This is the Careto group, which infiltrated the networks of several countries.

14ymedio, Madrid, 26 May 2025 — Almost anyone with an internet connection in Cuba was exposed to spying by Careto [Mask], a group of hackers from the Spanish government that operated in about 30 countries between 2007 and 2014, according to research. Although the malware was made public 11 years ago in a report by the cybersecurity firm Kaspersky, it was not until this May that at least three experts directly pointed to the Spanish authorities as the ones behind the network.
“There was no doubt about it, at least none that was reasonable,” one of them told the American magazine TechCrunch. Kaspersky’s experts detected spyware that, between those dates, attacked at least 1,000 internet providers in 31 countries, among which the Government of Cuba was a priority target.
The experts argued at the time that the interest was very possibly linked to the presence of up to 15 members of the ETA terrorist group in the country, a conclusion reached by examining the profile of the people attacked by the virus, who were linked to the Government of Cuba and to one particular institution, which was never named.
The investigation began precisely with a member of the Cuban government who was infected and was referred to as “patient zero,” which led to the discovery that the Careto hackers had attacked the network and specific government systems in Cuba, according to another former Kaspersky employee. This demonstrated “the attackers’ interest,” he said.
“Internally we knew who did it,” said one of the sources, adding that they had “high certainty” that it was the Spanish government. The other two respondents endorse the same thesis and claim that one of the rules was to be careful when it came to revealing the ties of some Western governments to operations of this type. “It didn’t spread because I think they didn’t want to reveal the identity of a government like that,” a fourth former employee of the company added. “At Kaspersky we had a strict no-attribution policy. Sometimes it was strained, but never broken.”
The malware, delivered through phishing, was considered “one of the most advanced threats of the moment.” It was very stealthy and, once it infected a computer, could steal conversations and “highly sensitive” data. It arrived in emails purporting to come from well-known media outlets such as El País, El Mundo or Público, or offering recipes and political videos.
One of the former employees who has now spoken with TechCrunch said that among those links, some pointed to news about ETA or to issues in the Basque Country, although the 2014 report did not mention this. When a user clicked on one of the infected links, malicious code was installed on the computer while the browser was redirected to a legitimate website so as not to arouse suspicion, according to the report.
This code contained several words in Spanish, among them the aforementioned Careto (colloquially, an ugly face) but also another that served to pin down exactly where the network came from. This was the contraction 'Caguen1aMar', standing for 'Me Cago en el Mar' [I shit in the sea], an expression exclusive to Spain and not used in other Spanish-speaking countries.
Cuba was not the only target country. Other espionage targets further confirmed the connection with Spain, including Gibraltar (a British colony in the south of the Iberian Peninsula), Brazil, Morocco and some targets within Spain itself.
Kaspersky, asked now, distances itself from the identification. “We don’t do any formal attribution,” a spokesman told TechCrunch. Meanwhile, the Cuban government has not answered questions from the media; nor has the Spanish Ministry of Defense. The period investigated spans the governments of José Luis Rodríguez Zapatero and Mariano Rajoy, although Careto returned to operating after 2014, presumably now detached from state authorities.
In Africa, the group’s malware was found in Algeria, Morocco and Libya; in Europe, it struck France, Spain and the UK. In Latin America, in addition to those already mentioned, Colombia and Venezuela were not spared either. Those affected were diverse and dispersed in all countries except Gibraltar, Morocco, Switzerland and Cuba, where the target was a specific government institution.
In addition to attacks on state institutions, embassies and diplomatic legations, Kaspersky pointed to intrusions by Careto since 2007 into energy companies, institutions and activists. The malware was present on Windows, Mac and Linux computers, and code capable of attacking Android devices and iPhones was also found. It could intercept internet traffic, Skype conversations, encryption keys (PGP) and VPN settings, take screenshots and extract all the information from Nokia devices.
Careto stopped all operations when the report became known, even deleting its records, something “unusual” according to experts. The group went straight into the cyber-espionage elite. “You can’t do that if you’re not prepared,” one of the sources told TechCrunch. “They destroyed everything, all the infrastructure, systematically and quickly. Boom! It simply disappeared.”
But it did not go away completely. Kaspersky found Careto again in 2019, 2022 and 2024, in an organization in Latin America that had already been spied on in 2014, and in another, new this time, in a central African country. Neither has been identified in this case. The tactics, techniques and procedures (TTPs) are, they claim, extremely similar to those used a decade ago. However, more recent research suggests that it is no longer linked to the Government of Spain and warns that its recent mistakes are small but fatal. “What entity was it? Who developed the malware? From a technical perspective, it is impossible to know,” two experts said.
This time the hackers broke into the email server of a Latin American victim, whose name has not been revealed, and then installed the malware, stealing all kinds of data. In the African case, another type of screen-capturing code was used. Despite being detected and making more mistakes than in their earlier phase, analysts still consider them very good: ahead of Lazarus Group (North Korea) and APT41 (China), and on a par with Equation Group and Lamberts (USA) or Animal Farm (France).
Careto is, for them, a “small threat, but one that surpasses in complexity those big ones. Their attacks are a masterpiece.”
Translated by Regina Anavy