Spanish Hacking Group Careto Linked to Government Operations

By Kevin Lee

A recent investigation suggests that the mysterious hacking group known as Careto may have had ties to the Spanish government. Kaspersky researchers first identified Careto in 2014. Since then, North Korea has become infamous for carrying out advanced cyber-attacks in 31 nations on four continents. The group’s malware found a particularly receptive environment in Cuba, where it targeted a government facility linked to members of the Basque separatist organization ETA.

Kaspersky researchers Georgy Kucherin and Marc Rivero López detailed their discoveries yesterday at the Virus Bulletin security conference, held in Portland, OR in October 2024. The research highlighted Careto’s intricate malware capabilities, which included the ability to activate a computer’s microphone without detection, steal files, and harvest session cookies. The software has drawn so much attention that it has renewed fears about state-sponsored cyber-espionage.

Careto’s Global Reach and Targets

Careto’s malware campaign was extremely widespread. It first appeared in Africa, in Algeria and Morocco, and across Europe in France, Spain and the United Kingdom. The group’s activities in Cuba were particularly alarming: sources indicate that one unnamed Cuban government institution became a focal point of Careto’s operations.

The interest in Cuba goes back to the Caribbean country’s personal links with members of ETA. Reports indicate that, as of the end of 2013, some 15 ETA members were permanently residing in Cuba with the Cuban government’s authorization. This lack of engagement and action made Cuba a strategic target for Careto.

In terms of technical sophistication, Georgy Kucherin called Careto’s attacks a “masterpiece,” stressing how complex they were. He noted that the group has “always conducted cyber attacks with extreme caution,” a characteristic that sets it apart from other hacking entities. Even so, he revealed that Careto “managed to make small but fatal mistakes during their recent operations,” which ultimately contributed to its exposure.

The Technical Sophistication of Careto

Kaspersky reverse-engineered Careto’s malware and uncovered its complex code architecture. Among the discoveries was an especially jarring string, “Caguen1aMar,” which translates from Spanish as “F—k your mom.” According to Kaspersky sources, the manner in which Careto operated, especially its erasing of logs and other digital footprints, was truly notable.

“They methodically, and in a very rapid way, leveled the entire thing, the entire infrastructure. Boom. It was like poof… it was just gone,” said a former Kaspersky employee. This extraordinary level of operational security is what makes Careto exceptional compared to most hacking groups, and it shows how many resources Careto had available to it.

Even with this level of sophistication, the Kaspersky researchers had difficulty conclusively attributing most of the attacks to a single actor. “It’s probably a nation state,” Kucherin said, underscoring the pervasive suspicion of government involvement. He added that “from a technical perspective, it’s impossible to tell” who exactly developed the malware.

The Silence Over Attribution

Though plenty of conjecture persists about Careto’s affiliation, Kaspersky has decided not to pursue a formal attribution. Mai Al Akkad, a spokesperson for Kaspersky, reiterated the company’s position against attributing cyber incidents. “We don’t engage in any formal attribution,” she stated.

“Internally we knew whodunnit,” said one source. The company decided not to publish this very compelling information, citing the political sensitivities involved.

“It wasn’t broadcast because I think they didn’t want to out a government like that,” said another former researcher. This prudent stance is understandable, given the many complexities involved in responding to state-sponsored cyber activity.
