Highlights

  • More than a decade ago, researchers at antivirus company Kaspersky identified suspicious internet traffic of what they thought was a known government-backed group, based on similar targeting and its phishing techniques. Soon, the researchers realized they had found a much more advanced hacking operation that was targeting the Cuban government, among others.
  • Eventually the researchers were able to attribute the network activity to a mysterious — and at the time completely unknown — Spanish-speaking hacking group that they called Careto, after the Spanish slang word (“ugly face” or “mask” in English), which they found buried within the malware’s code.
  • Careto was never publicly linked to a specific government. But TechCrunch has now learned that the researchers who first discovered the group were convinced that Spanish government hackers were behind Careto’s espionage operations.
  • When Kaspersky first revealed the existence of Careto in 2014, its researchers called the group “one of the most advanced threats at the moment,” with its stealthy malware capable of stealing highly sensitive data, including private conversations and keystrokes from the computers it compromised, much akin to powerful government spyware today. Careto’s malware was used to hack into government institutions and private companies around the world.
  • Kaspersky avoided publicly blaming who it thought was behind Careto. But internally, according to several people who worked at Kaspersky at the time and had knowledge of the investigation, its researchers concluded that Careto was a hacking team working for the Spanish government.
  • Careto is one of only a handful of Western government hacking groups that has ever been discussed in public, along with U.S. government units such as Equation Group, widely believed to be the U.S. National Security Agency; the Lamberts, believed to be the CIA; and the French government group known as Animal Farm, which was behind the Babar and Dino malware. In a rare admission, Bernard Barbier, former head of the French intelligence service DGSE, publicly confirmed the French government was indeed behind Babar.
  • “It all started with a guy who worked for the Cuban government who got infected,” the third former Kaspersky employee, with knowledge of the Careto investigation, told TechCrunch. The person, who referred to the Cuban government victim as “patient zero,” said that it appeared the Careto hackers were interested in Cuba because during that time there were members of the Basque terrorist organization ETA in the country.
  • “Internally we knew who did it,” the third former Kaspersky employee said, adding that they had “high confidence” it was the Spanish government. Two other former Kaspersky employees, who also had knowledge of the investigation, said the researchers likewise concluded Spain was behind the attacks.
  • After Kaspersky discovered the group’s malware in 2014 and, as a result, learned how to identify other computers compromised by it, the researchers found evidence of Careto infections all over the world, compromising victims in 31 countries spanning several continents.
  • In Africa, the group’s malware was found in Algeria, Morocco, and Libya; in Europe, it targeted victims in France, Spain, and the United Kingdom. In Latin America, there were victims in Brazil, Colombia, Cuba, and Venezuela.
  • Spain had its own particular interest in Cuba in the preceding years. As an exiled Cuban government official told the Spanish daily El Pais at the end of 2013, there were around 15 members of the terror group ETA who lived in Cuba with the approval of the local government. In 2014, a leaked U.S. diplomatic cable noted that Cuba had given refuge to ETA terrorists for years. Earlier in 2010, a Spanish judge ordered the arrest of ETA members living in Cuba.
  • Kaspersky researchers wrote that they were able to find evidence that the Careto malware existed as far back as 2007, and found subsequent versions of Careto capable of exploiting Windows PCs, Macs, and Linux computers. The researchers said they found possible evidence of code capable of targeting Android devices and iPhones.
  • First, the company researchers noted that they found a string in the malware code that was particularly interesting: “Caguen1aMar.” That string is a contraction for the popular Spanish expletive, “me cago en la mar,” which literally means “I sh–t in the sea,” but roughly translates to “f—k,” a phrase typically used in Spain, and not in other Spanish-speaking countries.
  • Kaspersky said in 2014 that the Careto group’s malware was one of the “most advanced threats” of the time for its ability to grab highly sensitive data from a victim’s computer. Kaspersky said the malware could also intercept internet traffic, Skype conversations, encryption (PGP) keys, and VPN configurations, take screenshots, and “fetch all information from Nokia devices.”
  • The Careto group relied in large part on spearphishing emails that contained malicious links impersonating Spanish newspapers like El País, El Mundo, and Público, and videos about political subjects and food recipes. One of the former Kaspersky employees told TechCrunch that the phishing links also included references to ETA and Basque news, which Kaspersky’s report omitted.