Full Report
The elusive hacking group Careto was never publicly linked to a specific government, but TechCrunch has learned researchers concluded privately that the Spanish government was behind the group.
Analysis Summary
# Threat Actor: Careto (The Mask)
## Attribution & Identity
* **Identification:** A highly advanced Spanish-speaking threat actor/hacking group.
* **Known Aliases:** The Mask.
* **Attribution:** Never publicly linked to a specific government by Kaspersky. However, sources within Kaspersky who investigated the group were "convinced" that Careto was a hacking team working for the **Spanish government**. Careto is considered one of the few publicly discussed Western government hacking groups.
## Activity Summary
* Careto was first identified over a decade ago by Kaspersky researchers who initially mistook its traffic for a known government-backed group.
* The group conducts sophisticated espionage operations.
* Recent activity has shown the group is still operating effectively, making small mistakes that allowed modern researchers to link new operations back to the original decade-old activity.
* In a recent operation against an unnamed Latin American victim, Careto compromised an email server before planting its malware.
* The group is described as a "very small advanced persistent threat that surpasses all those large ones in complexity."
## Tactics, Techniques & Procedures
* **Data Exfiltration:** Capable of stealing highly sensitive data, including private conversations and keystrokes.
* **Persistence/Infection:** Plants sophisticated, stealthy malware on compromised systems.
* **Espionage Capabilities:** Utilizes implants that function as a backdoor, keylogger, and screenshot-taker.
* **System Compromise:** In one instance, malware was found capable of stealthily switching on a computer's microphone while hiding the associated Windows alert icon.
* **Credential Theft:** Steals session cookies (allowing unauthorized access to accounts) and web browsing histories from multiple browsers.
* **Operational Security:** Generally conducts cyber attacks with "extreme caution," though recent operations showed minor mistakes.
* **Discovery Artifact:** The name "Careto" (Spanish slang for "ugly face" or "mask") was found buried within the malware's code by the discovering researchers.
## Targeting
* **Sectors:** Government institutions and private companies.
* **Geography:** Targeted victims globally, including Cuba, Brazil, Morocco, Spain, and Gibraltar.
* **Victims:** Initial investigation sparked by infection of a staff member ("patient zero") of a **Cuban government institution**. Targeted entities in Cuba were noted as having the highest concentration of victims, potentially due to the suspected presence of the Basque terrorist organization ETA in the country at the time. Targeting in Spain and Gibraltar is considered geographically "telling" given Spain's territorial claims over Gibraltar.
## Tools & Infrastructure
* **Malware Families Used:** Stealthy, advanced espionage malware capable of extensive device control, keylogging, and data theft. Implants function as a backdoor, keylogger, and screenshot-taker.
* **Infrastructure (C2, domains, IPs):** Not detailed in the provided context.
## Implications
* Careto represents a highly complex, state-level espionage capability, considered by some former researchers to be more complex than larger, known government APTs (like Lazarus or APT41).
* The group’s perceived link to the Spanish government places it in a small category of publicly discussed Western government hacking units (alongside groups linked to the US and France).
* Their continued, sophisticated operations years after initial discovery indicate persistent, high-level governmental intelligence requirements.
## Mitigations
* (No specific, technical mitigations were detailed in the article, as the focus was on attribution and historical activity.)
* General defensive guidance would be to harden email servers against intrusion (the recent operation began with an email server compromise) and to deploy endpoint detection capable of surfacing sophisticated keylogging and unauthorized microphone use.
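As an added example (not from the article or the Kaspersky research it summarizes), the PowerShell hunt below lists the microphone access records that Windows itself keeps in the CapabilityAccessManager ConsentStore; those records are written regardless of whether the notification-area icon was shown, which is what makes them useful against the icon-hiding behaviour described above. It assumes Windows 10 1903 or later, that it runs in the profile of the user being examined, and the function name `Get-MicrophoneAccessRecords` is the example's own.

```powershell
# Added example, not code from the article. Windows 10 1903+ records, per user,
# which applications opened the microphone through its standard capture APIs:
#   ...\ConsentStore\microphone\<PackageFamilyName>            (Store apps)
#   ...\ConsentStore\microphone\NonPackaged\<exe path, '\' -> '#'>  (Win32 apps)
# Each key carries LastUsedTimeStart / LastUsedTimeStop as FILETIME QWORDs;
# a Stop value of 0 means the capture session is still open.

$ConsentRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone'

function Get-MicrophoneAccessRecords {
    if (-not (Test-Path $ConsentRoot)) { return }

    # Recurse so both packaged apps and the NonPackaged subtree are covered.
    foreach ($key in Get-ChildItem -Path $ConsentRoot -Recurse -ErrorAction SilentlyContinue) {
        $start = $key.GetValue('LastUsedTimeStart')
        if ($null -eq $start) { continue }   # container key, no access record
        $stop = $key.GetValue('LastUsedTimeStop')
        $inProgress = ($null -eq $stop) -or ([int64]$stop -eq 0)

        [pscustomobject]@{
            App        = ($key.PSChildName -replace '#', '\')
            Packaged   = ($key.PSParentPath -notmatch 'NonPackaged')
            StartedUtc = [DateTime]::FromFileTimeUtc([int64]$start)
            StoppedUtc = if ($inProgress) { $null } else { [DateTime]::FromFileTimeUtc([int64]$stop) }
            InProgress = $inProgress
        }
    }
}

# Triage view: sessions still open, then anything launched from a user-writable
# location, which is where a dropped implant would typically live.
$records = Get-MicrophoneAccessRecords
$records | Where-Object InProgress | Format-Table App, StartedUtc -AutoSize
$records |
    Where-Object { -not $_.Packaged -and $_.App -match '\\(Users|ProgramData|Temp)\\' } |
    Sort-Object StartedUtc -Descending |
    Format-Table App, StartedUtc, StoppedUtc -AutoSize
```

Only sessions opened through the standard Windows capture APIs leave an entry, so an empty result is absence of evidence, not proof the device was idle; the timestamps are most valuable when correlated with process creation and network telemetry from the same window.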