."
Kaspersky declined to comment on its researchers' internal conclusions, with a spokesperson stating, "We don’t engage in any formal attribution." The Spanish Ministry of Defense also declined to comment, and the Cuban government did not respond to inquiries.
The Genesis of the Investigation: A Cuban Connection
According to former Kaspersky employees, the investigation into Careto was sparked by a single victim: an individual working for the Cuban government. This "patient zero," as one source referred to them, was infected by the sophisticated malware, drawing the attention of Kaspersky researchers.
Early in their investigation, Kaspersky discovered that the Careto hackers had specifically targeted a particular government network and systems within Cuba. The technical report published by Kaspersky in 2014 after their discovery highlighted Cuba as having the most victims per country at that time, specifically noting one unnamed Cuban government institution. The report stated this showed "the current interest of the attackers."
The focus on Cuba proved to be a crucial piece of the puzzle linking Careto to Spain. During the period of Careto's activity, Spain had a specific interest in Cuba related to members of the Basque terrorist organization ETA. An exiled Cuban government official told the Spanish newspaper El Pais in late 2013 that around 15 ETA members were living in Cuba with the Cuban government's approval. A leaked U.S. diplomatic cable in 2014 also noted Cuba's history of providing refuge to ETA terrorists. Furthermore, a Spanish judge had ordered the arrest of ETA members living in Cuba as early as 2010. This context strongly suggested that Spain would have a compelling intelligence interest in monitoring individuals and institutions in Cuba connected to ETA.
Beyond Cuba, Careto's other targets also aligned with Spanish geostrategic interests. The operation affected hundreds of victims across 31 countries, with significant numbers in Brazil, Morocco, Spain itself, and Gibraltar. The targeting of Brazil was notable because, at the time, the Spanish government was actively pushing for a consortium of Spanish companies to win a lucrative bid to build a high-speed railway line between Rio de Janeiro and São Paulo. Espionage against Brazilian entities involved in this project could provide a significant advantage. The targeting of Morocco and Gibraltar is also telling, given Spain's proximity to Morocco and its long-standing territorial dispute over Gibraltar, a British enclave on the Iberian peninsula that Spain claims as its own. As the Spanish online news outlet El Diario noted when covering Careto's discovery, targeting countries like Brazil and Gibraltar would favor the Spanish government's "geostrategic interests."
In addition to government institutions, embassies, and diplomatic organizations, Kaspersky's report indicated that Careto also targeted energy companies, research institutions, and activists, suggesting a broad intelligence collection mandate.
Linguistic and Cultural Breadcrumbs
While Kaspersky adhered to its public "no attribution" policy, the researchers left clear hints in their public reporting and associated materials that strongly pointed towards Spain. One significant clue was a specific string found within the malware code: "Caguen1aMar." This is a contraction of the popular Spanish expletive, "me cago en la mar," which literally translates to "I sh--t in the sea." While vulgar, it's a common phrase in Spain, less so in other Spanish-speaking countries, serving as a linguistic fingerprint.
Further reinforcing the Spanish connection was the imagery Kaspersky used when announcing the discovery of Careto in 2014. Alongside a map detailing the victim countries, Kaspersky included an illustration of a mask adorned with symbols strongly associated with Spain: bull's horns and a nose ring (the bull is a national symbol), castanets (an instrument used in Spanish folk music), and the prominent use of the red and yellow colors of the Spanish flag.
The map itself provided further subtle confirmation of the Spanish focus. While showing infections across 31 countries, specific icons indicated the type of victim in certain locations. Cuba was marked with a single icon representing a government institution – the "patient zero" that initiated the investigation. Gibraltar, Morocco, and Switzerland were the only other territories explicitly marked with a government victim icon, underscoring the significance of these targets, all of which hold particular relevance to Spanish foreign policy and intelligence interests.
Technical Sophistication and Stealth
Careto's technical capabilities were, and remain, highly advanced. Kaspersky researchers found evidence of the malware dating back as far as 2007, indicating a long-running operation. The group developed versions of its malware capable of compromising Windows, Mac, and Linux computers, and Kaspersky found possible evidence of code targeting Android and iPhones. This multi-platform capability is a hallmark of sophisticated state-sponsored groups.
The primary infection vector for Careto was spearphishing emails. These emails contained malicious links carefully crafted to appear legitimate, often impersonating well-known Spanish newspapers like El País, El Mundo, and Público. The lures included politically themed content or even seemingly innocuous topics like food recipes. Crucially, some phishing links also included references to ETA and Basque news, a detail omitted from Kaspersky's public report but shared by a former employee, further linking the operation's focus to Spanish concerns.
Upon clicking a malicious link, victims were infected using an exploit tailored to their specific device. To avoid suspicion, the victim's browser would then be redirected to a legitimate web page. This seamless infection chain demonstrated a high level of operational security and technical skill.
Adding another layer of sophistication, the Careto operators even exploited a vulnerability in older versions of Kaspersky's own antivirus software. Ironically, it was this exploitation that first alerted Kaspersky to the group's existence, as detailed in their 2014 report.
The prevalence of Kaspersky's software in Cuba played a role in the group's ability to target individuals there. By 2018, Kaspersky reportedly controlled around 90% of Cuba's internet security market, according to Cuba Standard. The company's name had even become part of local slang, highlighting its widespread use.
Perhaps the most striking demonstration of Careto's elite status was its reaction to being discovered. Soon after Kaspersky published its research in 2014, the Careto hackers executed a rapid and systematic shutdown of their entire discovered infrastructure. They went as far as wiping their logs, a move described by researchers as "not very common" and indicative of a highly prepared and professional operation. "You can’t do that if you’re not prepared," a former employee noted. "They systematically, and in a quick manner, destroyed the whole thing, the whole infrastructure. Boom. It was just gone." This swift disappearance made further tracking extremely difficult.
The Mask Returns: Careto Resurfaces After a Decade
Following its abrupt disappearance in 2014, Careto remained undetected by public cybersecurity firms for nearly a decade. This long period of silence underscored the group's discipline and ability to operate in the shadows.
However, in May 2024, Kaspersky announced that it had once again found traces of Careto's activity. The group was observed targeting an unnamed organization in Latin America that had been previously compromised by Careto as far back as 2012, and more recently in 2019 and 2022. Careto also targeted a second unnamed organization located in Central Africa.
In a blog post published in December 2024, Kaspersky researchers Georgy Kucherin and Marc Rivero López attributed these new hacks to Careto "with medium to high confidence." Their analysis was based on several factors, including the use of filenames that were "alarmingly similar" to those seen in Careto's operations a decade prior, as well as overlapping tactics, techniques, and procedures (TTPs) – the unique behavioral patterns that help identify a specific hacking group.
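The two attribution signals the article describes, a language-specific string left in the binary (the "Caguen1aMar" artifact above) and the overlap in filenames and TTPs between the 2014-era campaign and the 2024 activity, can be turned into a repeatable scoring step. The following Python is an added example written for this page, not Kaspersky's tooling or anything from the Careto reports: it pulls printable strings out of a sample blob the way the `strings` utility does, checks them against a watch list, normalises filenames so that rotated version numbers still match, and combines filename overlap, TTP overlap and string hits into a confidence label. Only the string "Caguen1aMar" comes from the page; the binary blob, every filename, the weights and the confidence thresholds are constructed placeholders, and the ATT&CK technique IDs are the standard ones for the behaviours the article mentions (spearphishing links, keylogging, audio capture, screen capture, cookie theft, log clearing).

```python
"""Artifact-overlap scoring for malware attribution (added example, not from the page).

Constructed data only: "Caguen1aMar" is the string reported in the Careto
binaries; the blob, filenames, weights and thresholds below are placeholders.
"""
import re
from typing import Iterable

# Minimum run of printable ASCII treated as a string, like the `strings` tool.
MIN_STRING_LEN = 6

# Constructed sample binary fragment: header bytes, a short non-qualifying run,
# the page's known artifact string, and a second longer run.
SAMPLE_BLOB = b"\x00\x01MZ\x90\x00junk\x00Caguen1aMar\x00\xff\xfeanother_marker_string\x00"

# Watch list of artifact strings; only the first is from the page.
KNOWN_STRINGS = ["Caguen1aMar", "HelloWorldMarker"]

# Hypothetical campaign records (filenames are placeholders, TTPs are ATT&CK IDs).
OLD_CAMPAIGN = {
    "filenames": {"C:/Windows/Temp/svcupd32.dll", "C:/Users/Public/netcfg.dat",
                  "C:/Windows/Temp/wmiprvse2.exe"},
    "ttps": {"T1566.002", "T1056.001", "T1070.001", "T1113"},
}
NEW_CAMPAIGN = {
    "filenames": {"C:/Windows/Temp/svcupd64.dll", "C:/ProgramData/netcfg.dat",
                  "C:/ProgramData/audiohost.exe"},
    "ttps": {"T1566.002", "T1056.001", "T1123", "T1539", "T1113"},
}

# Assumed weights and thresholds; a real scheme would be calibrated on past cases.
WEIGHTS = {"filenames": 0.4, "ttps": 0.4, "strings": 0.2}
THRESHOLDS = [(0.7, "high"), (0.4, "medium"), (0.0, "low")]


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def find_known_strings(blob: bytes, known: Iterable[str]) -> list[str]:
    """Return the watch-list strings that occur inside any extracted string."""
    found = extract_strings(blob)
    return [k for k in known if any(k in s for s in found)]


def normalise_filename(path: str) -> str:
    """Keep the base name, lower-case it, and strip digits so svcupd32/svcupd64 match."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return re.sub(r"\d+", "", base)


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets give 0 rather than a division error."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def score_campaign(old: dict, new: dict, blob: bytes, known: Iterable[str]) -> dict:
    """Combine filename overlap, TTP overlap and string hits into one score."""
    old_names = {normalise_filename(f) for f in old["filenames"]}
    new_names = {normalise_filename(f) for f in new["filenames"]}
    name_sim = jaccard(old_names, new_names)
    ttp_sim = jaccard(old["ttps"], new["ttps"])
    hits = find_known_strings(blob, known)
    string_sim = 1.0 if hits else 0.0
    score = (WEIGHTS["filenames"] * name_sim
             + WEIGHTS["ttps"] * ttp_sim
             + WEIGHTS["strings"] * string_sim)
    score = round(score, 4)
    confidence = next(label for floor, label in THRESHOLDS if score >= floor)
    return {
        "score": score,
        "confidence": confidence,
        "shared_filenames": old_names & new_names,
        "shared_ttps": old["ttps"] & new["ttps"],
        "string_hits": hits,
    }


if __name__ == "__main__":
    result = score_campaign(OLD_CAMPAIGN, NEW_CAMPAIGN, SAMPLE_BLOB, KNOWN_STRINGS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The digit-stripping normalisation is deliberately coarse: it is what makes "svcupd32.dll" and "svcupd64.dll" count as the same artifact, which is the kind of "alarmingly similar" filename reuse the researchers relied on, but it will also merge unrelated names that differ only by a number, so the shared sets are returned alongside the score for an analyst to review rather than trusted blindly.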
Kucherin and Rivero López, who also presented their findings at the Virus Bulletin security conference in October 2024 (paper, presentation), noted that Careto "has always conducted cyber attacks with extreme caution," but despite this, they "managed to make small but fatal mistakes during their recent operations" that mirrored activity from their earlier campaigns.
Despite the renewed detection, Kucherin told TechCrunch that the researchers still do not know definitively who or which government is behind the group. "It’s likely a nation state," said Kucherin. "But what entity it was, who developed the malware? From a technical perspective, it’s impossible to tell." This highlights the inherent difficulty in achieving definitive, publicly verifiable attribution, even for highly skilled researchers.
Kaspersky's most recent report provides details on Careto's updated methods. In the case of the Latin American victim, the hackers reportedly broke into the organization's email server before deploying their malware. Analysis of one compromised machine revealed that the new Careto malware is capable of surreptitiously activating the computer's microphone (while hiding the usual Windows indicator), stealing files (including personal documents, session cookies for bypassing passwords, and web browsing histories from multiple browsers), and more.
For another victim, the Careto hackers utilized a suite of implants functioning as a backdoor, a keylogger, and a tool for taking screenshots. These capabilities demonstrate a continued focus on deep system compromise and data exfiltration, consistent with the goals of state-sponsored espionage.
Despite being caught again, Kucherin emphasized that the Careto hackers remain highly skilled. Compared to larger and more widely known government-backed groups like North Korea's Lazarus Group or China's APT41, Kucherin described Careto as a "very small [advanced persistent threat] that surpasses all those large ones in complexity." He concluded, "Their attacks are a masterpiece."
Contact Us
Do you have more information about Careto (aka The Mask), or other government hacking groups and operations? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
The resurfacing of Careto after a long hiatus underscores the persistent nature of state-sponsored cyber espionage. While cybersecurity firms may uncover and disrupt operations, the actors behind them often possess the resources and patience to adapt, rebuild, and continue their activities. The internal conclusion by Kaspersky researchers that the Spanish government was behind Careto, supported by the circumstantial evidence of targeting patterns, linguistic clues, and cultural indicators, provides a rare glimpse into the clandestine cyber operations conducted by Western nations, operations that typically remain hidden behind a veil of secrecy and plausible deniability.