Careto Malware: Was it a Spanish Government Operation?
Over a decade ago, Kaspersky researchers uncovered a sophisticated hacking operation, dubbed "Careto" (Spanish for "ugly face" or "mask"). Initially identified through suspicious internet traffic, Careto targeted the Cuban government and other entities with advanced malware capable of stealing highly sensitive data.
While Kaspersky publicly attributed the operation to an unknown Spanish-speaking group in 2014, sources now reveal that internal researchers strongly suspected the Spanish government's involvement. Several former Kaspersky employees with knowledge of the investigation confirmed this suspicion to TechCrunch, stating their "high confidence" in the Spanish government link.
Targeting Cuba and Beyond
The investigation began after a Cuban government official, dubbed "patient zero," was infected. Sources suggest the Spanish government's interest in Cuba stemmed from the presence of members of ETA (the Basque terrorist organization) in the country. Kaspersky's technical report highlighted Cuba as having the most victims, all within a single government institution.
Careto's targets extended beyond Cuba, including Brazil, Morocco, Spain, and Gibraltar – a disputed British territory claimed by Spain. These targets align with Spain's geostrategic interests, as noted by Spanish news outlet El Diario.
Kaspersky's 2014 report described Careto's malware as "one of the most advanced threats" at the time, capable of intercepting internet traffic, Skype conversations, encryption keys, and VPN configurations. The malware also targeted Windows, Mac, and Linux systems, with potential capabilities for Android and iPhone compromise.
Clues Pointing to Spain
While Kaspersky maintained a "no attribution" policy, several clues hinted at Spanish involvement. The malware code contained the Spanish expletive "Caguen1aMar." Kaspersky's accompanying illustration featured a mask with bull horns, castanets, and the Spanish flag's colors.
Careto primarily used spearphishing emails disguised as links to Spanish newspapers and to videos on political topics or food recipes. Some phishing links also referenced ETA and Basque news, a detail omitted from Kaspersky's public report.
Careto Resurfaces
After going dark, Careto reemerged in 2024, targeting organizations in Latin America and Central Africa. Kaspersky attributed these attacks to Careto with "medium to high confidence" based on similar filenames and tactics.
Despite being caught, Careto's operators remain highly skilled. Kaspersky researcher Georgy Kucherin described their attacks as a "masterpiece," highlighting their complexity compared to larger, more well-known state-sponsored groups.
Both the Spanish Ministry of Defense and the Cuban government declined to comment on these revelations.