
Careto Hacking Group Revealed as Spanish Government Spy Operation

Discovered more than a decade ago by Kaspersky, Careto is a highly advanced espionage group that, according to former Kaspersky researchers, was operated by the Spanish government. Its malware targeted governments, embassies, and companies across 31 countries, including Cuba and Gibraltar, and stole sensitive data using stealthy techniques. After going dark following its exposure in 2014, Careto resurfaced in 2024 and has continued its espionage with sophisticated attacks.

Published May 23, 2025 at 07:09 AM EDT in Cybersecurity

More than ten years ago, researchers at Kaspersky uncovered a hacking operation far more sophisticated than they first suspected. Initially assumed to be the work of a known state-backed group, it turned out to be a previously unknown, highly advanced Spanish-speaking team. The researchers named it Careto, Spanish slang for "ugly face" or "mask", after a string found in the malware's code.

Careto’s malware was remarkably stealthy and capable of stealing highly sensitive information such as private conversations, keystrokes, encryption keys, VPN configurations, and even data from mobile devices. Its targets spanned government institutions, embassies, energy companies, research centers, and activists across 31 countries, with a notable focus on Cuba, Spain, Brazil, Morocco, and Gibraltar.

The Cuban government was a key victim, with one institution in particular heavily targeted. That focus was telling: Cuba had long harbored members of ETA, the armed Basque separatist group, so the targeting aligned with Spain's geopolitical interests. Kaspersky never publicly attributed Careto, but according to former employees its researchers were internally highly confident that the group was run by Spanish government hackers, which would make Careto a rare example of a Western state-backed espionage group exposed by a security vendor.

Careto's initial access relied heavily on spear-phishing: emails carried links that impersonated Spanish newspapers or pointed to politically charged content about ETA and Basque politics. When a victim clicked, the link led to an exploit site that profiled the visitor's browser and operating system, delivered an exploit matched to that environment, and then redirected the victim to the legitimate site so that nothing looked amiss.
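The lure pattern above (a lookalike of a trusted news site that either 302-redirects to the genuine site or is followed within seconds by a visit to it) leaves a recognisable trace in web-proxy logs. The following is an added example of a detection check over such logs, written for this article and not code from Kaspersky or from the Careto reporting; the trusted-domain list, the log format and every domain and log line in it are constructed placeholders, and the "registrable domain" heuristic and the edit-distance threshold are assumptions a real deployment would replace with a public-suffix list and the organisation's own allow-list.

```python
"""Flag proxy-log requests to lookalikes of trusted news domains that are
immediately resolved by a redirect or a follow-up visit to the genuine site.
All domains and log lines are constructed for this example."""
import re
from datetime import datetime, timedelta

# Constructed placeholders for the news brands a lure would imitate.
TRUSTED = {"diario-ejemplo.es", "noticias-vasco.eus"}

# Constructed log format: <iso-timestamp> <client> <method> <url> <status> [<location>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: (?P<location>\S+))?$"
)


def registrable(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(url):
    """Hostname portion of a URL, without scheme, path or port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def levenshtein(a, b):
    """Edit distance, used to catch typo-squatted brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None for the genuine site
    and for unrelated hosts."""
    reg = registrable(host)
    if reg in TRUSTED:
        return None
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # Typo-squat of the registrable name, or the brand buried in a subdomain.
        if levenshtein(reg.split(".")[0], brand) <= 2 or brand in host.split("."):
            return trusted
    return None


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_lures(lines, window=timedelta(seconds=10)):
    """Return (client, lookalike host, imitated domain, reason) tuples."""
    events = [e for e in map(parse, lines) if e]
    hits = []
    for e in events:
        target = lookalike_of(host_of(e["url"]))
        if target is None:
            continue
        # Strong signal: the lookalike itself redirects to the genuine site.
        if e["status"] in ("301", "302") and e["location"] and \
                registrable(host_of(e["location"])) == target:
            hits.append((e["src"], host_of(e["url"]), target, "redirect-to-genuine"))
            continue
        # Weaker signal: the same client reaches the genuine site within the window.
        for f in events:
            if f["src"] == e["src"] and registrable(host_of(f["url"])) == target \
                    and timedelta(0) <= f["ts"] - e["ts"] <= window:
                hits.append((e["src"], host_of(e["url"]), target, "followed-by-genuine"))
                break
    return hits


# Constructed sample: one genuine visit, one typo-squat with a redirect,
# one brand-in-subdomain host followed by the genuine site, one unrelated host.
SAMPLE = [
    "2025-05-20T09:00:01 10.0.0.5 GET http://diario-ejemplo.es/portada 200",
    "2025-05-20T09:01:10 10.0.0.7 GET http://diaro-ejemplo.es/noticias/eta 302 http://diario-ejemplo.es/noticias/eta",
    "2025-05-20T09:01:11 10.0.0.7 GET http://diario-ejemplo.es/noticias/eta 200",
    "2025-05-20T09:02:00 10.0.0.9 GET http://noticias-vasco.eus.cdn-static.example/x 200",
    "2025-05-20T09:02:04 10.0.0.9 GET http://noticias-vasco.eus/x 200",
    "2025-05-20T09:05:00 10.0.0.11 GET http://unrelated.example/ 200",
]

if __name__ == "__main__":
    for hit in find_lures(SAMPLE):
        print(hit)
```

The edit-distance rule is deliberately loose and will false-positive on short brand names; in practice it is the combination with the redirect or the follow-up visit to the genuine site, not the lookalike match alone, that makes a hit worth an analyst's time.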

Kaspersky's discovery was partly a stroke of luck: Careto's implants attempted to exploit a vulnerability in older versions of Kaspersky's own antivirus products to hide themselves, and that attempt drew the researchers' attention. Those products were widely used in Cuba, reportedly holding around 90% of the island's security-software market, which made evading them essential for reaching a broad range of Cuban victims.

After Kaspersky published its findings in February 2014, the group abruptly ceased operations, taking down its command-and-control infrastructure within hours of publication; that clean exit underscored its elite status among government hacking groups. The silence lasted until 2024, when Kaspersky again detected Careto malware, this time targeting organizations in Latin America and Central Africa.

The renewed attacks demonstrated Careto's continued expertise, including implants that covertly activate microphones, steal session cookies, capture screenshots, and install backdoors and keyloggers. Despite the operators' caution, researchers identified telltale overlaps with Careto's historic tooling and tradecraft, confirming the group's persistence and sophistication.

Careto joins a very short list of Western government hacking groups that have been publicly discussed, alongside the U.S. Equation Group, the CIA-linked Lamberts, and France's Animal Farm. Kaspersky maintains a strict public no-attribution policy, but former researchers say internal confidence in Spain's involvement was strong.

The Careto saga highlights the complex world of state-sponsored cyber espionage, where geopolitical interests drive highly sophisticated cyberattacks targeting sensitive government and corporate data. Its story underscores the importance of advanced threat intelligence and vigilance in cybersecurity.

For organizations operating in geopolitically sensitive regions or sectors, understanding groups like Careto is crucial. Their ability to remain undetected for years and then reemerge with advanced capabilities serves as a stark reminder that cyber threats from nation-states are persistent and evolving.

